Interview with Genode co-founder Norman Feske
The following interview appeared in issue 36 of the Brazilian Espírito Livre Magazine (Portuguese language) in June 2012.
One of the creators of Project Genode speaks exclusively to Espírito Livre Magazine. Learn more about this fascinating framework for special operating systems.
By Marlon John Ferrari and Fernando Costa Junior
What was the incentive behind the creation of a special-purpose operating systems framework?
Genode has its roots in academic research in the domain of systems security. Prior to having started Genode, we experimented with a lot of different OS technologies and came to the conclusion that the key to overcoming the ever more concerning security and privacy threats of today lies in component-based, and in particular microkernel-based, operating systems. Unfortunately, we found the microkernel universe to be extremely fragmented. There existed plenty of different kernels with different strengths and weaknesses and each kernel was accompanied by its own minimalistic user land. There was no common ground to base OS development on. As a result, none of those OS projects has gained enough momentum to enter main-stream computing.
We developed an architectural vision of what a secure and scalable component-based OS should look like. But we also wanted to profit from the diverse landscape of available kernels and Open-Source technologies. So the idea was born to bring the term "component-based" to the next level: To create not an OS but an OS framework. In line with Unix philosophy, this framework is a collection of small building blocks, out of which complex systems can be composed. But unlike Unix, those building blocks include not only applications but all classical OS functionalities including kernels, device drivers, and protocol stacks.
Genode is based on a novel architecture. Were there any criteria by which this architecture stood out from the others?
In contrast to today's commodity OS architectures, Genode takes the principle of the separation of duties to the extreme. Each OS functionality is encapsulated in an isolated component that is embedded within a rigid organizational structure and interacts with other components in a well-defined manner. Because of this structure, security-critical functions can be protected from large and untrusted application software running on the same machine.
Let me give you an example: Assume you receive an email with a PDF file as attachment and you decide to forward a digitally-signed copy of this email to another person. Before hitting the forward button, you open the PDF. By doing so on a current-generation OS, you are accepting the risk that the PDF file may exploit a bug in the PDF viewer and thereby compromise your computer. If this is the case, all the private data stored in the user's account is exposed to the attacker. Now, the next time your private crypto key is used to sign or encrypt an email, this key may leak, which is disastrous.
In fact, when using a current main-stream OS, such credentials and the integrity of all user data rely on the correctness of millions of lines of code. This assumption does of course not hold, and thus, client-side exploits such as this one remain predominant attack vectors used to compromise computers to form botnets, break into corporate networks, or steal identities.
Genode's architecture improves the situation in two ways. First, because the PDF viewer runs as an isolated component, it cannot interact with the whole system but only with those parts that are needed to display the PDF file. In particular, it cannot access the file system. If compromised, all the bugged program can do is display wrong information but it cannot compromise any files permanently stored on the system. And second, by storing the cryptographic keys next to the cryptography code inside an isolated component, those credentials never leave this protected component. This way, the critical information is exposed to less than 50,000 rather than millions of lines of code.
Of course, this is just an example but there is a general pattern. On classical OSes, developers and system integrators have to spend extra effort to make programs more secure, e.g., Google implements sandboxing into the Chrome web browser. On Genode, it is quite the opposite. Each program is sandboxed by default. The developers and system integrators have to take a conscious decision to define the interaction with the rest of the system.
Was there any trouble during the creation of the project?
Because for most computer users Genode does not solve any tangible need, our project received very little attention outside the circles of the microkernel community since its first release as an Open-Source project in 2008. Without Genode Labs backing the project, it would possibly not exist as a personal project or as community activity.
Given the support of this company, however, we haven't had any major trouble with bringing the project forward. But there are things that are concerning or even frightening us. I'm speaking of software patents. Being an Open-Source project developing a new technology, we are aware that someone or some company may patent our ideas and there is not much we can do against this. I fear software patents as a cancerous threat to projects such as ours.
What is the essential difference between modifying an open-source general-purpose OS, like Linux, and using the Genode project?
Let me use an analogy: Linux is to Genode what Transformers are to Lego. A Transformer as a toy is extremely versatile. You can change its shape to incredibly large varieties and it looks cool. At the same time, with all those hinges and special elements, it tends to be quite complex. So if a hinge breaks, the toy becomes useless. Also, you can change the function of the toy only within a certain degree of freedom as intended by the designer.
Genode, on the other hand, is more like a bunch of Lego bricks. When looking just at the bricks, it's hard to get excited about them. But when realizing how cleverly they can be combined to form entirely new toys, the possibilities are without bounds.
That said, there is no either-or decision between Genode and existing Open-Source operating systems. Genode is not self-sustaining but it massively profits from the Free-Software and Open-Source community. For example, we use the USB stack, sound drivers, and GPU drivers of the Linux kernel but execute them as individual components. The same applies for many other components that we integrated such as the lwIP TCP/IP stack, the Qt4 framework, Freetype, Python, ncurses and many more.
