Column: Bernd Schöne – Small is Big

Operating systems get more and more complex and, as a result, more vulnerable to malicious attacks. This is not good news for IoT. The best-known operating systems are the ones used to run our computers and smartphones, like Windows, Linux, Apple’s iOS, or Android but, of course, there are many more. Wikipedia lists almost 60 proprietary OSs and half a dozen non-proprietary ones, as well as disc operating systems (DOS), network operating systems, and a large assortment of embedded ones for everything from digital media players to mobile phones and routers. Most of these systems, accumulated over decades, are still with us somewhere. Each has its own set of capabilities – and vulnerabilities: backdoors through which intruders enter. Witness the recent Super-DDoS attack involving thousands of hacked digital cameras and household appliances. Developers of modern operating systems are well aware of their own shortcomings.

Bernd Schöne is a veteran German Internet journalist and an expert on cybersecurity.

Windows with its 40+ million lines of code is reckoned to have between two and five errors per 1,000 lines, of which up to a quarter can be serious. Complexity is the mother of vulnerability, especially in operating systems. This has led to a kind of countermovement in OS development, predicated on the idea that future operating systems should be smaller and leaner than today to allow us to build a stable and trustworthy Internet of Things.
The latest trend, therefore, is toward tiny systems with a mathematically attestable level of security; in other words, microkernels. Things kicked off in Germany during the mid-80s, where a small, dedicated group of developers adopted the slogan ‘smaller is better’. Over the years, they have shown not only that the concept works, but that it can actually make systems safer. There are believed to be more than a billion devices using microkernels in the world today – quite a success story, albeit a quiet one.
What are microkernels? They are tiny, but perfectly designed, operating systems that have complete control over everything that occurs in the system. They are usually loaded into a protected area of memory, which prevents them from being overwritten by other, less-frequently used parts of the operating system or by applications. The kernel performs its tasks, such as executing processes and handling interrupts, in kernel space; everything a user does normally, such as writing text or running programs in a GUI (graphical user interface), happens in user space. In a microkernel, all non-essential functions are handed over to other parts of the system. A typical microkernel comprises a piddling 10,000 to 20,000 lines of code, so every single line can be checked and rechecked to eliminate even the tiniest coding mistake.
Jochen Liedtke, a German programmer, is considered by many to be the father of the microkernel. As a young high-school student he began playing around with ever-shorter operating systems, which he gave names like L2, L3 and, finally, L4. By the time of his too-early death in 2001 at age 48, he had managed to gather an enthusiastic following dedicated, as he was, to creating new variants of what had by then become a whole family of L4s. “Actually, a microkernel doesn’t do functions”, explains Professor Gernot Heiser, a German computer scientist currently working at the University of New South Wales in Australia.
Thanks to its splendid isolation and strictly-monitored communications, it merely provides a link between other, equally-isolated elements.
The reason most of us have never heard of microkernels is that they are mainly used in top-secret military installations. But every owner of an Apple iPhone actually uses one every day. Since 2013, any device powered by iOS has an L4 microkernel that protects the so-called Secure Enclave Processor, which handles encryption. The semiconductor manufacturer Qualcomm uses an identical kernel in its modem chips.
Development of the L4 has been proceeding by leaps and bounds, and the US military now uses what it calls the seL4, an ultra-secure version, for many of its most sophisticated spying devices. The kernel differs from others in one essential respect: the software used in its construction has to be verified by mathematicians to be 100% error-free. This is costly and takes time, so it only makes sense in extremely lean operating systems.
What does that mean for IoT? Will we find microkernels at the heart of future developments, for instance in sensors? Christian Helmuth, CEO of Genode Labs in Dresden, Eastern Germany, is skeptical. “It probably won’t become universal,” he believes. “The architecture is too complex, and energy consumption is too high. In addition, the kernel, which is under public license, needs to be adapted to each individual use-case. In an age of mass sensors, that is simply too expensive, but for large, sophisticated IoT implementations, requiring greater security, they can be a viable alternative.”
Increasing pressure from regulators could mean that microkernels will soon be cropping up all over the place. Compliance issues are expected to be a major driver in future IoT developments, making it important for providers and owners to prove due diligence. Being able to show you have taken every possible measure to avoid unforeseen consequences could mean avoiding hefty legal penalties.