AV-Portal 3.23.3 (4dfb8a34932102951b25870966c61d06d6b97156)

A reimplementation of NetBSD using a MicroKernel (part 1 of 2)

Video in TIB AV-Portal: A reimplementation of NetBSD using a MicroKernel (part 1 of 2)

Formal Metadata

A reimplementation of NetBSD using a MicroKernel (part 1 of 2)
Title of Series
CC Attribution - ShareAlike 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal and non-commercial purpose as long as the work is attributed to the author in the manner specified by the author or licensor and the work or content is shared also in adapted form only under the conditions of this license.
Release Date

Content Metadata

Subject Area
Based on the MINIX 3 microkernel, we have constructed a system that to the user looks a great deal like NetBSD. It uses pkgsrc, NetBSD headers and libraries, and passes over 80% of the KYUA tests). However, inside, the system is completely different. At the bottom is a small (about 13,000 lines of code) microkernel that handles interrupts, message passing, low-level scheduling, and hardware related details. Nearly all of the actual operating system, including memory management, the file system(s), paging, and all the device drivers run as user-mode processes protected by the MMU. As a consequence, failures or security issues in one component cannot spread to other ones. In some cases a failed component can be replaced automatically and on the fly, while the system is running, and without user processes noticing it. The talk will discuss the history, goals, technology, and status of the project. Research at the Vrije Universiteit has resulted in a reimplementation of NetBSD using a microkernel instead of the traditional monolithic kernel. To the user, the system looks a great deal like NetBSD (it passes over 80% of the KYUA tests). However, inside, the system is completely different. At the bottom is a small (about 13,000 lines of code) microkernel that handles interrupts, message passing, low-level scheduling, and hardware related details. Nearly all of the actual operating system, including memory management, the file system(s), paging, and all the device drivers run as user-mode processes protected by the MMU. As a consequence, failures or security issues in one component cannot spread to other ones. In some cases a failed component can be replaced automatically and on the fly, while the system is running. The latest work has been adding live update, making it possible to upgrade to a new version of the operating system WITHOUT a reboot and without running processes even noticing. No other operating system can do this. The system is built on MINIX 3, a derivative of the original MINIX system, which was intended for education. However, after the original author, Andrew Tanenbaum, received a 2 million euro grant from the Royal Netherlands Academy of Arts and Sciences and a 2.5 million euro grant from the European Research Council, the focus changed to building a highly reliable, secure, fault tolerant operating system, with an emphasis on embedded systems. The code is open source and can be downloaded from www.minix3.org. It runs on the x86 and ARM Cortex V8 (e.g., BeagleBones). Since 2007, the Website has been visited over 3 million times and the bootable image file has been downloaded over 600,000 times. The talk will discuss the history, goals, technology, and status of the project.
Multiplication sign Bound state Knot Mikrokernel Student's t-test Student's t-test Term (mathematics) Mereology Computer Computer programming Single-precision floating-point format Arithmetic mean Computer animation Term (mathematics) System programming Video game Operating system God
Slide rule Functional (mathematics) System call Service (economics) 1 (number) Device driver Online help Computer Data model Crash (computing) Antivirus software Hacker (term) Term (mathematics) Operator (mathematics) Software System programming Information security Installation art Operations research Linear code Service (economics) Spyware Server (computing) Content (media) Computer Computer simulation Sound effect Ext functor Cartesian coordinate system Electric power transmission Power (physics) Antivirus software Word Computer animation Software Factory (trading post) System programming Formal grammar Quicksort Window Spacetime
Polar coordinate system Group action Multiplication sign Source code Floppy disk Survival analysis Hyperbolic function Semantics (computer science) Dimensional analysis Data model Bit rate Semiconductor memory Hypermedia Befehlsprozessor Cuboid Endliche Modelltheorie Error message Social class Bit 3 (number) Port scanner Flow separation System programming MiniDisc Pattern language Modul <Datentyp> CD-ROM Cycle (graph theory) Point (geometry) Student's t-test Computer Number Power (physics) Revision control Read-only memory Robotics Software Computer hardware Energy level System programming MiniDisc Condensation Operations research Noise (electronics) Dataflow Generic programming Line (geometry) Database normalization Radius Computer animation Software Rootkit Computer hardware Game theory Operating system
Web page Group action Observational study State of matter Code Multiplication sign Login Computer programming Storage area network Software bug Product (business) Well-formed formula Kernel (computing) System programming Series (mathematics) Information security Error message Metropolitan area network Algorithm Executive information system Cellular automaton Electronic mailing list Code Mikrokernel Line (geometry) Instance (computer science) Machine code Message passing Process (computing) Kernel (computing) Computer animation Logic System programming File viewer Freeware Window Operating system Probability density function
System call Code Weight 1 (number) Client (computing) Software bug Semiconductor memory Kernel (computing) File system Endliche Modelltheorie Error message Mapping Computer file Mikrokernel Sound effect Physicalism Bit Message passing Process (computing) System programming Interrupt <Informatik> MiniDisc Right angle Modul <Datentyp> Asynchronous Transfer Mode Point (geometry) Asynchronous Transfer Mode Server (computing) Module (mathematics) Connectivity (graph theory) Device driver Limit (category theory) Distance Power (physics) Flow separation Computer hardware Authorization Energy level System programming Interrupt <Informatik> Data structure MiniDisc Form (programming) Computer architecture Module (mathematics) Server (computing) Memory management Line (geometry) Interprozesskommunikation Limit (category theory) System call Particle system Kernel (computing) Computer animation Software Basis <Mathematik> Table (information) Abstraction
Asynchronous Transfer Mode Server (computing) Datei-Server Computer file 1 (number) Device driver Parameter (computer programming) Rule of inference Goodness of fit Virtual reality Cache (computing) Read-only memory Kernel (computing) File system Data structure MiniDisc Address space Block (periodic table) Server (computing) Computer file Fitness function Memory management Virtualization System call Datei-Server Data management Message passing Kernel (computing) Process (computing) Computer animation Software Personal digital assistant Right angle Block (periodic table)
Context awareness Server (computing) Overhead (computing) Service (economics) Datei-Server Table (information) Code Multiplication sign System administrator Plotter Set (mathematics) Insertion loss Heat transfer Regular graph Distance 2 (number) Goodness of fit Cache (computing) Semiconductor memory Kernel (computing) File system Gastropod shell System programming Energy level Damping MiniDisc Scripting language Email Dependent and independent variables Information Inheritance (object-oriented programming) Server (computing) Weight Chemical equation Computer file Mikrokernel Bit Group action Datei-Server Message passing Word Kernel (computing) Computer animation Interrupt <Informatik> MiniDisc Block (periodic table) Communications protocol Spacetime
Code Multiplication sign Water vapor Mereology Software bug Fluid statics Mechanism design Kernel (computing) File system Cuboid Office suite Error message Information security Vulnerability (computing) Boss Corporation Data recovery Infinity Bit Process (computing) Crash (computing) Buffer solution System programming Quicksort Spacetime Asynchronous Transfer Mode Server (computing) Virtual machine Maxima and minima Computer Number Power (physics) Product (business) Crash (computing) Propagator Gastropod shell System programming Software testing Data structure MiniDisc Computing platform Noise (electronics) Key (cryptography) Server (computing) Memory management Code Total S.A. Line (geometry) Datei-Server Loop (music) Kernel (computing) Computer animation Blog Table (information) Communications protocol
