DROPS is the educational operating system of the Dresden University
of Technology, Germany (TU-Dresden). Its name is an acronym for
Dresden Real-Time Operating System, which reveals its strongest
feature, it is real-time capable and it is designed with security in
mind. Its homepage can be found here. Note: This is the 4th entry to our Alternative OS Contest which runs through 14th July!
I study computer science in the sixth semester at the TU-Dresden.
Since about 7 years, I am interested in new concepts of computer
science, especially concerning operating systems. Thus I started using
and developing Linux very early and gained knowledge about its
workings. I also kept an eye on BeOS, the BSD line, Plan 9 and other
operating systems.
In the third semester, we had an introductory course about operating
systems where our professor introduced simple things like access
rights under UNIX and other general concepts, mentioning DROPS as a
side note. Because code and instructions are available on their
homepage, I started doing my little experiments with it. Later on, I
followed the lectures about microkernel construction and about
building operation systems on top of microkernels.
Now I work at the operating systems group developing user-space
applications like my shell (littleshell) and a filesystem adaptor
called proxyfs that exports L4Linux filesystems into l4env. I will say
something about this later on, to give you an understanding how that
works.
Motivation and history
We believe the best way to achieve security is to minimize the code
one has to trust. The keyword is trusted computing base (TCB),
which means that the less code you have to trust, the more secure is
your system. To achieve real-time capabilities, we needed to design a
system that allows for clear division of its parts. That is why we
decided to design a microkernel based operating system.
At that time, there was a big depression concerning microkernels
because implementations like Mach showed very poor performance when
compared to typical monolithic operating systems of that time.
Luckily, Jochen Liedtke was able to find the problems of those first
generation microkernels and designed a platform for new microkernels
by further minimizing kernel functionality. This new design, called
L4, consists of only 7 different syscalls. The main idea behind it is
that everything that can be done in user-space should be done in
user-space. Microkernels following that new idea are called second
generation microkernels.
We adopted this new design and implemented an operating system with
it. That way we are trying to show how great those second generation
microkernels can perform, how secure and well designed the operating
systems on top of a microkernel can be, how one can add real-time
capablities, and how one can use such a basis to create truly secure
systems.
System overview
I’ll try to keep the technical details aside as long as they aren’t
needed for understanding, to make this document readable.
DROPS is built around the L4 microkernel Fiasco that was developed
at our group. Fiasco consists of only 15k lines of code and is fully
preemptable and fast. Fiasco has also been ported to run as a Linux
user-level program, which is very convenient for development because
you don’t have to reboot your system every time, but simply run it as
a plain Linux program.
Because we use a second generation microkernel, every bit except of
the most basic functionality (everything except addresspace magic,
threading, and communication) has to be done in userspace. We call
those basic programs servers, each having its own distinct
address space (task). However, programming on the raw system
while keeping track of all the dependencies is quite difficult, but we
have a good solution which abstracts the system for the
programmer. The solution is called L4env, the L4 development
environment, which makes programming easy.
Of course, DROPS also has means of providing a graphical user
environment. Actually, there are two solutions–one being a console
that abstracts from the raw framebuffer providing one console per
application. The other is DOpE, the Desktop Operating
Environment being a server-side-widget-based realtime-capable
windowing environment.
DOpE is able to guarantee certain refresh rates to clients and
redrawing the remaining widgets whenever there is processing time
left. All the redraw operations are started and done by DOpE, so it is
not of concern for the client application. DOpE can be easily
programmed by using a simple text-based configuration language. It
even provides its own command interpreter for easy prototyping. You
may learn about it here.
Our group ported Linux into our environment as a normal userspace
application. This version of Linux is called L4Linux and it is
binary compatible with plain Linux. With L4Linux you can use all your
legacy applications on top of DROPS. You can even run several
instances of L4Linux side by side on one machine, creating a
virtual-machine-like setup. It is also possible to write
L4Linux-programs, which actually communicate with L4-tasks outside of
L4Linux. You may find further information about L4Linux here.
Apart from L4Linux we also have a technique called the device
driver environment (DDE), which allows us to take Linux
device drivers out of Linux and run them directly on our platform. We
can even run Linux drivers of different Linux versions side by
side. Do you see how that solves the driver problem for our platform?