How is Genode's community organized? Is there a hierarchy or a benevolent dictator that controls the changes?
The community is still rather small. The mainline development tree is managed by two guys, namely Christian Helmuth and myself. Most contributions originate from the other members of Genode Labs. Technical discussions are taken to the issue tracker and mailing list, which has a calm and polite tone. So there haven't been any disputes, yet. I believe that when having a disciplined discussion culture, no ruling of a dictator is needed but I guess the current situation could be characterized as having a team of two benevolent dictators.
Is there some corporation, organization or group that supports the project, by giving professional help, money or ideas?
Indeed, the project is supported and funded by a company called Genode Labs. It is an independent and self-sustaining company founded by the original creators of Genode with the stated mission to bring this technology to main-stream computing.
About supporting, how can interested people help the Genode project?
The best way is to check out the code and start experimenting, providing feedback, and getting involved with the project at GitHub (https://github.com/genodelabs/genode). To see where the project is heading, there is a road map (http://genode.org/about/road-map) and a compilation of future ideas (http://genode.org/about/challenges) to be found at our website.
If this whets your appetite to get hands-on experience, you may grab an issue from the issue tracker and start investigating and discussing the topic with us. Furthermore, the mailing list is a good place to get involved.
The goal for 2012 is the transition of the framework from a toolkit for building special-purpose operating systems to a fully functional general-purpose OS. What was the need for it?
We wish to demonstrate how Genode fulfils the promises I stated above. There is no better way to show our confidence in the maturity and flexibility of the framework than to actually use it for our personal computing needs. Furthermore, we hope that this undertaking will draw our attention to those parts of the framework that are possibly still underdeveloped for real-world use. So we can focus on the right things.
And of course, being geeks ourselves, we are curious to see if we are up to this challenge.
Still about the goals, how do you want to see Genode in the next years? Dominating a platform specifically?
To me, the success story of GNU/Linux is very inspiring. It tells me that open technology that started as a grass-roots effort is able to have a huge impact and receive broad adoption.
As for GNU/Linux, Genode is not geared towards a specific platform. Any platform that is connected to the internet and potentially endangered by malware could benefit from Genode. With respect to users, I wish that Genode will be universally regarded as the technical solution of today's ever-increasing security and privacy problems.
As an engineer, I envision that Genode provides a common ground for future component-based OSes similar to how POSIX was able to unify the software development for today's monolithic OSes.
In the future, can Genode be ready for the end user? Tablets or smart TVs?
Yes, this is definitely the plan. However, the use of Genode will be pretty much transparent to the end user. For example, I think that Android or Chrome OS could benefit from being built upon Genode without end users taking notice.
Some enterprises and organizations don't believe in open-source projects supported by a community. What do you think about it?
These are actually two questions depending on whether the organization plays the role of a contributor or the role as a user of an Open-Source project.
Changing the technology world can hardly be done by a single person. It requires the great minds of many individuals working together as a community. Of course, such a community can have the form of a team working at a large company on a proprietary code base. Or it can have the form of an open community. Whether taking either approach or some path in-between largely depends on the goals of the organization. Large corporations tend to be protective about their intellectual property, which, in turn, limits their ability to engage in open communities. Consequently, they have to build communities inside their organizations. In a way, working in such a managed community corresponds to living in a state-directed economy where the freedom of each individual is subordinated to the master plan defined by a few leaders. For the most part, this plan pursues the growth of the company and the financial gain of stock owners as primary goals. Technological progress and making the world a better place are secondary concerns.
In contrast, an open community respects and promotes the freedom of each individual. It acts in the interests of many whereas a managed community acts in the interest of only a few. Members of an open community don't have to subordinate their individual passion about technology to the goals of a few leaders. Personally, I find living and working in such a free environment much more desirable than participating in a managed community.
For the past three years, we conducted the development of Genode mostly inside Genode Labs and released the results of our work in the form of source code at regular intervals. But we finally realized that in order to let Genode change the world, it needs more than our little company. It needs a thriving community of users and developers. As we find building a large managed community within Genode Labs neither feasible nor desirable, we are convinced that opening up the project to an open community is the way to go. This is where we are now.
Speaking of an organization adopting a community project, I think it is pivotal to have a predictable and trustworthy development process as well as competent commercial support. Ideally, there should be an ecosystem of businesses around a community project that provides confidence in the adoption of the project. This is where Genode Labs comes into play.
Would you have a message for our readers from Espírito Livre Magazine?
Thank you for your interest in our work. If you are curious to learn more about what we are up to, please have a look at the YouTube video at
I hope we will hear from each other soon.