Computer virus Randomization Context awareness Source code Execution unit Client (computing) Computer programming Software bug Data model Pointer (computer programming) Mechanism design Shooting method Hypermedia Different (Kate Ryan album) Kernel (computing) Negative number Error message Information security God Programming paradigm Seitentabelle Arm Software developer Binary code Mikrokernel Message passing Data management Process (computing) Sample (statistics) Crash (computing) Buffer solution System programming Interrupt <Informatik> Summierbarkeit Modul <Datentyp> Quicksort Cycle (graph theory) Figurate number Programmschleife Inverter (logic gate) Web page Point (geometry) Computer file Connectivity (graph theory) Branch (computer science) Mass Infinity Computer Crash (computing) Computer hardware Authorization Energy level Data structure Booting Compilation album Form (programming) Computer architecture Focus (optics) Weight Code Power (physics) Equivalence relation Compiler Mathematics Video game Data Encryption Standard Library (computing) Building Run time (program lifecycle phase) Length Code Multiplication sign Binary code Arm Data management Programmer (hardware) Mathematics Injektivität Email Measurement Type theory Touch typing Normal (geometry) Procedural programming Whiteboard Server (computing) Service (economics) Robotics System programming Interrupt <Informatik> Message passing Condition number Module (mathematics) Operations research Addition Multiplication Pointer (computer programming) Kernel (computing) Computer animation Computer hardware Pressure Buffer overflow
Open source State of matter PRINCE2 Characteristic polynomial Flash memory Set (mathematics) Solid geometry Coprocessor Arm Befehlsprozessor Computer hardware File system Videoconferencing System programming Endliche Modelltheorie Series (mathematics) Exception handling Identity management Personal identification number Demo (music) Flash memory Content (media) Bit Complete metric space Variable (mathematics) Discounts and allowances Curvature Word Befehlsprozessor Computer animation Software System programming MiniDisc Whiteboard Videoconferencing Reading (process)
Radical (chemistry) Googol Hecke operator Computer animation State of matter ACID Quicksort Determinant
Demon System call Thread (computing) Code Multiplication sign Source code Execution unit File format 1 (number) Compiler Computer font Different (Kate Ryan album) Kernel (computing) Cuboid Cloning Process (computing) Endliche Modelltheorie Error message Email File format Computer file Sampling (statistics) Shared memory Sound effect Portable communications device Product (business) Message passing Data management Process (computing) System programming Pattern language Web page Game controller Open source Observational study Divisor Portable communications device Product (business) Software System programming Compilation album Computing platform Computer architecture Task (computing) Mobile Web Multiplication Standard deviation Assembly language Mathematical analysis Expert system Code Cartesian coordinate system System call Compiler Computer animation Window Library (computing) Cloning
Point (geometry) Asynchronous Transfer Mode State of matter Weight 1 (number) Counting Fault-tolerant system Programmer (hardware) Kernel (computing) Set (mathematics) System programming Energy level MiniDisc Computer architecture User interface Mapping Server (computing) Weight Mikrokernel Mereology Line (geometry) Group action Cartesian coordinate system System call Category of being Computer animation Mixed reality System programming Normal (geometry) Software testing Quicksort Fingerprint Library (computing)
Server (computing) Group action System call Open source Multiplication sign Artificial neural network 1 (number) Web browser Food energy Arm Product (business) Revision control Programmer (hardware) Whiteboard Cuboid System programming Series (mathematics) Gamma function Recursion Computing platform Metropolitan area network Default (computer science) Weight Projective plane Java applet Mikrokernel Menu (computing) Open set Web browser Category of being Word Kernel (computing) Process (computing) Computer animation Personal digital assistant System programming Right angle Library (computing)
State of matter Multiplication sign Open set Fault-tolerant system Mereology Computer programming Software bug Medical imaging Semiconductor memory Different (Kate Ryan album) Office suite Information security Position operator Computer file Electronic mailing list Sound effect Special unitary group Open set Thermische Zustandsgleichung Process (computing) Hash function System programming Quicksort Resultant Asynchronous Transfer Mode Spacetime Laptop Point (geometry) Asynchronous Transfer Mode Game controller Computer file Patch (Unix) Hypothesis Revision control Internetworking Operator (mathematics) Software System programming Data structure Newton's law of universal gravitation Projective plane Cartesian coordinate system Single-precision floating-point format Computer animation Personal digital assistant Revision control Table (information) Window Operating system
Run time (program lifecycle phase) Code State of matter Multiplication sign 1 (number) Open set Mereology Software bug Formal language Mathematics Radio-frequency identification Semiconductor memory Kernel (computing) File system Extension (kinesiology) Gradient Sound effect 3 (number) Database transaction Type theory Message passing Data management Process (computing) Right angle Queue (abstract data type) Quicksort Task (computing) Spacetime Server (computing) Service (economics) Computer file Real number Translation (relic) Product (business) Revision control Goodness of fit Term (mathematics) System programming Data structure Compilation album Matching (graph theory) State of matter Memory management Code Computer animation Personal digital assistant Video game Object (grammar) Table (information) Operating system
Randomization Run time (program lifecycle phase) Code Multiplication sign Coroutine Bit rate Mereology Computer programming Variable (mathematics) Mathematics Bit rate Semiconductor memory File system Information Data conversion Extension (kinesiology) Information security Position operator Data recovery Electronic mailing list Rollback (data management) Bit Port scanner Variable (mathematics) Orbit Category of being Type theory Message passing Process (computing) Hash function Point (geometry) Patch (Unix) Control flow Graph coloring Number Revision control Frequency Read-only memory Hacker (term) System programming Speicherbereinigung OSI model Data structure Theory of everything Hydraulic jump Address space Pairwise comparison Matching (graph theory) Information Leak Kernel (computing) Pointer (computer programming) Computer animation Personal digital assistant Table (information) Library (computing)
Slide rule Group action Run time (program lifecycle phase) Open source Multiplication sign Numbering scheme Compiler Binary code Branch (computer science) Open set Software bug Programmer (hardware) Mathematics CAN bus Structured programming Dedekind cut Computer hardware Flag System programming Software testing Error message Hydraulic jump Task (computing) Predictability Addition Overhead (computing) Information Block (periodic table) Port scanner Word Computer animation Software testing Object (grammar) Block (periodic table)
Web page Ocean current Onlinecommunity Trail Group action Code Connectivity (graph theory) Maxima and minima Login Total S.A. Semantics (computer science) Value-added network Wiki Medical imaging Flow separation Googol Kernel (computing) Operator (mathematics) Authorization Cuboid System programming Website Gamma function Information security Error message Metropolitan area network Mapping Assembly language Information Sine Software developer Web page Bit Total S.A. Line (geometry) Port scanner Measurement Word Process (computing) Pointer (computer programming) Computer animation Personal digital assistant Universe (mathematics) System programming Website Quicksort CD-ROM Operating system
Polar coordinate system Point (geometry) Metropolitan area network Home page Link (knot theory) View (database) Archaeological field survey Web page Execution unit Archaeological field survey Knot Student's t-test Student's t-test Computer programming Product (business) Degree (graph theory) Word Computer animation Googol Videoconferencing Website System programming Website
