Can We Make Operating Systems Reliable and Secure?

                    Andrew S. Tanenbaum, Jorrit N. Herder, and Herbert Bos

                    Vrije Universiteit, Amsterdam

Microkernels—long discarded as unacceptable because of their lower performance
compared with monolithic kernels—might be making a comeback in operating systems
due to their potentially higher reliability,which many researchers now regard as more
important than performance.

  When was the last time your TV set crashed
or implored you to download some emergency
software update from the Web? After
all, unless it is an ancient set, it is just a computer
with a CPU, a big monitor, some analog
electronics for decoding radio signals, a couple of
peculiar I/O devices—a remote control, a built-in VCR
or DVD drive—and a boatload of software in ROM.
This rhetorical question points out a nasty little secret
that we in the computer industry do not like to discuss:
Why are TV sets, DVD recorders, MP3 players, cell
phones, and other software-laden electronic devices reliable
and secure but computers are not? Of course there
are many “reasons”—computers are flexible, users can
change the software, the IT industry is immature, and
so on—but as we move to an era in which the vast
majority of computer users are nontechnical people,
increasingly these seem like lame excuses to them.
What consumers expect from a computer is what they
expect from a TV set: You buy it, you plug it in, and it
works perfectly for the next 10 years. As IT professionals,
we need to take up this challenge and make computers
as reliable and secure as TV sets.
The worst offender when it comes to reliability and
security is the operating system. Although application
programs contain many flaws, if the operating system
were bug free, bugs in application programs could do
only limited damage, so we will focus here on operating
systems.

   However, before getting into the details, a few words
about the relationship between reliability and security
are in order. Problems with each of these domains often
have the same root cause: bugs in the software. A buffer
overrun error can cause a system crash (reliability problem),
but it can also allow a cleverly written virus or
worm to take over the computer (security problem).
Although we focus primarily on reliability, improving
reliability can also improve security.
WHY ARE SYSTEMS UNRELIABLE?
Current operating systems have two characteristics
that make them unreliable and insecure: They are huge
and they have very poor fault isolation. The Linux kernel
has more than 2.5 million lines of code; the Windows
XP kernel is more than twice as large.
One study of software reliability showed that code
contains between six and 16 bugs per 1,000 lines of executable
code,1 while another study put the fault density
at two to 75 bugs per 1,000 lines of executable code,2
depending on module size

.................................

全文可以直接下载附件。。。。。。。。。。。。。。。