Finally, Our Own OS – Oh Yes!

At last – we’ve done it!

I’ve anticipated this day for ages – the day when the first commercially available mass market hardware device based on our own secure operating system landed on my desk. And here she is, the beaut.

This unassuming black box is a protected layer 3 switch powered by Kaspersky OS and designed for networks with extreme requirements for data security.

And there’s plenty more in the pipeline where this came from too, meaning the tech will be applied in other Internet-connected bits of kit, aka the Internet of Things (IoT). Why? Because this OS just so happens to be ideal for applications where a small, optimized and secure platform is required.

The operating system boasts several distinctive features. Let me run through the main ones briefly…

First, it’s based on microkernel architecture, which allows different modifications of the operating system to be assembled ‘from blocks’ depending on a customer’s specific requirements.

Second, there’s its built-in security system, which controls the behavior of applications and the OS’s modules. In order to hack this platform a cyber-baddie would need to break the digital signature, which – any time before the introduction of quantum computers – would be exorbitantly expensive.

Third, everything has been built from scratch. Anticipating your questions: not even the slightest smell of Linux. All the popular operating systems aren’t designed with security in mind, so it’s simpler and safer to start from the ground up and do everything correctly. Which is just what we did.

And just the other day we celebrated the birth of this new OS!

The very first meeting held regarding this project took place 14 (fourteen!) years ago almost to the day – on November 11! Not that we’ve been diligently coding and testing since then; in that amount of time with sufficient resources you could see several projects through to the end and update and improve them all several times over!

No, in the first several years not a single line of code was written. We met from time to time, discussed technical details, architecture, and drew pretty pictures on large sheets of paper. Then we built up a team – very slowly, since OS specialists are few and far between. And onwards we move, slowly but surely. Fast forward several years, and today we aren’t simply celebrating the latest team discussion, but our first commercial hardware device actually ready!

November 11 is of course easy to remember as it’s 11-11, which is the birthday of our big, ambitious project. Indeed, within the company the project is known simply as ’11-11′.

14 years is a serious age for any project. Looking back it seems so quaint now how at the start we argued about the architecture and the basic parameters of the future OS and felt a little bit like… alchemists with compasses trying to make squares out of circles.

The question to which we were searching for an answer was this: how can we build an operating system that will be impossible to hack in principle? Is it possible in practice? Meanwhile, all around this alchemy folks were fairly astonished: just what were we thinking? We’d decided to make an unhackable platform and ruin our other security business model?!

Indeed, we were often asked why such an OS is really necessary. Here’s why:

Once, cyberthreats targeting critical infrastructure, telecoms and other modern-life-essential systems looked mostly like science fiction. No one – besides us paranoids (actually, and also the most advanced hackers, cyber-spies and cyber-militaries) really had any idea that data security could directly affect physical security. Nor were they aware that literally all digital systems in existence around the world can be hacked. After all, we started our project long before Stuxnet, and even before Die Hard 4, where the cyber-baddies hacked and wrecked critical infrastructure. But as time has passed the general level of understanding of the threats has gradually – and increasingly conspicuously – risen…

The serious problem of security of critical infrastructure started to be discussed at high-profile international conferences. Then, gradually, the topic started to spread into the imaginations of Hollywood (Die Hard 4, Skyfall…). Next, literally in the last year to 18 months, attention has risen still further – exponentially – to finally make the topic of cybersecurity one of the main topics at various top-level international summits and meetings of world leaders. Meanwhile, quietly in the background all this time, alchemists KL experts were toiling away in their workshops edging ever nearer to the unveiling of our very own OS!

We realized that the operating system needed to have lots of different applications.

First, it should provide a basis for the development of protected industrial control systems.

Second, it should provide a basis for the development of protected embedded devices, including the IoT. Btw, the recent DDoS attack on Dyn’s DNS servers, which brought down sites like Amazon and Twitter, was carried out by a botnet that had infected ‘smart’ (actually, rather stupid:) devices like IP-cameras. The attack generated an astounding 1.2 terabytes a second – the biggest DDoS in history.

So, I’m hoping it’s obvious by now how protecting the IoT and, of course, critical infrastructure (industry, transport, telecoms, etc.) from IT threats is simply mandatory. I also hope it’s clear that it’s better – no matter how difficult – to build IoT/infrastructure devices from the very beginning in such a way that hacking them is practically impossible. Indeed, that is a fundamental goal with Kaspersky OS.

