[eros-arch] The end of the "EROS at Penn" era
Jonathan S. Shapiro
eros-arch@mail.eros-os.org
Sat, 11 May 2002 21:43:45 -0400
Today I shut down eros.cis.upenn.edu, which has served as the mail
exchanger for the eros-os.org domain since 1994. Eros.cis was the last
EROS project machine at Penn. The machine has finally failed, and has
been replaced by a new mail server at Hopkins.
The work on EROS continues, but as we turn off the last piece of
equipment at the University of Pennsylvania I'm prompted to think about
all that has happened over the last 8 years. At the risk of immodesty, I
want to remind some of the people on the eros-arch list what we have
accomplished so far, and perhaps give some of the newer people on these
various lists a view of the history of the EROS project.
In 1994, the prevailing wisdom was that microkernels were a dead idea.
Brian Bershad's paper (The Impact of Operating System Structure on
Memory System Performance) had been published the year before, and
Jochen Liedtke's key papers on microkernel IPC performance would not be
published until late 1995. The first significant EROS paper, which
showed that you could achieve Jochen's performance levels without giving
up protection, would follow in 1996. At the 1996 IWOOOS workshop, Jochen
and I gave papers whose performance figures were cycle for cycle
identical (with no prior communication, as it turned out). Together,
these papers showed how to reduce the cost of IPC operations by two, and
sometimes three, decimal orders of magnitude. Today, microkernels seem
to be enjoying something of a renaissance.
In 1994, it was universally believed that capability systems could not
enforce the confinement policy. Boebert '84 (On the Inability of an
Unmodified Capability Machine to Enforce the *-property) and Karger '84
(Improving Security and Performance for Capability Systems) had both
argued that this was impossible. An earlier paper by Harrison, Ruzzo,
and Ullman (1976: Protection in Operating Systems) had shown that
achieving decidable safety in protection systems is distressingly
difficult. Sam Weber and I formally verified the EROS Constructor
mechanism (closely derived from the KeyKOS factory mechanism) in 1997.
It would take us nearly three years to get this result published at the
IEEE Symposium on Security and Privacy in 2000.
In 1994, no formal access model existed that could account for the
secure behavior of user-level memory managers. An EROS-based revision of
Matt Bishop's take-grant model provided such an account in 1999.
In 1994, it was widely believed that an efficient capability system
required hardware support. Needless to say, nobody thinks that anymore.
In 1994, people believed that meaningfully secure operating systems were
impossible. Just this week, Mark Miller gave a talk at the Naval
Postgraduate School in Monterey where one of the strongest and brightest
groups of multilevel security experts is now going to re-examine
capability ideas and how they might be fused into more dynamic MLS
designs.
Today (as I write, in fact), we are preparing to start the first serious
commercial effort around the EROS system.
Over the years since its installation, eros.cis (the machine) processed
24,905 messages on the EROS-related lists and the E language lists.
Participants in the discussions have included people like Paul Karger,
Bryan Ford, Jochen Liedtke, Jonathan Smith, Jay Lepreau, all of the
KeyKOS team, Ben Laurie, Alan Cox, Eric S. Raymond, Dave Farber, and
many others. It has, over the years, attracted the attention at one
point or another of almost every currently practicing operating systems
researcher. The E programming language list, for its part, has included
involvement from some of the most brilliant programming language
designers of the last 30 years.
The EROS and E lists have also been (and continue to be) a source of
knowledge and education for many new practitioners. A few are now
entering Ph.D. programs in several places (one at Hopkins), or building
on the work we have done in a variety of ways. Others have looked at the
work we have done and decided to go their own ways, often with their
visions dramatically changed.
So: as we start into the next decade of work on this project, with
security becoming an ever more serious concern in computing systems, I'm
looking forward to your help in bringing this technology to completion
and getting it into the field where it can be used. As we do that, I
want to give particular acknowledgement to five people without whom the
EROS project would be impossible:
    Norm Hardy, Charlie Landau, and Bill Frantz of the KeyKOS team
    Jonathan Smith and David Farber of the University of Pennsylvania
I also want to take a moment to thank all of you who have participated
and continue to participate. Stick around, there are many more "firsts"
to come!
Regards,
Jonathan S. Shapiro
Assistant Professor, Department of Computer Science
Johns Hopkins University