DROPS is the educational operating system of the Dresden University
of Technology, Germany (TU-Dresden). Its name is an acronym for
Dresden Real-Time Operating System, which reveals its strongest
feature, it is real-time capable and it is designed with security in
mind. Its homepage can be found here. Note: This is the 4th entry to our Alternative OS Contest which runs through 14th July!
I study computer science in the sixth semester at the TU-Dresden.
Since about 7 years, I am interested in new concepts of computer
science, especially concerning operating systems. Thus I started using
and developing Linux very early and gained knowledge about its
workings. I also kept an eye on BeOS, the BSD line, Plan 9 and other
In the third semester, we had an introductory course about operating
systems where our professor introduced simple things like access
rights under UNIX and other general concepts, mentioning DROPS as a
side note. Because code and instructions are available on their
homepage, I started doing my little experiments with it. Later on, I
followed the lectures about microkernel construction and about
building operation systems on top of microkernels.
Now I work at the operating systems group developing user-space
applications like my shell (littleshell) and a filesystem adaptor
called proxyfs that exports L4Linux filesystems into l4env. I will say
something about this later on, to give you an understanding how that
Motivation and history
We believe the best way to achieve security is to minimize the code
one has to trust. The keyword is trusted computing base (TCB),
which means that the less code you have to trust, the more secure is
your system. To achieve real-time capabilities, we needed to design a
system that allows for clear division of its parts. That is why we
decided to design a microkernel based operating system.
At that time, there was a big depression concerning microkernels
because implementations like Mach showed very poor performance when
compared to typical monolithic operating systems of that time.
Luckily, Jochen Liedtke was able to find the problems of those first
generation microkernels and designed a platform for new microkernels
by further minimizing kernel functionality. This new design, called
L4, consists of only 7 different syscalls. The main idea behind it is
that everything that can be done in user-space should be done in
user-space. Microkernels following that new idea are called second
We adopted this new design and implemented an operating system with
it. That way we are trying to show how great those second generation
microkernels can perform, how secure and well designed the operating
systems on top of a microkernel can be, how one can add real-time
capablities, and how one can use such a basis to create truly secure
I’ll try to keep the technical details aside as long as they aren’t
needed for understanding, to make this document readable.
DROPS is built around the L4 microkernel Fiasco that was developed
at our group. Fiasco consists of only 15k lines of code and is fully
preemptable and fast. Fiasco has also been ported to run as a Linux
user-level program, which is very convenient for development because
you don’t have to reboot your system every time, but simply run it as
a plain Linux program.
Because we use a second generation microkernel, every bit except of
the most basic functionality (everything except addresspace magic,
threading, and communication) has to be done in userspace. We call
those basic programs servers, each having its own distinct
address space (task). However, programming on the raw system
while keeping track of all the dependencies is quite difficult, but we
have a good solution which abstracts the system for the
programmer. The solution is called L4env, the L4 development
environment, which makes programming easy.
Of course, DROPS also has means of providing a graphical user
environment. Actually, there are two solutions–one being a console
that abstracts from the raw framebuffer providing one console per
application. The other is DOpE, the Desktop Operating
Environment being a server-side-widget-based realtime-capable
DOpE is able to guarantee certain refresh rates to clients and
redrawing the remaining widgets whenever there is processing time
left. All the redraw operations are started and done by DOpE, so it is
not of concern for the client application. DOpE can be easily
programmed by using a simple text-based configuration language. It
even provides its own command interpreter for easy prototyping. You
may learn about it here.
Our group ported Linux into our environment as a normal userspace
application. This version of Linux is called L4Linux and it is
binary compatible with plain Linux. With L4Linux you can use all your
legacy applications on top of DROPS. You can even run several
instances of L4Linux side by side on one machine, creating a
virtual-machine-like setup. It is also possible to write
L4Linux-programs, which actually communicate with L4-tasks outside of
L4Linux. You may find further information about L4Linux here.
Apart from L4Linux we also have a technique called the device
driver environment (DDE), which allows us to take Linux
device drivers out of Linux and run them directly on our platform. We
can even run Linux drivers of different Linux versions side by
side. Do you see how that solves the driver problem for our platform?
Work is underway to create a device driver environment for BSD
drivers, enabling us to make use of even more drivers.
But we take even more value out of Linux. We have ported the Linux
TCP/IP stack to run on plain L4, enabling L4 applications to make use
of all the virtues of the Internet.
The first one would do is to get the hello world (a simple
hello-world application) from public CVS, compile it, run it
and see that it doesn’t do much more than saying “hello
world”. However, with this little package you can already learn much
about how our system works. You may get it from here.
