How big (in terms of lines of code) is TCB of Singularity?

Sep 10, 2009 at 11:24 AM
Edited Sep 10, 2009 at 11:29 AM


I am interested in techniques that are useful for building robust software systems. For good reasons it makes sense to make kernel-space experiments where it is possible to demonstrate the power of particular approach. Each approach has its own advantages and disadvantages. I am trying to evaluate the impact of usage of object-capability programming languages that allow us to use object-capability security model over untrusted in-kernel subsystems. Here is:

a small demo

What is interesting is how does particular approach impact the size of trusted computing base (TCB) and reliance relationship (which subsystem depends upon correct behavior of which other subsystem) for my kernel, but this alone is not interesting unless it is compared with other techniques (I reject blind belief).

Your document states "Galen C. Hunt, James R. Larus, David Tardity, Ted Wobber: Broad New OS Research" states that TCB of singularity is composed from the following subsystems:

  • processors and other hardware (like in most (all) other operating systems)
  • hardware abstraction layer (HAL) with essential assembly & C++ code
  • memory manager
  • metadata manager
  • loader
  • scheduler
  • channel manager
  • I/O manager
  • security manager
  • MSIL code translators

I have made some (fairly brutal) assessment of the size of this code in terms of lines of code. I simply counted lines in all

  • assembly files
  • C++ header files
  • C++ source files
  • C# source files
  • Sing# source files

In these two directories:

  • base/boot
  • base/Kernel

I know that I have omitted compiler (which also belongs to TCB but can be perhaps discussed separately because; it depends on how one defines TCB). There might be some code (various alternative subsystems providing the same basic functionality) so the line count may be higher than it should be. It may also be the case that I have disregarded implementation of TCB components located elsewhere in the source code tree. Can this number be refined and perhaps endorsed by people with a deep knowledge of Singularity internals that I can cite in my comparison I am currently trying to write?

Do you also have visualization of reliance relationship that captures client-server (and other) relationships among operating system subsystems (those inside as well as outside TCB) ?

Thanks in advance for the help,

Matej Kosik,