Work is underway to create a device driver environment for BSD
drivers, enabling us to make use of even more drivers.
But we take even more value out of Linux. We have ported the Linux
TCP/IP stack to run on plain L4, enabling L4 applications to make use
of all the virtues of the Internet.
First experiences
The first one would do is to get the hello world (a simple
hello-world application) from public CVS, compile it, run it
and see that it doesn’t do much more than saying “hello
world”. However, with this little package you can already learn much
about how our system works. You may get it from here.
For easy programming, we have a custom build environment, which can
be configured using graphical menus, just like the Linux kernel
does. It basically keeps track of all the dependencies and does the
build magic for you. All you need is gcc and a recent version of make.
Once you start building more complex environments, you will notice
that it is very difficult to keep track of all the dependencies and to
configure all the system services to get a working setup. Thus the
entry learning curve is high, and it caused me some troubles. However,
the problem is well-known and we are working on solutions.
Programming for DROPS
With L4env, programming for our system looks much like programming
for any major UNIX. Because we have ported dietlibc and
uclibc, there isn’t much a C programmer would miss. However,
once you start using system services directly you will get into
trouble because documentation is sparse and most of the “feel” for the
system is taught in lectures.
So as to port dietlibc, a virtual filesystem backend had to
be developed. Our solution is called L4vfs, which is completely
modular, allowing you to mount different filesystems (called
volumes) into your address space. To make use of the filesystem
of a running L4Linux instance, I wrote a little L4Linux program
(Proxyfs), which acts as a normal volume, is mountable in L4vfs
and translates all the filesystem calls into Linux calls. Using this
technique, we can use all the filesystems of Linux from native L4
programs without big porting efforts.
Proxyfs is also a good example of an L4Linux task, that is
communicating with L4-tasks.
Programming system services is straightforward because all you have
to do is to write the interface in an interface definition language
(IDL) and implement the methods. All the difficult stuff needed
for interprocess communication like marshalling/unmashalling of data
is done by communication-stubs created by our IDL-Compiler
DICE.
As I told you, you can use all your Linux applications with
DROPS. This is the big feature making it usable. At the moment,
DROPS is an educational system.
There are a few programs like a presenter and rt-sensors,
which are used to show some advantages of our system. The main
priority is to show the means of how to develop secure and real-time
capable systems, so the user experience isn’t the main
directive. However, because everything is available in source code on
our homepage, you are free to develop programs for your
purposes. Actually, we are always searching for hackers to help us
;-).
For an introduction to newcomers we have a Demo-CD, which is
bootable and shows some of the great things like the ability to run
several L4Linux instances at the same time and more. You are free to
download it from our website, boot it, and get a glimpse of what can
be achieved with our system. You may get the image from the homepage.
The Demo-CD includes a tutorial browser, which will teach you in
short what the current demo is about. But please have a sharper look
at the browser, notice how the background widget changes when you move
the scrollbar, see how text behind the navigation buttons gets
magnified, see how text behind the navigation bar gets blurred and try
to resize the window to see its layout policy. And now let me tell you
that the whole browser consists of only 3500 lines of code. With all
the infrastructure it uses, the whole system depends on only 60.000
lines of code. Do you see how that compares to the millions of lines
of code of the Linux kernel and those millions of lines of XF86 code?
All in all, you have a trusted computing base of only 60k lines of
code.
A screenshot of nitpicker with X11 and DOpE in action.
The demo includes a setup with nitpicker, our new secure
windowing system, which can be used as a backend to other windowing
systems, which it then merges into one desktop. With this technique it
is possible to have the real-time capable DOpE environment (or several
instances of it) and (for example) X11 side by side. Because
nitpicker has been designed with security in mind, those
windowing systems cannot interfere with each other, and through a magic
key you can always get into an overlay mode, that reveals which window
has the focus and to which windowing system it belongs. There is no
way for the client application to fake this information. You see that
this defeats all attempts to install GUI-based malware like spyware,
keylogger or trojan horses.
L4vfs in action.
