Minix 3 and the microkernel experience
Minix Firewall Project
Packet filters are an endangered system component. Despite the excellent quality of the Linux Netfilter implementation, a number of security issues have surfaced in the past. If a subsystem of this kind is running on the Linux kernel, it will endanger system security. Building on work by the Tanenbaum group, the Technical University of Applied Science Berlin ported the widespread Netfilter framework to Minix 3 .
Here again, the stability of the microkernel architecture delivers additional benefits. In Linux, an attacker who succeeds in provoking a crash – for example, by exploiting a buffer overflow in the do_replace() function – can bring a Linux firewall to its knees. In Minix 3, a single user process could crash without compromising system security. The reincarnation server would simply restart the process.
The differences become even more apparent if an attacker succeeds in executing code. In Minix, a hijacked user process is still a problem, but the effect is far less serious thanks to isolation.
Even Microsoft is exploring their own microkernel system, named Singularity . Although Minix has played the microkernel game for many years now, its biggest obstacle to becoming more widespread has always been its non-free license. Now that Minix 3 is released under the BSD open source license and the firewall extensions are available under the GPL . Researchers at the TFH Berlin are also working on exploring Minix's potential as a virtualized firewall. Stability, a small footprint, and a new licensing model give Minix 3 a strong potential for growth, especially in embedded systems.
- Tanenbaum, Andrew S., "Some Notes on the 'Who wrote Linux' Kerfuffle, Release 1.5," 2004, http://www.cs.vu.nl/~ast/brown/
- Minix Project: http://www.minix3.org
- Torvalds, Linus, and David Diamond. Just for Fun. HarperBusiness, 2001
- Tanenbaum, Andrew S., and Albert S. Woodhull. The Minix Book: Operating System Design and Implementation. Prentice-Hall, 2006
- Weis, Rüdiger, "Linux is obsolete 2.0," presented at Chaos Communication Camp 2007, http://public.tfh-berlin.de/~rweis/vorlesungen/ComputerSicherheit/WeisLinuxIsObsolete2.pdf
- Microsoft Singularity: http://www.codeplex.com/singularity
- Minixwall: http://wiki.tfh-berlin.de/~minixwall
Buy this article as PDF
Mozilla’s script blocker add-on could be putting malware sites on the whitelist.
The Internet community officially banishes the notoriously unsafe Secure Sockets Layer protocol.
Popular desktop environment continues the Gnome 2 legacy – with new support for the Gnome 3 toolkit.
The Obama White House has issued a memorandum telling all US government agencies they must use HTTPS for all websites and web communication.
New program will dial up security for the Firefox browser.
Red Hat's community distro embraces the cloud.
New partnership will bring more and better CS training to US schools
Criminals offer online help over Tor network
Sophisticated malware is still present on Joomla and WordPress sites around the world.
Future versions of Ubuntu's code service will support the popular Git version control system used with Linux and other open source projects.