and then determine bounds and following and make this thing part and the other thing is normally works have never seen it like this that before but I'm sorry but this is not much I can do about it OK so I'm going to talk about a reimplementation of that this using a microkernel and this is the work done by my students in my program resides or watched of a all arose changed over the years but also now to build a reliable operating system kind so what's reliable offerings that will let me give you my definition of an operating system is said to be reliable when a typical user has never experienced even a single failure in his her life time and does not know anybody who's ever experienced a failure if in engineering terms Republic but mean time-to-failure 50 years some like that I don't agree that some people say things a reliable you know that you will say well you know if God wanted computers to work you wouldn't the reset button so I I don't think that's really whereas you may think that that's your grandmother you know the is or why does not work is most of the things work OK so there's
a couple words about recall the television on Sept 1 divided step to plug it in step 3 words prevalent next 10 years that's where all eyes televisions becoming computers is becoming less so but still traditionally this is where televisions work in the OK now the computer model known as edition by the computer you plug in other sort 2 thirds of the way they're just this little thing about that and now it works for the next 10 years well it's not the 1st you have to install Service Pack 1 through 9 after of 10 and then you have to install a or emergency security patches that came after 9 have OK and then you gotta find install 7 new device drivers because all the ones they give your obsolete then you install the antivirus software and they install the anti-spyware software and they all the and by hacker software and then when you install the anti-spam software and then you're going kind of x amount that is random space on the slide
there's more OK it doesn't work so you call the help desk again and you will hold for 30 minutes and then they tell you reinstall Windows which is what you're trying to 1st place on a typical user reaction is something like this but except for us words from the play with it but you know for grammar as a function of your content of the while back saying the 25 % of computer users have actually hit the computer with there so angry with that you know that's not the monitors for something that the computer itself for minor minor wasn't find its fall OK so I I don't think we're quite there in terms of their reliability and so is reliable important well it's annoying when it doesn't work you know and some lost work we should also think about other situations for example industrial control systems and factories cars moving down the assembly line and some crashes and then stop everything like a much or power grids about a dozen after reading for a couple minutes on the people but on hospital operating rooms must not like the work in the light effect of your banking and e-commerce service that did that for 5 minutes feel they measured amount of money that isn't enough to make about mega bucks per minute there on emergency phone centers lot applications control software in cars and airplanes all kinds of things is what applications where people actually care a lot about you know reliability is it feasible to make reliable 1st of all I will never know if we don't try and the Dutch Royal Academy of Sciences Unit 2 million euros to to try so I said thank you very much you tried the European Union gave it to have linearity of shot so very grateful for that so we're giving it a shot without but it
is it achievable all memory you can make nothing nothing you can make this stuff reliable but that I don't buy that on systems can survive hardware failures for example radius can survive a failed disk iterated system but this fails start working it's big screeching noise magnetic oxidase flying all over the place that the whole rate continues the workers redesigned to work even if a drive fails impact exonerate with can survive to fail drives if you want requires more redundancy memory can fail ECC memories can recover from memory failures are kind of CPA can survive and packets they get lost packet gets lost somewhere it understand citado that widened acknowledgment also and again you know and so the CD-ROMs and DVD drives three-quarters the bits on these optical media are error correcting bits so you know 700 megabyte CD-ROM is an action 7 megabytes 3 gigabytes and is is a 14 bit numbers used to encode a bit number and then there's a 3 thousand bite number news to encode 2048 bytes certain songs many levels of redundancy to make it work so you know if you can survive hardware failures for heaven's sake remarkable survive softer failures that's a lot easier than so harbor failures repair
and so I think we need to rethink operating systems and and the research in this thing needs to be refocused somewhat that performance isn't the only thing the only game in town although some people seem to think it is we have nearly infinite harder and this crater generic PCs these days that I I look at some point I said on the IBM 709 which cost 30 million dollars the little room the size and iPad is about 30 thousand times faster than the fastest computer in world 40 years ago and has about 10 thousand times more on 1 of the biggest computer in the world because the million dollars that there's a lot of power in modern PCs laughter around lots of cycles of with this tons of useless blow where all modern software so the slow and load and but he doesn't have to be like that that's self-inflicted so as to achieve what I would call the the TV model the future operating system be smaller simpler modular veryimportant reliable and secure and in particular self-healing which is at the root of the itself it's itself that harder can fix itself rates and fix the problems the TCP can fix its problems is the memories and fix the problems like in the soffit fixed some problems some easier than so that's worth working here a very brief history of work been doing it is I think that the dimension of money in 1876 John Lyons Road kind of a a commentary on UNIX version 6 describing it line by line what it did in fact in 1939 18 the patterns and said you can't have students understanding are are you existence terrible so the new license for did writing any books about the were teaching classes and so on and then you have years later I said you know maybe I could write a Unix like system myself those like version 7 and then had this crazy licensing thing on it and that the robot can came out 1987 in was that there was nothing CD-ROM in the back of the book with the all the another there was before that the floppy disk you can get a separate boxes CD-ROM drives on the company and so there's like a floppy disks which had the whole source code everything on then in 97 limited Posix-compatible now come out and 2000 which has a license via the license that previously they were selling the box things at 69 dollars which is the actual manufacturing cost with a floppy disks and a book about it you know on the box and everything so convinced them that bitterness that the condenser which will be the license through that and and then the descended from the outer and inner a little bit wasn't so big in 1987 in the semi mannerliness Torvalds wrote his biography that he bought a PC for the purpose of running Linux and began reading and again changing it and and so on so in a sense when X is a fork of semantics but this is the guys about forks in the 3rd edition book came out of the European grant and then moved for embedded systems and that PAC which I'll talk about later but it doesn't 3
editions the Book of intelligent
design list as applied to operating systems and I have been and always I think you know been attacked for the wouldn't microkernels keep users often we compute the kernel to be small you understand it would you mm now 15 million lines winners well over 100 million lines nobody understands starting at that Windows Microsoft missing like work on on the Windows kernel here's the book you a room listing 100 million lines states of 18 bookcases of the code nobody understands that you know I mean that a product that nobody really understands it's not a formula for you know about free kind of thing people of study bugs in great detail and companies they often have like registers and make you know if you find a body of the telomere registered the logic we will study these logs and getting down to like you know 1 to 10 buddies per thousand lines of codes but best you can do 1 but per per thousand lines of code seems to be the best anybody can do that very few recorded instances of action doing better than that that of makes that 15 thousand 1 of the cultures 15 bugs and kernel looking from California but there's a chance you might know when it's published 15 thousand but not all of a series of course some might be punctuation errors in a message of some kind but some of them undoubtedly so serious and other programs have this something they notice that Adobe updates flash every 15 minutes because of security reasons like they can't get a PDF viewer work and have an operating system is harder than that hour and drivers have no studies have shown drivers of 7 times more blood cells that everybody wants to look at the Linux in paging algorithms to so much fun nobody looks at the end of the absent from printer on you know some other printer that and 70 % the code is drivers Motorola that so the stuff of a of that but I think a good systems be modular it should run as multiple processes which are you know separated and have
