
MK++ A High Assurance Operating System Kernel Shai Guday David Black.





2 MK++ A High Assurance Operating System Kernel Shai Guday David Black

3 MK++ Results
- MK++ is a complete reimplementation of the essential Mach abstractions for use in a B3 formal evaluation
- A microkernel for TIS's TrustBase - B3 level assurance
- Good performance as well as high assurance
- An "essential microkernel" with only those features and functions truly needed
- All B3 assurance requirements have been met
- High Assurance Software Engineering
- Object Oriented Layering

4 Brief History of Software Engineering


10 MK++ Internal Architecture (diagram; only the labels survive): Resource Management Objects; Kernel Interface; Space Accounting; Processor Scheduling; Connection Management; Transfer Management; Memory Extent Management; Resident Memory Management; Clock/Device Services (Clock Mgmt, Device Mgmt); User Addr Space; User Port Namespace; VM; Clocks and Devices; Tasks, Threads, Resources; PC

11 Object Decomposition

12 Relationship Decomposition

13 Benefits of Object Oriented Layering
- Lock Hierarchy based on Layer Hierarchy
- MK++ is fully preemptible and multithreaded
- Simplified Initialization
- Run constructors in order from lowest layer to highest layer
- Easy to determine what functionality is available at each layer
- Significant Layer Enforcement at Compile time
- Compiler rejects circular inheritance
- Header file discipline: don't include header files from higher layers
- ... in addition to improved code structure and assurance
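An added example (not code from MK++ or from the slides) of the "lock hierarchy based on layer hierarchy" idea expressed as a runtime assertion: each lock carries the layer of its owning object, and a thread is only allowed to take a lock at a strictly lower layer than any lock it already holds, since calls flow from higher layers to lower ones. The layer numbers, class names and the task/resident-memory scenario are assumptions for illustration.

```cpp
#include <mutex>
#include <stdexcept>
#include <vector>

// A mutex tagged with the layer of the object that owns it. Layer numbering
// (higher number = higher layer) and all names here are assumptions.
class LayeredLock {
public:
    explicit LayeredLock(int layer) : layer_(layer) {}
    void lock() {
        // Runtime assertion derived from the layering rule: only acquire a
        // lock at a strictly lower layer than every lock already held.
        if (!held().empty() && layer_ >= held().back())
            throw std::logic_error("lock hierarchy violation");
        m_.lock();
        held().push_back(layer_);
    }
    void unlock() {
        held().pop_back();   // released in LIFO order via std::lock_guard
        m_.unlock();
    }
private:
    // Per-thread stack of the layers whose locks this thread currently holds.
    static std::vector<int>& held() {
        thread_local std::vector<int> stack;
        return stack;
    }
    int layer_;
    std::mutex m_;
};

// Try to take `outer` then `inner`; report whether the order was accepted.
bool acquire_in_order(LayeredLock& outer, LayeredLock& inner) {
    try {
        std::lock_guard<LayeredLock> o(outer);
        std::lock_guard<LayeredLock> i(inner);
        return true;
    } catch (const std::logic_error&) {
        return false;   // `outer` is released by its guard, stack unwinds
    }
}

// Constructed scenario: a task-layer object calling down into resident
// memory management is accepted; the inverted order is rejected.
bool downward_call_accepted() {
    LayeredLock task(3), resident_memory(1);
    return acquire_in_order(task, resident_memory);
}
bool upward_call_rejected() {
    LayeredLock task(3), resident_memory(1);
    return !acquire_in_order(resident_memory, task);
}
```

Because the check runs before the underlying mutex is taken, a violation is reported as an exception instead of a deadlock, which is what makes it usable as a generated assertion during testing.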

14 A Few Words About Performance
- MK++ Performance is comparable to Mach
- Even on highly optimized Mach code paths
- Performance is more robust (no special case 'fast paths')
- Kernel microbenchmarks (IPC, page fault, task create)
- Extensive use of inline methods
- MK++ has lots of tiny methods, but most of them are inline
- Disciplined use of virtual methods
- Layering forces attention to this
- C++ is not slow in the hands of competent software engineers!

15 Sharper Tools
- Layer Verification Tool
- Enforce Layering Architecture
- Covert Storage Channel Tool
- Find all storage channels
- But not timing channels
- Tools find many problems missed by people
- Incremental execution would be very useful
- Hook tools into source control system

16 Formal Methods
- Generated runtime assertions based on Formal Model
- IPC subsystem invariant checks
- The Good News:
- Found 4 serious problems missed by development and review
- The Bad News:
- Missed at least one more
- Kernel not exercised under all possible conditions
- Test coverage is not a new problem
- Neither is it a solved problem

17 Conclusion
- Assurance is only possible if software practitioners can reason about the software
- High assurance analysis and design are necessary for high assurance software
- Software engineering techniques exist for practical development of high assurance software
- Layering and object orientation complement each other and support decomposition of complex system software, e.g. the MK++ microkernel
- Need advances in the state of the art
- Object interface design
- Dependency decomposition and encapsulation
- Assured design patterns (aka frameworks)
- Framework composition rules