To get a better idea about the L4vfs, which I mentioned before, you
may try the L4vfs-setup on the CD. Because all the setups make use of
the tutorial browser, you can easily get much information about it
just by reading and enjoying the great graphics of the browser.
Qt-3 under DOpE.
Another demo included with the CD is our port of Qt-3 (embedded) for
our platform, which allows us to easily port Qt applications. There
even is a Qt-based game on the CD for you to play.
We even ported libsdl and included some SDL-based games on the
CD. Just try it out and have fun.
A look into the future
Of course our system is still evolving at high rates. At the moment
we are working at a new kernel specification, adding high security
features like means to disable denial of service attacks. The new
specification will then be called L4.Sec.
If you would like to help us improve the system, write legacy
applications, learn about our system, you may consult our homepage and subscribe to the l4-hackers mailing list.
Thanks!
- Norman Feske
- Micheal Hohmuth
- Alexander Warg
- Michael Peter
- Thomas Schilling
- … the whole OS-Group for creating this operating system
About the author:
Steffen Liebergeld studies computer science in the sixth semester and
likes to spend his free time in discovering alternative operating
systems and in programming good software. He also helps in free
software projects like wmii. Steffens
homepage can be found here.
If you would like to see your thoughts or experiences with technology published, please consider writing an article for OSNews.
Author nicely presents different fetures of DROPS without going too much into internals/code. He also doesn’t repeat “we’re the best” all the time, and is honest about some problems awaiting for people who will want to hack/code for this system. Article has links to more informations, and even nice screenshots (though i think most of those different GUIs there are far from “good looking” they still show quite a lot
.
All written clearly and understandable – made me want to try demo cd (i’m downloading it while typing this comment).
IMHO best entry in contest so far.
Thanks
— edit —
fixed spelling mistake and some words layout (thanks to OSNews authors for edit option
. hopefully comment is understandable.
Edited 2006-07-13 19:07
Security and reliability have similar goals.
http://www.minix3.org/
Less code in the kernel = better reliability and security.
This article was very well written. The author provided enough details about the operating system environment without being excessively technical. I enjoyed reading about the author’s involvement in the project. Most importantly, the author uses proficient English, making the reading not arduous at all. Each thought was succinct but still descriptive.
But I am a bit confused about one thing. When the author talks about running Linux OVER L4, does he mean the Linux kernel has been adapted to run modules against the L4 microkernel? Or does the author mean linux in the generic overlying tools sense?
Linux itself IS a kernel (not a micro-kernel). I guess I am just wondering if they adapted linux by layering it on top of a microkernel (and why?).
Sorry for being a dolt here.
[edit]
Just went to the L4Linux site… I think I get it now.
Edited 2006-07-14 02:56
…So, are the goals mostly security-related? Is the performance really any better than the standard Linux kernel?
Would this be useful in virtualization?
The performance is slightly worse than plain Linux because of the overhead of more context switches.
In fact, we published a paper about the performance of microkernels, by comparing L4linux on Fiasco, plain Linux and Linux on Mach. The conclusion is that the overhead “can be kept somewhere between 5% and 10% for applications”. You may read the paper here:
http://os.inf.tu-dresden.de/pubs/sosp97/
“Performance of µ-Kernel-based Systems”
Virtualization is possible in the sense that you may run more than one L4Linux instance on top of the L4 microkernel. You should make sure that those instances use distinct drivers for hardware, to avoid collisions;-).
Cool! Thanks!
Hi:
This is a very well written article: It describes the functionality of DROPS, gives a short but clear idea of the microkernels and L4, shows the integration to Linux and mentions the problems that they are still having.
I like a lot the L4 family (Fiasco, Pistachio, etc.) and I think it will be very important in the next years when the monolithic kernels will become harder and harder to maintain.
Excellent article, congratulations Steffen.
Ernesto
I’ll repeat it because it is necessary to repeat: This has been by far the best entry. I remember hearing about DROPS once before but I don’t recall obtaining this much information about it from the article I read. I beleive this article was very well written and very informative without being overly technical and detailed. It was just the right amount of information for a news site like OSNews. Can we get steffen as an editor?
Very educational, a good read (Y)