Microkernel vs. monolithic? Duqu, a Stuxnet-like worm, proves the monolithic operating system is dangerous.
Over the years, designers of operating systems have argued the merits of the two major approaches: microkernel and monolith. Microkernels keep a small trusted computing base (TCB) and push OS services (networking, file systems) out into user-mode applications. Monolithic kernels run nearly everything in kernel mode. The most famous public argument ran for a period of years starting in 1992, between Linus Torvalds and Andrew Tanenbaum, an OS professor and researcher. I admit the debate was less clear two decades ago, when hardware performance limits promoted the kitchen-sink approach. If someone were launching a new OS design today, it would be ludicrous not to use a microkernel.
Linus eventually gave an inch (“True, linux is monolithic, and I agree that microkernels are nicer. From a theoretical (and aesthetical) standpoint Linux loses”), but he has continued to assert that monoliths are required to achieve adequate performance. He’s simply wrong. Continuing to claim that monolithic design is superior is like the Church of the 1630s hanging on to the Aristotelian cosmos, condemning Galileo for heliocentrism.
By now you’ve probably heard of Duqu, a Stuxnet-like worm enabled by a Windows flaw in…font parsing! From the Microsoft advisory: “An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. We are aware of targeted attacks that try to use the reported vulnerability.” The National Vulnerability Database has dubbed this CVE-2011-3402, assigning a severity rating of 9.3 (high).
As reported on Slashdot: “Many file formats like HTML, Office, and PDF support embedded fonts, and in NT4 and later fonts are parsed in kernel mode!”
You heard that right. A massive body of font-parsing code runs in kernel mode, so a single flaw in it hands an attacker the whole machine. The Duqu attack is a direct result of Windows’ monolithic design.
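The difference between the two designs is easiest to see with a parser that actually fails. The following added example (my own illustration, not code from the post, from Windows, or from any Green Hills product) parses a constructed toy "font" blob, a made-up format of a table count followed by tagged, length-prefixed tables. The parser treats any inconsistency as an unrecoverable fault and calls abort(): inside a kernel-mode parser, that moment is a system crash. `parse_isolated` runs the same parser the microkernel way, in a separate disposable process, so the parent observes the fault as a dead worker and keeps running. The blob layout, the function names and the sample data are all assumptions made for this example.

```c
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/*
 * Constructed toy font format (not a real font): a 2-byte big-endian table
 * count, then for each table a 4-byte tag, a 2-byte big-endian payload
 * length, and the payload bytes.
 */
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse the blob and return the number of tables it contains. Any length
 * field that would run past the end of the buffer is treated as an
 * unrecoverable fault: the parser calls abort(). In a kernel-mode parser
 * this is the point where the whole machine goes down. */
unsigned parse_tables(const uint8_t *buf, size_t len)
{
    if (len < 2) abort();
    unsigned count = be16(buf);
    size_t pos = 2;
    for (unsigned i = 0; i < count; i++) {
        if (pos + 6 > len) abort();          /* tag + length field would overrun */
        uint16_t plen = be16(buf + pos + 4);
        pos += 6;
        if (plen > len - pos) abort();       /* payload would overrun */
        pos += plen;
    }
    return count;
}

/* Run the parser in a separate, disposable process, the way a microkernel
 * runs its services in user mode. Returns 0 and stores the table count on
 * success. Returns -1 if the worker died; *signal_out then holds the fatal
 * signal number (0 if the worker exited without a signal). */
int parse_isolated(const uint8_t *buf, size_t len, unsigned *tables_out, int *signal_out)
{
    int fds[2];
    *signal_out = 0;
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* Child: the only place the untrusted bytes are ever parsed. */
        close(fds[0]);
        unsigned n = parse_tables(buf, len);
        if (write(fds[1], &n, sizeof n) != (ssize_t)sizeof n) _exit(1);
        _exit(0);
    }
    close(fds[1]);
    unsigned n = 0;
    ssize_t got = read(fds[0], &n, sizeof n);   /* EOF if the child died early */
    close(fds[0]);
    int status = 0;
    waitpid(pid, &status, 0);
    if (WIFSIGNALED(status)) { *signal_out = WTERMSIG(status); return -1; }
    if (got != (ssize_t)sizeof n || !WIFEXITED(status) || WEXITSTATUS(status) != 0) return -1;
    *tables_out = n;
    return 0;
}

/* Constructed sample blobs. GOOD_FONT has two consistent tables; BAD_FONT
 * claims a 65535-byte payload but carries a single byte. */
static const uint8_t GOOD_FONT[] = { 0x00, 0x02,
                                     'c', 'm', 'a', 'p', 0x00, 0x02, 0xAA, 0xBB,
                                     'g', 'l', 'y', 'f', 0x00, 0x01, 0xCC };
static const uint8_t BAD_FONT[]  = { 0x00, 0x01,
                                     'g', 'l', 'y', 'f', 0xFF, 0xFF, 0x01 };

/* Table count of GOOD_FONT when parsed in isolation, or -1 on failure. */
int good_font_tables(void)
{
    unsigned n = 0; int sig = 0;
    return parse_isolated(GOOD_FONT, sizeof GOOD_FONT, &n, &sig) == 0 ? (int)n : -1;
}

/* Fatal signal the isolated worker dies with on BAD_FONT (SIGABRT expected),
 * or -1 if the parse unexpectedly succeeded. */
int bad_font_signal(void)
{
    unsigned n = 0; int sig = 0;
    return parse_isolated(BAD_FONT, sizeof BAD_FONT, &n, &sig) == 0 ? -1 : sig;
}

int main(void)
{
    printf("good blob: %d tables\n", good_font_tables());
    printf("bad blob: worker killed by signal %d, host still running\n", bad_font_signal());
    return 0;
}
```

Process separation is only the first step a real system takes; a user-mode font service would additionally drop privileges and be confined by a sandbox or the microkernel's capability system, so that a compromised worker cannot reach anything beyond its own pipe. The point the example makes is the structural one: the abort that kills the worker here is the same fault that, in kernel mode, ends the session for every user on the machine.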
This ignominy will surely engender a design change, right? Wrong. We are hopelessly dependent on monolithic operating systems (Linux, Windows, OS X). There is simply too much legacy, and it is growing, rapidly, every day, driven by the inexorable digitization of our world. Monolithic design in no way precludes awesome bells and whistles.
As passionate as I am about this microkernel vs. monolithic polemic, I also predict the debate will subside over time and become mostly irrelevant. Modern hardware features, some of the same ones that have made microkernels practical (system virtualization support, application-specific accelerators, and multicore), also make it easy to run monoliths and microkernels on the same system at the same time. So we need not debate which design is better; we must be smart enough to use each one for its relative advantages. I talk about this dichotomy in some of my other blog posts…
Dave Kleidermacher is CTO of Green Hills Software. He writes about security issues, sharing his insights on techniques to improve the security of software for highly critical embedded systems.