For easy programming, we have a custom build environment, which can
be configured using graphical menus, just like the Linux kernel
does. It basically keeps track of all the dependencies and does the
build magic for you. All you need is
gcc and a recent version of
Once you start building more complex environments, you will notice
that it is very difficult to keep track of all the dependencies and to
configure all the system services to get a working setup. Thus the
entry learning curve is high, and it caused me some troubles. However,
the problem is well-known and we are working on solutions.
Programming for DROPS
With L4env, programming for our system looks much like programming
for any major UNIX. Because we have ported
uclibc, there isn’t much a C programmer would miss. However,
once you start using system services directly you will get into
trouble because documentation is sparse and most of the “feel” for the
system is taught in lectures.
So as to port
dietlibc, a virtual filesystem backend had to
be developed. Our solution is called L4vfs, which is completely
modular, allowing you to mount different filesystems (called
volumes) into your address space. To make use of the filesystem
of a running L4Linux instance, I wrote a little L4Linux program
(Proxyfs), which acts as a normal volume, is mountable in L4vfs
and translates all the filesystem calls into Linux calls. Using this
technique, we can use all the filesystems of Linux from native L4
programs without big porting efforts.
Proxyfs is also a good example of an L4Linux task, that is
communicating with L4-tasks.
Programming system services is straightforward because all you have
to do is to write the interface in an interface definition language
(IDL) and implement the methods. All the difficult stuff needed
for interprocess communication like marshalling/unmashalling of data
is done by communication-stubs created by our IDL-Compiler
As I told you, you can use all your Linux applications with
DROPS. This is the big feature making it usable. At the moment,
DROPS is an educational system.
There are a few programs like a presenter and
which are used to show some advantages of our system. The main
priority is to show the means of how to develop secure and real-time
capable systems, so the user experience isn’t the main
directive. However, because everything is available in source code on
our homepage, you are free to develop programs for your
purposes. Actually, we are always searching for hackers to help us
For an introduction to newcomers we have a Demo-CD, which is
bootable and shows some of the great things like the ability to run
several L4Linux instances at the same time and more. You are free to
download it from our website, boot it, and get a glimpse of what can
be achieved with our system. You may get the image from the homepage.
The Demo-CD includes a tutorial browser, which will teach you in
short what the current demo is about. But please have a sharper look
at the browser, notice how the background widget changes when you move
the scrollbar, see how text behind the navigation buttons gets
magnified, see how text behind the navigation bar gets blurred and try
to resize the window to see its layout policy. And now let me tell you
that the whole browser consists of only 3500 lines of code. With all
the infrastructure it uses, the whole system depends on only 60.000
lines of code. Do you see how that compares to the millions of lines
of code of the Linux kernel and those millions of lines of XF86 code?
All in all, you have a trusted computing base of only 60k lines of
The demo includes a setup with
nitpicker, our new secure
windowing system, which can be used as a backend to other windowing
systems, which it then merges into one desktop. With this technique it
is possible to have the real-time capable DOpE environment (or several
instances of it) and (for example) X11 side by side. Because
nitpicker has been designed with security in mind, those
windowing systems cannot interfere with each other, and through a magic
key you can always get into an overlay mode, that reveals which window
has the focus and to which windowing system it belongs. There is no
way for the client application to fake this information. You see that
this defeats all attempts to install GUI-based malware like spyware,
keylogger or trojan horses.
To get a better idea about the L4vfs, which I mentioned before, you
may try the L4vfs-setup on the CD. Because all the setups make use of
the tutorial browser, you can easily get much information about it
just by reading and enjoying the great graphics of the browser.
Another demo included with the CD is our port of Qt-3 (embedded) for
our platform, which allows us to easily port Qt applications. There
even is a Qt-based game on the CD for you to play.
We even ported
libsdl and included some SDL-based games on the
CD. Just try it out and have fun.
A look into the future
Of course our system is still evolving at high rates. At the moment
we are working at a new kernel specification, adding high security
features like means to disable denial of service attacks. The new
specification will then be called L4.Sec.
- Norman Feske
- Micheal Hohmuth
- Alexander Warg
- Michael Peter
- Thomas Schilling
- … the whole OS-Group for creating this operating system
About the author:
Steffen Liebergeld studies computer science in the sixth semester and
likes to spend his free time in discovering alternative operating
systems and in programming good software. He also helps in free
software projects like wmii. Steffens
homepage can be found here.
If you would like to see your thoughts or experiences with technology published, please consider writing an article for OSNews.