Design of the SPEEDOS operating system kernel

(Eine inhaltsgleiche, deutsche Fassung dieser Übersicht ist ab Seite 243 zu finden.) The design of current operating systems and their kernels shows deficiencies in respect to the structuring approach and the flexibility of their protection systems. The operating systems and applications suffer under this lack of extensibility and flexibility. The protection model implemented in many operating systems is not powerful enough to represent arbitrary protection conditions on a more fine-grained granularity than giving read and/or write access to an entire object. Additionally current operating systems are not capable of controlling the flow of information between software units effectively. Confinement conditions cannot be expressed explicitly and thus confinement problems can only be solved indirectly. Further complications with the protection system and especially the software structure in modern operating systems based on the microkernel approach are caused by the use of the out-of-process model. It is extremely difficult to specify access rights appropriately, because the client/server paradigm does not easily allow a relationship to be established between the role of the client and the permissions of the server. Focusing on client/server structures favours a single, central server implementation. Specifying a software design and communication model for applications at the operating system level impairs their structure. In reaction to this observation, SPEEDOS follows the in-process model. Processes are the abstraction of activity and are orthogonal to the information-hiding objects. This model is part of the design of many object-oriented programming languages and a few operating systems. The method call does not switch processes, it transfers execution to another object in a controlled fashion. This model is almost equivalent to the out-of-process model, but the in-process model provides advantages, because the process identifier correlates to a subject. However this only helps with protection, but does not magically improve the protection system. The two major deficiencies identified and addressed in this thesis are the versatility of access right specification and the structuring of the operating system in conjunction with the applications. The SPEEDOS design places the emphasis on balancing the duties and powers of the kernel and the applications, in order to obtain a flexible and extensible overall system. SPEEDOS supports freely programmable protection checks for individual method invocations. These checks are implemented with bracket methods, which intercept other method invocations. The concept was invented in the context of componentoriented programming languages, which are meant to improve the software structure beyond the state of the art in object-oriented programming languages. In the