well-defined components so 1 of our philosophy things have isolated components and so move all the lower loadable modules also the file system Memory management evidently kernel the separate process is protected by the MMU and you know these things that can interfere with each other too much effect so every model every model should run with the principle of least authority the polar so if a certain module certain power it should have the power but shouldn't have power it doesn't need there's no reason audio driver needs the power to fork right just those need that and giving it the power is looking for trouble on the particle with authority in step 2 is to isolate the eye of the I O devices should be isolated from each other and limit access to I O ports so in in Linux drivers don't have access to the I O ports they have to go through the microkernel to get access to the distractor can actually talk to the disk that was talk to the to makes a kernel call this is on the right on the dust registers and the kernel checks 0 yeah yeah the just reduces to support your allotted they would go to that effect but some other driver can right this point to the audio-graphic can't right in the disk in the tribes in a model of system of course is not supposed to but it could technically and you get bugs were attacks which allow the distance the audio driver to widen the data so that should be prevented by the hardware and the unconstrained demand that we can't write over memory with given I O and then you can get some of that in the hardware now and isolate communication so don't let any these pieces like any other please have a little table someone kernel which says this piece is authorized to talk to that piece and then it's OK to try to talk to somebody you're not supposed to talk to that it's not OK and for while and also the kernel has some calls these are deposits calls this a very low level calls like create the structure for a process that can be filled in later and so on and handle interruptions for low-level stuff again it should only be allowed to do the ones it needs to do to but a bit maps saying you can make these calls and making the other 1 you back an error message saying no permission that is always would restrict the power of the little pieces so they only get to do what they need to do that the principle of least authority give a component only the authority to do those things need to do to do its job and no more than 30 restrict interprocess communication respect I 0 years ago everything also make sure the faulty receiver can hang standard so in client sends a message to a server and then the client goes away it doesn't listen the sender shouldn't hang transcendent answer that this receive original processes and
so this and as including and here the architecture of minutes 3 this kernel which is about 15 thousand lines of code handles interrupts message passing some steadily so interprocess communication some of the basics for process structure and so on and then the that in user mode are all the device drivers driver being a separate process can so this driver and network drivers all separate and on top of that are the servers like the file-server memories are in the process server and bunch of those and they're running a separate processes and then there's the user stuff technically these are all user passes and structure is kind of an intellectual in abstracts and goes on like 4 levels in the hardware although had 4 modes in the hardware 1 could do this with the intellectual does have form modes but we don't use them so it's more of an intellectualization than physical structure but the idea that each is a separate process protected by the and the so it can't do things possible them and so user-mode
device drivers every driver runs as a user-mode process they don't have any superuser privileges this drivers on special the sense volatile rules and in the newest turned on for the limited to their own address space can execute protected instructions and so on and they don't have access to I O ports that don't have access to the problem instructions the need to make a kernel call to do the special things the kernel checks to love servers there's a whole bunch of them they all run as separate processes some of the key ones are the virtual file system the actual file servers process manager memory manager network legal reincarnation server which brings back the dead or talk more about that a little later self-healing that I mentioned earlier in reincarnation that's a good fit right OK so here's an example do you read suppose the black 200 happens to be in the file systems cash what happens to use
the kernel is the structure of the paper and so the user sends a message to the file system saying specifies in parameters on file system checks its cash and finds catch does a kernel copies block back to the user so kernels are have is back and file systems as the user but that that's an easy case where the block civilian file systems can now look into the other cases where it's not in the file
system uses a message to the file server saying you go read out on read as fast as and that's all I have my cash called additional called the kernel fellow right these words onto the I O device registers for the disk to start the transfer read into my cash and the disk you know makes the protocols they should do this you know the answer OK and I it weights it suspends waiting for message and eventually interrupt comes from the desert the vertebral low-level inside the kernel the interrupt is turned into a message to the desk this get city doing receive it gets a message from the disk saying hi I'm the disk because there's not much information interrupt and then it's going go out and read that the just registers by asking the kernel please read these registers finds at all the the command completed correctly or didn't complete correctly and then it goes on and it tells the file-system read completed directly or read not included correctly and file system makes a called kernel copy data the users space on the desert and then rolled up and there's like men and 9 messages on like that in the end with time this stuff it takes like half a microsecond per message depending on the level of a regular PC it's well under a microsecond so if we had a 10 messages that have a microsecond has 5 microseconds the total time and some loss in the context switching but you don't really distance ms this is kind of small potatoes really there is some over pose the for guys have managed to get all of this microkernel that down to about 5 % over really push the very hard but it's possibly the overhead down to something like 5 or 10 per cent and now
reincarnation server thing I talked about it and and how does that work well in the reincarnation server is the parent of all the servers and drivers it's up there with before etc. so it owns all those servers and drivers as the children so it can you know when some dies it hears about OK so it gets a signal you know sick child or something like that and it can thoroughly really deposits of this level or below that it gets a notification something happened so that adjacent stable to find what happened and you know it doesn't run a shell script the shelter would be like send mail to an administrator sitting in the gold start the driver again that kind of stuff so it also claims that regulate the check there is OK so the reincarnation server will go to describe say ideas driver I don't the services and these great at 47 regressor losses so it's happy for 2 seconds and things again and says I just ahead of the service is great did 84 across 2nd kind of the strict and then the things again 2 seconds later I don't think I a this high and the reincarnation server by a enough OK but shut up 1 more time high and the reincarnation server and good and bad in this library and you're an answer me how a balance now so it kills the just driver and then it doesn't start to know as a gap 1 can go to the best it keeps a copy of the disk strivers you know the destroyer code in the RAM disk and memory so it's always got a way to restart the just driver from scratch and gross wanted as a 1 in running dystroglycan got all the other drivers from the desk and the drivers of set of the item Problems of file system so just read this plot they can read it again of has so a little bit of effort you can make this actually work in fact more than 2 years the same story again the
