Why MS Windows 7 can never become a reliable OS

We live in a post-industrial, information-driven, globalized world in which computers control nuclear power plants, strategic military facilities and the like. Yet modern operating systems (OS) have two characteristics that make them unreliable and unsafe: they are huge, and they isolate failures very poorly. The Linux kernel contains more than 2.5 million lines of code, and the Windows XP kernel more than 5 million. According to researchers at Carnegie Mellon University, code contains between 5 and 15 errors per 1000 lines. By that estimate the Linux kernel contains about 15,000 errors and the Windows XP kernel more than 30,000. Worse still, about 70% of OS code is device-driver code, in which errors are found 3-7 times more often than in ordinary code. Clearly it is simply impossible to find and correct all of these errors; moreover, fixing errors often introduces new ones.

The sheer size of modern operating systems means that no one person can understand the whole system, and as a result the system becomes very hard to manage. The same could be said of, for example, an aircraft carrier: no single person knows how an aircraft carrier works, but all of its subsystems are well isolated. A clogged toilet does not affect the missile-launch subsystem. Operating systems lack this kind of component isolation. A modern OS consists of hundreds or thousands of interrelated procedures linked into a single binary that runs in the kernel. Any one of the millions of lines of kernel code can write to key data structures belonging to an unrelated component, and that can bring the whole system down. [see: Andrew Tanenbaum, Jorrit Herder and Herbert Bos, "Can We Make Operating Systems Reliable and Secure?"]

Windows NT:
The MS Windows 7 Milestone builds are an evolution of MS Windows NT. The first commercial version of Windows NT was released on July 27, 1993 (it will soon be 15 years old). It was numbered 3.1 from the start only because the Windows API, including the windowing interface of MS Windows 3.1, had been added to the original NT kernel. [see: Microsoft Windows, Wikipedia]
"Development of Windows NT, begun in November 1988 under the working title NT OS/2, was conducted in parallel with the development of IBM's own OS, OS/2 2.0, which finally came out only in April 1992. At the same time, Microsoft continued to develop its own family of DOS and Windows operating systems, which demanded fewer computer resources than IBM's OS/2. After Windows 3.0 was released in May 1990, Microsoft decided to add a Windows-compatible application programming interface (API) to NT OS/2. This decision caused serious friction between Microsoft and IBM and ended in the breakdown of their collaboration. IBM continued developing OS/2 alone, and Microsoft began working on the system that was eventually released under the name Windows NT. Although this system did not become immediately popular like DOS or Windows, Windows NT proved significantly more successful than OS/2.
It is interesting to note that the OS/2 API was originally planned as NT's programming interface, followed by POSIX; Windows API support was added last. Likewise, the Intel i860 was originally planned as the hardware platform for NT, followed by MIPS; Intel x86 support was added later..." [see: Windows NT, Wikipedia]
What is today called Windows Vista is NT hung, to a horrifying degree, with all sorts of API libraries and interfaces invented by Microsoft. According to MS, Windows 2000 contains 35 to 60 million lines of code, and Windows XP more than 45 million lines, constantly being updated and modernized. The source code is written in assembler, C and C++. Even inside Microsoft nobody quite understands what they have built; understanding the code is very, very hard. Most likely every version of Microsoft Windows contains a vulnerability that cannot be fixed (according to some third-party researchers, this "absolute error" differs from version to version). Fixing it would be about as feasible as plugging a hole in the middle of a foundation on which a high-rise building already stands. Microsoft is, of course, well aware that this absolute error exists, but does not consider it a vulnerability.

The way out of the current impasse is the microkernel OS, which can gain a new lease of life thanks to its potential for much higher reliability:
The reliability of a microkernel OS comes from several sources. First, the code executed in the kernel is only about 4000 lines, with a total of only about 24 errors (taking the Minix 3 microkernel as the example). A kernel this small can be verified by hand or with formal methods. The IPC design avoids any need to manage buffers in the kernel. Furthermore, the IPC primitives available to each process are restricted, including the destinations it may send to and the events it may be notified of: user processes, for example, may use only the rendezvous principle and may send messages only to the POSIX servers. On top of this, all kernel data structures are static. Together these properties greatly simplify the code and eliminate kernel errors caused by buffer overflows, memory leaks, late interrupts and the like. Of course, moving most of the operating system into user-mode processes does not eliminate the inevitable errors in drivers and servers, but it limits their impact on the system as a whole. Erroneous code in the kernel can corrupt critical data structures, write garbage to disk, and so on; erroneous code in most drivers and servers can do no such harm, because these processes are strictly separated from one another and very limited in what they are allowed to do.
Another feature that improves reliability is the use of separate instruction and data spaces. Even if buggy code or a virus causes a buffer overflow and places foreign code in the data space, that code can never be executed by jumping to it, because the kernel will not run anything that is not in the process's (read-only) instruction space.
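To make the separate-instruction-and-data-space property concrete, here is an added example (my own C program, not code from the article or from Minix): it maps one page as readable and writable, fills it with constructed bytes, and tries to jump into it. On a system that refuses to execute writable data pages (Linux with NX paging is assumed), the processor faults before the first byte is fetched; the program catches that fault with a SIGSEGV handler and reports it instead of dying. The function name `writable_page_executes` and the 0xC3 filler byte are my choices, not anything from the page.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static sigjmp_buf fault_env;

/* SIGSEGV/SIGBUS handler: unwind back to the sigsetjmp point instead of dying. */
static void on_fault(int signo) {
    (void)signo;
    siglongjmp(fault_env, 1);
}

/* Maps one page as PROT_READ|PROT_WRITE (a "data space" page), fills it with
 * bytes and then tries to jump to it. Returns 0 when the MMU refuses to execute
 * the page (the property the article describes), 1 when the bytes actually ran,
 * and -1 when the mapping could not be created. */
int writable_page_executes(void) {
    long pagesz = sysconf(_SC_PAGESIZE);
    unsigned char *page = mmap(NULL, (size_t)pagesz, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -1;

    /* Constructed contents: the single-byte x86-64 "ret" opcode (0xC3), repeated.
     * If the page were executable a call would simply return; because it is not,
     * the processor faults on the very first fetch, whatever the bytes are. */
    memset(page, 0xC3, (size_t)pagesz);

    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    void (*fn)(void);
    memcpy(&fn, &page, sizeof fn);   /* treat the data page as if it were code */

    volatile int executed = 0;
    if (sigsetjmp(fault_env, 1) == 0) {
        fn();
        executed = 1;                /* reached only if the page was executable */
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    munmap(page, (size_t)pagesz);
    return executed;
}

int main(void) {
    int r = writable_page_executes();
    if (r == 0)
        puts("execution from the writable page was blocked: data is not code here");
    else if (r == 1)
        puts("the writable page executed: this system does not separate data from code");
    else
        puts("mmap failed");
    return 0;
}
```

The same check is what a hardening audit does in the other direction: any region that reports both PROT_WRITE and PROT_EXEC in `/proc/<pid>/maps` is a place where the guarantee described above has been given up.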
Among the other features that improve reliability, the most important is self-healing. If a driver writes through a bad pointer, falls into an infinite loop or misbehaves in some other way, the reincarnation server automatically replaces it, often without affecting any other process.
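The reincarnation server's policy can be sketched with ordinary POSIX processes. The following is an added example written for this page, not code from Minix 3 or any other project: a forked child plays the driver (it has its own address space, so its faults cannot corrupt the supervisor), and `supervise()` relaunches it whenever it dies abnormally or misses its deadline, up to a restart budget. The `drv_mode` values, the `DRV_FLAKY` behaviour (crashes once, then runs cleanly) and the timeouts are constructed for the demonstration; Linux/POSIX is assumed.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Constructed driver behaviours for the demonstration. */
typedef enum { DRV_OK, DRV_CRASH, DRV_HANG, DRV_FLAKY } drv_mode;

/* Body of the isolated "driver" process. `attempt` is 0 on the first launch
 * and grows with every restart, so DRV_FLAKY can fail once and then heal. */
static void driver_main(drv_mode mode, int attempt) {
    switch (mode) {
    case DRV_CRASH:
        raise(SIGSEGV);          /* stand-in for a write through a bad pointer */
        _exit(98);
    case DRV_HANG:
        for (;;) pause();        /* infinite loop: never reports completion */
    case DRV_FLAKY:
        if (attempt == 0) raise(SIGSEGV);
        _exit(0);                /* healthy after one restart */
    default:
        _exit(0);                /* normal completion */
    }
}

/* Reap pid, waiting at most timeout_ms. Returns 1 if it terminated, 0 on timeout. */
static int wait_with_deadline(pid_t pid, int timeout_ms, int *status) {
    struct timespec tick = { 0, 10 * 1000 * 1000 };   /* 10 ms */
    for (int waited = 0; waited < timeout_ms; waited += 10) {
        if (waitpid(pid, status, WNOHANG) == pid) return 1;
        nanosleep(&tick, NULL);
    }
    return 0;
}

/* Supervise one driver: launch it and relaunch it whenever it crashes or misses
 * its deadline, until it exits cleanly or max_restarts is reached. Returns the
 * number of restarts performed, or -1 if fork() failed. */
int supervise(drv_mode mode, int max_restarts, int deadline_ms) {
    int restarts = 0;
    for (;;) {
        pid_t pid = fork();
        if (pid < 0) return -1;
        if (pid == 0) {                              /* child: run the driver */
            driver_main(mode, restarts);
            _exit(1);
        }

        int status = 0;
        if (!wait_with_deadline(pid, deadline_ms, &status)) {
            kill(pid, SIGKILL);                      /* hung driver: remove it */
            waitpid(pid, &status, 0);
        }
        if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
            return restarts;                         /* healthy: nothing to heal */
        if (restarts >= max_restarts)
            return restarts;                         /* budget exhausted: give up */
        restarts++;                                  /* reincarnate the driver */
    }
}

int main(void) {
    printf("healthy driver: %d restarts\n", supervise(DRV_OK, 3, 500));
    printf("flaky driver: healed after %d restart(s)\n", supervise(DRV_FLAKY, 3, 500));
    printf("crashing driver: gave up after %d restarts\n", supervise(DRV_CRASH, 3, 500));
    printf("hung driver: gave up after %d restarts\n", supervise(DRV_HANG, 2, 200));
    return 0;
}
```

The restart budget matters in practice: without it a driver that crashes on every launch is restarted forever, and the supervisor itself becomes the denial-of-service. A real reincarnation server also has to consider what state the replacement inherits, which is why the article stresses that this works "often", not always.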
MS Singularity:
Quote from Andrew S. Tanenbaum: "... Microsoft is also interested in microkernels. It understands better than anyone the problems of maintaining monolithic kernels. Windows NT 3.1 was a half-hearted attempt to build a microkernel system, but the attempt was not carried out entirely correctly, and the performance of the OS on early-1990s hardware was not good enough either, so Microsoft temporarily abandoned the idea. Recently, however, Microsoft has tried again on new hardware, which led to the appearance of the Singularity OS. Today, as I see it, many people believe that if Microsoft did this it must have gone mad. But Galen Hunt and Jim Larus, who ran the Singularity project, are very smart guys, and they understand very well what a jumble Windows is and how badly Microsoft needs a completely new approach for its further development. Even the people working on Vista can see that they have serious problems. That is why they are moving drivers into user space, which is exactly what I recommend." [see: "The second part of the Marlezonsky Ballet". The Tanenbaum-Torvalds discussion: Part II]
The Singularity project from Microsoft Research offers the most radical approach to building a robust operating system on a microkernel. But Singularity cannot be tied to the Windows API, and software written for the Windows API cannot be ported to it, so this unique but theoretical project will not be able to help ordinary MS Windows users :( [see: Andrew Tanenbaum, Jorrit Herder and Herbert Bos, "Can We Make Operating Systems Reliable and Secure?"]

Microkernel L4:
L4 is built so that almost any API can be constructed on top of it. It abstracts away specific memory-management algorithms and other policies, but provides the mechanisms needed to implement those policies in any way one likes. It supports many hardware platforms and has multiprocessor (SMP) support in the kernel. Drivers run in user space, and several operating systems can run simultaneously on one microkernel. Both real-time and conventional time-sharing systems can be built on it, for embedded as well as desktop use, and different process-scheduling (and memory-management) policies can be implemented.
Comparing Mach with L4: the Mach microkernel was very cumbersome; it had more than a hundred system calls, about 100,000 lines of code, and took about 500 KB on disk. L4 is 1-2 times more compact. The original L4 implementation had only 7 system calls and about 10,000 lines of code, and takes about 100 KB on disk (ELF format, Intel platform; figures for L4Ka::Pistachio), but only 12 KB in memory! (Other sources say 32 KB; it depends on the kernel version.) This is why L4 is often called a nanokernel: it is 1-2 orders of magnitude smaller than a classic microkernel.
NICTA, the National Information and Communications Technology research centre that develops the L4 kernel, created a commercial company, Open Kernel Labs (OK Labs), to promote L4-based solutions (mainly embedded). OK Labs develops its own commercial implementation, NICTA::Pistachio-embedded, together with Wombat and Iguana. This version of L4 with Wombat and Iguana is called OKL4. "Commercial" OKL4 does not cancel the free licence: OKL4 is licensed under the BSD licence and its source is open. OK Labs promises to release the first formally proven bug-free microkernel (a microkernel with a mathematical proof that it is free of errors) by mid-2009!

Apple MacOS X:
At NICTA, alongside the Kenge/Iguana/Wombat projects, there is a project called Darbat, or L4/Darwin. This is nothing other than a port of Darwin, the base of MacOS X, to the L4 microkernel. Darbat tries to improve Darwin's performance by using L4's IPC, which is far faster than the IPC of the Mach microkernel on which Darwin is based. Darbat also includes a port of IOKit to L4, which aims to benefit from user-level drivers (in Darwin many drivers run in kernel mode; in Darbat they are moved to user level). One goal is to support Darwin's userspace drivers unmodified. Darbat does not aim to remove Mach from Darwin altogether; rather, the aim is a version of MacOS X that runs almost unchanged on L4 and enjoys the advantages L4 has over Mach.
Quote from Andrew S. Tanenbaum: "Mac OS X is also a kind of microkernel OS. Inside, it is Berkeley UNIX running on top of a modified version of the Mach microkernel. However, since it all runs in kernel mode (to squeeze out every bit of performance), Mac OS X is not truly a microkernel system. But since Carnegie Mellon University ran Berkeley UNIX in user space on top of the Mach microkernel many years ago, this could probably be done again, with a slight loss of performance, as in the case of L4Linux. In particular, there is the Darbat project to port Apple's BSD (Darwin) code to L4 in order to make it a truly microkernel OS." [see: "The second part of the Marlezonsky Ballet". The Tanenbaum-Torvalds discussion: Part II]
Apple is said to be developing, in parallel with the current legacy line of Mac OS X 10.6 Snow Leopard, a new "big leap" system. Perhaps this is what Jobs was hinting at in a 2007 interview given on the occasion of the official release of "Leopard". Judging by how thoroughly "Snow Leopard" is being cleaned up, that system will contain "discoveries", and not trivial ones but rather serious ones. Given Apple's obsession with simplicity and elegance of solutions, it would be logical to assume that the new system (Apple OS X 11, or whatever it is called) will be built on the unique L4 microkernel and used on all Apple products without exception, from iPhone smartphones to servers. It is beautiful enough to have occurred to Steve Jobs. And turning crazy ideas into products with crazy success is what Jobs usually does. [see: "Maybe the next one will be Mac OS 10.6 'Snow Leopard'"]
And if that happens, Apple OS X 11 will have unsurpassed reliability and versatility!

The conclusion suggests itself: MS Windows has no future. With Microsoft's current approach to OS development, the future MS Windows 7 will unfortunately remain a system with 10 thousand bugs and irritated users. And when developing large, reliable software projects I would never choose Microsoft's creation as the base OS :(

Source: https://habr.com/ru/post/27256/
