Andrew S. Tanenbaum, a computer science professor at the Vrije Universiteit in Amsterdam, is leading the project developing MINIX 3, an operating system meant to be more secure than Windows or Linux.
In his research proposal, which secured him 2.5 M Euros from the European Research Council for the next 5 years, Tanenbaum explains why he considers that current operating systems are not secure:
The most serious reliability and security problems are those relating to the operating system. The core problem is that no current system obeys the POLA: the Principle Of Least Authority. The POLA states that a system should be partitioned into components in such a way that an inevitable bug in one component cannot propagate into another component and do damage there. Each component should be given only the authority it needs to do its own job and no more. In particular, it should not be able to read or write data belonging to another component, read any part of the computer’s memory other than its own address space, execute sensitive instructions it has no business executing, touch I/O devices it should not touch, and so on. Current operating systems violate this principle completely, resulting in the reliability and security problems mentioned above.
Device drivers are the main culprit according to Tanenbaum:
About 70% of a typical operating system consists of device drivers, and these are known to have 3-7 times as many bugs per line of code as the rest of the system. It is also well documented that 63% to 85% of Windows XP crashes are due to driver failures and there is no reason to expect that Linux is any different.
MINIX takes a slightly different approach to OS architecture. The main difference pointed out by Tanenbaum is that the device drivers run in user mode, which he argues confers higher security:
Above the kernel, running in user mode, are the device drivers, each one running as a separate process tightly restricted by the memory management hardware to accessing only its own memory. Device drivers need to do I/O and they do this by making calls to the microkernel to obtain services (such as issuing commands to a physical device). However, before executing any call, the microkernel first checks to make sure the call is permitted. Thus a call from the audio driver to command the sound card will be accepted and processed but a call from the audio driver to command the disk will be rejected.
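A minimal C model of the check described above, added here as an illustration and not taken from MINIX 3's kernel source: the simulated microkernel keeps a privilege record for each user-mode driver listing the kernel calls and I/O port ranges it was granted, and refuses any request that falls outside it, so the audio driver can write to the sound card's ports but not to the disk's. The driver names, port numbers, call names and result codes are constructed for this example.

```c
#include <stdint.h>
#include <string.h>

/* Port numbers, call names and result codes are constructed for this
 * illustration; they are not MINIX 3's real privilege tables. */
enum { CALL_DEVIO = 1u << 0, CALL_IRQCTL = 1u << 1 };
enum { OK = 0, EPERM_CALL = -1, EPERM_PORT = -2, EBADDRV = -3 };

struct port_range { uint16_t base, end; };

/* Privilege record the microkernel keeps for each user-mode driver process. */
struct priv {
    const char *name;
    uint32_t call_mask;        /* kernel calls this driver may make */
    struct port_range io[2];   /* I/O port ranges it may touch */
    int n_io;
};

static const struct priv drivers[] = {
    { "audio", CALL_DEVIO,               {{0x220, 0x22F}}, 1 },
    { "disk",  CALL_DEVIO | CALL_IRQCTL, {{0x1F0, 0x1F7}}, 1 },
    { "log",   0,                        {{0x000, 0x000}}, 0 }, /* no hardware at all */
};

static uint8_t bus[0x10000];   /* simulated device registers, one byte per port */

uint8_t bus_read(uint16_t port) { return bus[port]; }

static const struct priv *lookup(const char *name)
{
    for (size_t i = 0; i < sizeof drivers / sizeof drivers[0]; i++)
        if (strcmp(drivers[i].name, name) == 0) return &drivers[i];
    return NULL;
}

/* Simulated kernel call: a driver asks the kernel to write one byte to an I/O
 * port. The kernel checks the caller's privileges before touching the bus. */
int sys_devio_out(const char *caller, uint16_t port, uint8_t value)
{
    const struct priv *p = lookup(caller);
    if (p == NULL) return EBADDRV;                    /* unknown process */
    if (!(p->call_mask & CALL_DEVIO)) return EPERM_CALL; /* call not granted */
    for (int i = 0; i < p->n_io; i++)
        if (port >= p->io[i].base && port <= p->io[i].end) {
            bus[port] = value;                        /* permitted: do the I/O */
            return OK;
        }
    return EPERM_PORT;                                /* port outside granted ranges */
}
```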
The overall goal is to:
… reorganize the operating system as a tiny microkernel that runs in kernel mode, along with some number of user processes that do the real work of the operating system. While a microkernel is by no means a complete operating system, this design achieves a major goal. The goal is getting most of the operating system code into user space where it can be partitioned into processes unable to execute “dangerous” (i.e., control) instructions and prohibited from accessing memory outside itself by the memory management hardware.
Currently, MINIX 3 is at version 3.1.3a and its main features are:
- POSIX compliant
- Networking with TCP/IP
- X Window System
- Languages: cc, gcc, g++, perl, python, etc.
- Over 650 UNIX programs
- Full multiuser and multiprogramming
- Device drivers run as user processes
- High degree of fault tolerance
- Full C source code supplied
Since MINIX implements the POSIX standard, it can run most UNIX programs with little or no change. The project was included in Google’s Summer of Code 2008. A MINIX discussion group has been set up on Google Groups.