file system story with their so the file system doesn't this go read this platform and it crashes Cervantes crashes have the reincarnation server years about that no 1 gets propagation water children crashed so goes it's all protocol decides you know tricycle officer might be an infinite loop it's not really dead yet because it off if need be but no 1 tells the file server is a new just driver and file system which has to be written so it's based on a potent now takes in as the remember the commands it gave this driver listen tables all was busy issuing the commands of answers for them yet tell no 1 what to no 1 gets the commands the fails again you can repeat this and indefinitely eventually in hopefully get the answer many of the errors are transient and other weird timing errors the 2 things happen at the same time it shouldn't of tried again often at work so a lot of time you can recover from that of the basic mechanism itself self-healing the system detects on failure is able to recover from and from use this a number of places this is sort of the basic idea the self-healing system you constantly check your own health something goes wrong have a way to deal with that and kernel reliable and
also security on fewer lines of code means you're kernel blogs all security errors are basically box nobody ever put security holes in their own pros and these are basic programming errors something somebody's a buffer overrun some them but expected and if you that less code and the fact 1 byte per thousand lines of code yet he once again so the critical code so this you're by scores of smaller the total system problems the same number advisory also but they're user space very much isolated as I told you before so they have less power to do damage so that's really the key to the design of the trusted computing base is basically smaller is no foreign code in the kernel with other systems because from new device that comes to the driver and all that in current on the driver by in Taiwan whose boss was breathing down his neck we got a ship we got a ship in the kids says is not finished yet started the test and the bosses I don't care we have to ship the product which it'll make a release later and you put in your kernel we think that's a bad design you put in user space with very limited part it can't do you know too much damage if the audio drive isn't debugged yet they can you know somebody with tax it can make weird noises so but they can take over the machine because it doesn't have the power the 4 2 shell doesn't have any power the Delaney 7 would make weird noises and that sort of the basic idea also we we opted for static data structures is molecule kernel little bit inefficient in the sense of the process table a fixed size fixed at compile time but getting rid of now like in buffer allocation and all that stuff you know limit of awful a problem so removing the bugs to moving userspace doesn't reduce the number but it reduces the power to do
damage that in a process of negation all the masses are fixed length 64 bytes again is a few places you need someone to put a pointer enhancements of his affection the whole procedure for that affects life messages everything's 64 bytes is a type of not message buffer in on some header file there's no buffer overruns Evans fixed-length emission simpler 1 away we a rendezvous system that anyone has some measures to be a a set the message in the gardens I can answer but we had problems with that ultimately with 0 no lost messages which was great and there's no buffer manager which is great but we had an asynchronous messages because the clients in a message to the server and then declined by the server couldn't get gets in reply by server on and so to get rid of that we have a goal in additional mechanism asynchronous messages which we been like but we're sort of forced to do that so you know and we unify interrupt awful enough and so we the very very lowest level the turn the messages to whoever has signed up to to get the interrupt tag driver
reliability security drivers base the untrusted code running all by themselves and isolated user processes different than most systems were driver has to be trusted God and given that the driver like in Taiwan was under time pressure I it's better to have this you know the user code and the the you keeps away so if some drivers compromised the robot in it that but can spread to other components because it's limited to what we can talk to and under what conditions in which calls it can make this principle of least authority limits the scope of the blood the but probably can get out of the the component it's an hour if it's in the best driver you got problems but most of the virus you can talk to the just so you know it can touch the kernel data structure which is very important you know in other systems there's a bug in some module can write all of kernel data structures and then it tells you can happen nobody can write on the kernel data structures that the kernel a bad pointer which can handle time and see only brings down 1 thing the reincarnation server sees that the tries to recover from that that if something gets interleukin doesn't answer the pains then the further reincarnation sensor service concern is dead kill it announced ordinary 1 back to hear what kinds of problems and we restrict the damage in these things can the because not super uses iterator processes have to ask the microkernel for permission to do anything and if you're asking the sum that you shouldn't be doing the answers among other advantages of user drivers and the short development cycles for programmers that's normal programming model started the driver it runs it crashes you know you can you can debug it in just that normal program crashing you know you get some chance of getting a reasonable dumped you so fix the error back aerobatic compiler if removed a computer with takes a couple minutes so it's easier programming model and more flexible ransom experimental of experiments and the form Jackson rejected 800 thousand false and each of 3 even a drivers and then the binary drivers of runtime which wrote stuff all over the the driver actually we right we intentionally looks for things that mimic programming errors like a branch less than for branch less regal to like you the equivalent of you know for i equals 0 i less than in Member I less than or equal to and know that kind of stuff we over what created that can errors and rejected 100 faults wait a 2nd see if any crash and it didn't rejectable under false and went on to the board and you know about the crash drivers like 18 thousand times sometimes object of all my code is not executed units somewhat you know not needed right now so nothing happens to we crashed the drivers all all time but we crashed the operates in which as you'd expect inverter comprehensive fault injection experiments on port of the next today on at some point we decided we should be doing and on board I want my program is run time of the year and in and around the the port and we had to restructure the the source tree from multiple architectures actually makes 1 random multiple architectures in media and Atari and sparkle bunch things the Council lost along the way somewhere and managing the burning through the you would to boot on the on the different than had a rewrite the low-level code dealing with the hardware touching the MMU when page tables and in the very low levels of course is different on the on on the the context which is the front page use different we we we throughout the x 86 segmentation code the x 86 could actually run Multics at segmentation paging like Multics that nobody ever you will allow us to use a little bit but in most other systems did not use the ability of the 386 had gone back and hit the 5 since nobody reviews in which there an throughout the throughout and then at that point we imported the net arm headers in libraries and the bill that stage for cross toolchain supporting the figures people were likely to be doing the bills on 1 mole so possible but before you go out cross compilation so we had change build system where a drivers for the SD gardens the be all things to all talk about me that and then the focus counterchanged to embedded systems all but in
particular we are interested in the deal series won't be all black and so on this is open source hardware that and it's yours but this is is what size of us most smartphone and a cost about 50 dollars roughly depending which model that it's in at 9 centimeters by 5 centimeters complete PC with the normal kids at all ever the 2nd pieces on the full size board for 50 dollars and that people use it
for prototyping embedded systems but if you had an expensive embedded systems would be toward in there you've done here some of the characteristics CPU's on a B 7 to cortex 8 the numbering of strange but and wanted the gigahertz it's really fast to have a again around 1 to 4 B 4 gigs of flash memory so the board has a discount effectively in a solid state disk of 4 gigabytes and you have a file system everything on this chapter 1080 p video content 92 little pins on it that you can run out to turn lights on and read switches and sensors all kinds of things you use embedded system is a base readable and writeable from software except under maybe even at so 1 USB port on identical USB device on the could conceivably could be held to have more USB devices you wanted it's open source you find another harbor works on these days it's often hard to find out of our work so they will tell you this is simply open source and strict 45 dollars a 55 dollars which models around 50 dollars this different several models of the state variable but we also to the Raspberry Pi B plus 2 competing board 1001 V 602 older processor runs slower at 7 a bag of words that of a gigahertz same-size ramp doesn't discount which is a disadvantage that you can actually you can put a file system everything on the board this demo disk to 1080 p video to Europe Japan opens it also animated definitive for USB ports which is a plus so again for USB devices without a whole set of possible and flat open source it's hard to figure out how it works it will tell you and it's a little bit cheaper so all along with the open source open source hardware and more powerful processor would be a better idea of the UK and and
that I will admit that they have and that I was wrong once once and on January 29 1992 I posted to count up 0 was that mimics the Usenet newsgroup now on google on people were bugging me add this feature in the future and in the acid base with those neurons are not unhappy Linux will get all the people who want me determination to be a state of my back again because they're all at this and this and that want to also I apologize but I do want termination because they just to be 20 years to realize this sort of the kind of slow and so
makes 3 minutes this state the minutes there's obviously so to
get something like that of the ordered all this the demons Copyright 1988 by Marshall Kirk McKusick use with his permission or maybe it's like
this anyway so why we expect what
we do have applications after we discovered that people don't like it was applications of these user approval portable quality product out there for a very long time and it's got a better code colonists code quality is marginal now and with we've tried compiling Linux with LVM for example you can't do it is not written in C is through the GCC effect and the difference and so you compiled which is better in many ways it doesn't work this thousands and thousands of compilation errors in and so you know it's just like a lot of the coding Lennox's again and we like package source which is a really nice package manager and thousands of packages out there all work so you usually is an active community course license compatibility were were BST compatible license I was a keynote speaker at Linux Australia few years ago that some of them they're sitting in this talk about him many experts from home but whatever I did mention licensing and the talk somebody asked me no question what what's license as its BSD-licensed analyze product sharing this is a Linux conference they broke out sharing was mixes BSD license and inspect that's why net BSB I think mostly because of its emphasis on portability that but if you ported to 80 platforms you can have a little weird unit 88 in x 86 dependent stuff in the middle of the code that doesn't work well on you know all the other architectures reported that really forces you to stick to all the standards to be fairly clean and not inline assembly code that kind of stuff so that we thought it would be easier to deal with that because the great emphasis on portability and naturally and try the the other ones with the it's the pages we use flying LBM is the main compiler we do of GCC but the main the 4 compilers describing old and we use in LPC build system is the file format which is new for us the source tree multiple architecture solves modeling obviously works headers mobile libraries company appears the next 11 a pack of source works and last time I looked we could build up about 5 thousand 40 packages that right the box that is built properly and this but other patterns that don't build because is 1 piece missing somewhere you know sometimes it's as simple as a fox you know that we don't have this this thing needs this font we don't have a fine enough time to report the far apart but in the footnote about the license but the building and and and so on but nevertheless it it did it builds you know of all the minutes stuff underneath it and so you know it's looking at is the like but not entirely correct so we have kernel for that that wasn't originally we do abuse been not kernel threads some of system calls amazing like LWP and message and samples missing something to be added easily think that of clone that we don't have somebody get calls on the articles that KQR k k traced on the fork that's basically performance on the job control since the x 11 if some running them some anyone this analysis study windows in 2 ways to mess around with them It's and job involves very complicated and some of my articles are missing nevertheless we can build over 5 thousand packages so a lot of stuff bills but of some factors depends on some weird apple we don't have them you know doesn't work QA task the whole
bunch these tasks on because the bottom line here is the 21 39 out of 20 651 past the 81 per cent so we're said 81 % B is think about that is compatible in some sense but it's the weird ones that we didn't know that didn't work the easy ones were so it's kind of biased toward the 81 % include most of the easy stuff and less of the hard stuff so here's the system
architecture of the whole thing so the bottom level is show is magnet mixed microkernel and all diminished drivers and then the servers so that all may make up to this point and now when you go to use the land on that this so we re-implemented the net BEST user environment on top of this fault tolerance in a modular much more bulletproof certain under review underlying layers so to the application programmer you just assume that it's 81 % B is the there's a there the libraries of their most of the system calls are there but not some of the where once the application programmer sees it as more or less normal map state because of all other problems talking about of reliability and fault tolerance 1 of your self healing so it's sort of a mix which what we think give you some of the good properties of that history and the properties of minutes to mix together
and it runs on the big billboards and
you can read this but raised to address that OK so I know the penny which borders is sometimes we know some features The Beagle words with enough time to implement a new frame buffers in some candidates about didn't but much of it is there but not all of it so it covers covers most of Beagle people stuff
what you all nodes become open source products always open source but it's now you know volunteer project and so some of you will join the people like to play with is the stuff this isn't a new toy to play with and things to do if the some system called the absolute crucial that we left out there they can be added but know mucking around the kernel on the servers recursion Notre doing it's not enough for beginners clearly and within about most of them until reporting more packages we don't have jobs you know a proper browser reporting other you know that B the year produced the softer be really really nice in many cases it may not be harder 7 at the time or manpower doing the right the other drivers for the for the beagle series wouldn't wouldn't have ported to the Raspberry Pi which may be hard because it's not open source and the minute I think works but there may be other platforms down their little no small embedded words we do know that rumpus certainly something that we're aware of we have the manpower look at but you know some kind of you know ports and libraries in up to 2 years and the Porter grouping of a proper growing many programmers are happy with x 11 really care about we're going to have a nice to have some kind of and we had the something called the economics of the previous version so lost in 1 here's a nation nutshell it's a micro kernel reimplementation of net this on on on the underlying system has all the properties of microkernel the multi-server the self-healing but to the users looks like this and it's open source could be the license is highly compatible that this the and to the same and that these these compatible other because these were also as compatible or not but that's not our fault we just copied 1 of them and this and that it's not like the other ones all the sorry that supports both L of the energy sealed L-Dim default uses package source is but 5 thousand packets of both of the box that many 3 . org it's cost downloaded
positioning of this thing we're trying to show that multi-server systems actually work and can be made reliable and demonstrate the driver's blind user mode of highly reliable and fault-tolerant applications on the crucially many consumer applications were high reliability is important and to there's a company and Holland you which is making thermostats which got an iPad to wall the controls a house that's on the internet that they're very worried about security and Avery but reliability check if people can hack your house from the outside turn of the burglar alarm on in our thing goes down for a few minutes once in a while that I want so there are increasingly many applications were fault tolerance and high reliability our nation's might will there and you know and images 100 or laptop project at MIT and then it the summers and come up with a 50 dollar single-chip laptop for the 3rd world at some point where small memory footprint is you've been issue you know all the RAM was on the chip and the memory footprint of the CIA's role is small but embedded systems shown is
a target now but the Sun is not in the current version but working pretty hard we hope to get within half a year for a Lucky lined up in this somebody's PhD thesis these assistance office sorta works mostly but little but this is not you know ready and suffers updated the fix bugs all time to improve performance and new features and what not and our goal is to update the operations into a new version without rebooting sort of talking about a three-line Kernel Patch we're talking about a new version of the operating system or some part of that which can be substantially different than its predecessor but to do this on the fly without interrupting running programs and you know we don't want restart the running programs even we change the operation of Mandarin and so the new operations might result data structures so in the old version used as a linked list for something or other and the new version of a hash table of cases actually different data structures self-reliant patch and now have user programs continue to run and is low state in the timers open files and what not to the State transferred through the hard part here that is an example of how this might work so suppose patches running on freebies the temple 1 some of the matter and which 1 is a patch still running I switched over to the B is the 10 . to change the operating system and programs in writing applications in space don't notice you change the operating system they continue to run the the state has an effect in any way you know operating that can do that is where most systems and you know just replace the US for processes running started to appear their Linux Windows we can sort of
don't match and there's couple loose ends we haven't quite got fixed the workings of the here's how it works in Mexico why it's much easier in next new system so the Apaches running memory manager some drivers and file system version 6 . 0 and 1 up and I wanna do and update want to go to is you have a memory manager but not change and that is that's OK the same 1 drivers and the change but here's file-system 6 . 0 and their spouses and 7 . 0 so we've changed the part of the operating system but not all of them often the case especially if you're thinking in terms of of these things are modular I don't have to update everything once all we have the ability to do that on W changing the file system found a bug in an or you got some new features in the file system but this only have a memory manager and no need to do little once again what we do have the ability to some extent
to how we do the update of OK were selected a manager tells some process like the file system OK you're going to be phased outside that the obsolete and it says check that our stuff life and don't take on any new work so when were comes in from messages human messages don't start up meanwhile you're in the middle of all the things you get this regret spending got of what fix all the initial that all so all the existing work here is finished also manages to everybody and eventually get the quia since they were no work spending all the work you're doing this finished and none of the work come since you got this message has been started messages queued up nicely in in human ransomware somewhere inside rather space and so if it is also work accuse all the new work and then it sends a message back to the manager saying OK I'm ready to go and on not in the middle of anything if updated in the middle of anything is horrible lot of the work on live update of people don't but try do in the middle of nowhere halfway through some other kind of data that that seems to me crazy that the work of the services takes milliseconds and you don't need to wait 30 ms told you finish whatever transaction you're busy with good work we have since they re not doing anything in the server all the new workers in QCM lost anything and then say the magic and writer role that and so with the manager does it creates a new copy of the file system the file system is a separate process right unlike those systems is is the user process to the file system creates a new product the in fact the manager creates a new process put into the code of that new process the new code of the new file system just another process led to file systems in 1 is the real file system the old 1 and then there's no 1 over new ones are going be up there are 2 separate processes and 1 of things require reasons we use LVM is LVM is programmable you can add new passes very easily programming language in to do things so we get the past during the compilation which takes all the data structures and makes a table in memory listening for every data structure every variable you know its name and where it is in its type and everything we know about it is in memory and run-time so it's relevant straightforward for any piece of the operating system to find all the data structure this is the table their listing them all going to the new file system has to get the state from the all file system because open files and so is still a table listing all the data structures so it goes to the old 1 and says Jimmy Dean state and so it is in the state and then with all the state is ready to go to transfer the state in 1 object time and when all the the of the state has been transferred then you can create a 3rd file system which runs backwards taking the old state now you went back to the you know they could take back to the all state and then you compare the effect the the gradient business and this is sorta like suppose you translating English the Dodgers kinds of males and you know using google translate and they translate the Dutch back to the English which you get that sort of matches which had the 1st place then all the can't prove it is a pretty good chances translations correct not it's unlikely that totally garbled translation would give you back the original so we do that and everything's OK we go forward if it's not we bought the whole thing and then you go to the restaurant nothing was prepared to
step it work so here's out so the works is the the user and Apache or whatever the old file system the kernel and then somebody says and file system get ready for updates and the new 1 has started a process created in new and what's in the tables of sociology and a variable X with and the answer is here's the blacks and then it goes to solve Table 1 time getting all the stated things it doesn't it doesn't ask for some data structures no longer use the divergent never ask for it and this has little bit more complicated than this possess identify the what's what this was all that complication but basically has a list of what it needs to discuss as for and then the 3rd 1 the checker started it goes back to the version 7 saying softener tries to run the process backwards to recreate version 6 you know after its answered this comparison between the original version and the 1 recreated from diverse and 7 and if they match when business we kill of everything else go forward version 7 if they don't match we kill off 7 and the very in the 3rd 1 I can vary 6 continues to run the update is aborted but every confronting Apache is happy just in the orbit it gets the message update failed get some reason that will to move nationwide failed but basically system things to run either way and anatomy amendment about k splice which then MIT case place goes in and can make security patches by finding at runtime the code that's a problem replace it with a jumper somewhere else in memory executing the correct instructions the jumping back again and again a little very small patches the patches the running process OK on over time all these jumps to other places then accumulate memory and memories in a with all these little jumps so there's a lot of the union of losing some memory that the update fails part where your toes is no a rollback and asking if the update fails for whatever reason we just show off all update your process continues to run whatever was doing and everything is fine and you know this there's no update with the old 1 is still running applications for happy to still a number of things we can do in Chile and
displaced can handle major updates we've changed 1 data structure to the other to the extent that it's relatively straightforward we do that automatically the center not all straightforward the the writer of the new code has to put in conversion code to convert from the old data structure to the new data structures so if you've really changed in a major way like a linked list a hash table that the writer of the new 1 has to provide the conversion routine that gets a linked list converted internally to hash table that have to be there so you know it's really really weird you may have to do it yourself before straightforward cases it's all a matter that some other users of light update it gives you enhance security for example there's a lot of attacks on systems which are in the general category like returned to live said that the hacker found a break the system knows the exact memory layout of the program knows where the return address is on the fact overrun some buffer in such a way that the position where the return address is is not carefully planted pointer to the code he wants to execute in the library so on and can now take control over and go go to a library Tenons stories about gadgets and what kind of stuff that requires having a very very detailed knowledge of what the memory layout of the program much like we can do alive update to the set to itself very high frequency so we can change the code the data structures the layout the feral higher rate so this is like address space randomization in spades we get updated continuously during execution and you can choose frequency what some performance it obviously but but you can update so anybody trying to attack you based upon knowledge of what memory looks like doesn't have that knowledge and market changes dynamically to give you better security but it also reduces exposure to information leakage attack for the same reason somebody doesn't know what memory looks like they can exploit that goes with it we can change a higher rate and we also can the garbage collection in see this in the kernel and the new version has a list of what it needs so it only ask those things it needs things it doesn't need and pointers that don't point anywhere you not useful they don't have picked up in the new version so somehow there's a memory leak in this pieces stuff nobody points that nobody's and asked for his role for the actual variables that some point of the you know in the new code would have fetched the thing it points to Reno it's pointing to we know it's IPO address and everything but if the some chunk of memory which nobody is pointing to is that basically we don't that's that the cleans up memory leaks of color garbage collection even see and only like they just copied over this this can fix you know basic now what type of leaks from the from now
I cannot create another interesting working on but that's not the codon uploaded make it is
full objection is what we think testing is very important and all we have scheme using LOD and work for every basic block we can put in a test should we inject the faulty or not and then there's the original block and then there's the faulty blocked with some change to it and so that runtime becoming at every data block and say shall I inject the fault or not you go this way you go that way OK and the sale of the and does automatically so the not programmer and stuff into the new program structures that some basic blocks every basic block is now 1 of these blocks of the task at the top and then faulty not faulty so by turning on flags we can at run with a single binary make all the steps the reason you will not do this is that if you want you know on inject false that on the binary you have no structural information which during the during the sausage if compile time that's very expensive for large systems and here we have the advantage of source time voltage action and information but the performance of runtime and in addition we can even optimise with long 1 test for a certain class of false we can make a run over the binary and turn the slides off so it doesn't make the task which messes up the branch prediction the hardware and you make fun of to unconditional jump to the right place so this very elaborate full testing fold jection schemes now few words about the logo errors have low in animal like things to record what why reckon while they're small they're cute they're very clever the added open garbage cans that agile and the bugs which is very important and they're probably more like it is your house in England and unless you live in an article on the website makes
3 . org sort of simple sort this the websites of but not complicated website the that
mutations in wiki where he got a 3 letter word you can help for document systems and so this this wiki will have no information about what you need is usually is a developer you you walk and stuff about the system you can edit the like any other working on my is anybody look at Munich's ever but here's the traffic for the last year by month this correctly the website is getting something like 15 to 20 thousand hits a month has been doing so for at least 10 years tracking this on the total this is the main page since 2004 is about 3 . 1 million so we have 3 million visits to the website have also kept track of the download since 2007 by looking at the log for for these on visits to the download page is the actual you know log entries of somebody pulled in the ISO image of this thing and this been about 650 thousand downloads of the ISO image so there is a user community out there some sort of measure where it is but 600 thousand people gone to the trouble of loading the CD-ROM image and the last thing you can run a on VMware Rosanna in universal box of think and the wiki and describes how you do that in most cases it's pretty straightforward isn't a newsgroup the Usenet newsgroup is done Google bought use that and so there's no the group Google group account that our semantics where people can ask questions and community were trying to build that up so the conclusion is that the current operations kind of bloated and unreliable by my definition of never seen a crash and don't know anybody ever seen 1 it's an attempt to build a reliable and secure operating system using different structured kernels for small 15 thousand lines of code thing about 14 thousand plus a and C and the little bit of assembly code the very very bottom we got assembly companies presidency on the operations of runs a bunch of user processes each with the principle of least authority that each driver is a separate process usually operates has limited privileges so you know bit maps and there which say what you can do what you can't do anything only the thing just posted those if you try to do something you can't do with culture error no permission of faulty drivers to replace on the flight were also working on replacing the the stateful components on the fly that's not there yet so the trick here the light updates is possible and works in the lab kind of there's a couple of things with weird corner cases with pointers we haven't quite got working yet but we added the we're working and I hope
it will be in there and we're trying to find out what people actually doing with him over 600 thousand downloads we know they at the door and to download Linux from 93 . org give it a try on the website is it a survey that short survey of like who are you engineer only what are you and why are you doing this with your students you know unit commercial product whenever now could be the licenses required for use in a polyglot that's fine but we we don't know about it like enough to those downloads nor people don't appreciate fill in the full questionnaire 1 last thing will add here and if you have to be a student and you know the bachelor's degree looking from masters at some point and we have a matches in parallel distributed systems find simplest wages gloomy and this obvious from my home page has a link to it is a video about the master's program and the actual name PCs the view that word in public forget that statistical findings on my own but anyway that's the end thank you if