That was all mostly a teaser really. Coming up soon – more details about our secure operating system.

Comments 51

Ernest

This is very interesting. Congratulations! Do share more on the new OS/device.

12

shakil

Excellent! excited to know Kaspersky OS! Good luck.

4

Laurentiu

Congratulations, Eugene !

4

Sivabudh Umpudh

Will the OS source code be Github’ed? In what programming language is the OS written?

49

Erkin Alp Güney

Sorry, I could not find the link to buy a license or download an image.

9

29Mighty

Yes, this would be great to know.
I’m also interested to buy and test this.

2

Dominik Rodler

There is also a huge market for private / small business applications, where there are no skilled resources to protect against cyber threats.
Are there any specific plans in that direction?

2

Vasileios Anagnostopoulos

Fantastic, especially the challenge to create an OS from scratch. I am waiting for the price later.

1

Elcid

Great achievement. Congrats & good luck. Look forward to getting more details. Thanks.

0

John

Hello,
How would Kaspersky OS compare to http://flint.cs.yale.edu/certikos/ or https://wiki.sel4.systems/FrontPage ?

Is there any formal evidence backing up the layer3 sec. claims ? (formal verification, property based testing, etc?)

Regards

8

Ben Jones

Nice!

0

Tachimen

fopen mode=rb?
If you have binary and non-binary modes in your OS, then it’s already an edge-case. You say it’s that secure? ;-)

4

Angin Topan

This means no existing program will run on this OS right?

0

Ged Carroll

Any information on how to purchase and pricing Eugene?

1

Swapnil Bhartiya

How do we know it’s secure? You have the source code, it’s proprietary, what if there are back doors? Can we audit the code? What if it’s a spyware disguised as secure OS? I really can’t see people trusting it without access to the code.

18

john

there are a few things i really wish this OS has to be usable for me:

1. GPL licence
2. seL4 MicroKernel based (it’s securely proven)
3. compatible with Linux software (FlatPak would be awesome!)
4. KDE Plasma GUI (or LXQt, at least)

(if it was based on Genode i would be very happy as well!)

3

Charlie

Did you license QNX, work up from Minix, deploy the HURD, or write a completely new kernel yourself?

Whatever you did, it’s a great accomplishment! I am hoping that some of what you’ve learned with it will end up strengthening an existing OS architecture.

0

Mustafa Shib

Finally, a serious device can make us safer. Great job, and I hope to see it in the market soon.

0

alsoeric

Looks fantastic.

It would be interesting to see your take on another, potentially more socially relevant problem specifically handicap accessibility. At first glance, people do not see that accessibility is a security problem but in order to do accessibility right for people like me using speech recognition or people using text-to-speech you need to get into an application and read and write data that will influence the application’s operation.

For example, if I want to edit a document, I need to know the structure of the document inside so I can build a grammar to allow me to navigate and manipulate elements within the document. Then I need to add, delete, or modify elements. On top of that, I may want to create automatic processes/macros to further make it easier for me to work with documents.

Every single feature you need to build a good accessible interface is exactly what an attacker needs to gain access and manipulate the system.

This is quite a problem. From my limited perspective, it looks like we get to choose between making systems accessible to everyone or we make them secure. I would welcome a discussion on this.

1

BobC

Obvious Question #1: When can I demo KOS on my RasPi3?

1

Mike

This is such excellent news you wouldn’t believe how happy I am to see it!

Provided no crypto keys ever leaked.

While I have confidence in you being able to keep them safe, I’m not very optimistic when it comes to third parties. How is that gonna work? Your signed “kernel” for a CPU architecture, with vendor-signed HALs? When the HAL key is released (not IF, but WHEN) it’s game over again as I see it. Only CPUs I know of having the ability to run stuff in kmode, but still “restricted” is x86 (ring 1) and MC68k (master mode).

I’m looking forward to you elaborating on the OS, and how this is prevented. Is it based on an L4 derivative, or 100% in-house? Has it been (or can it be) mathematically proofed like the specific L4 kernel managing that feat?

1

Erik Thiart

Cisco/HP/Juniper – junos is also built from scratch… What sets this apart?

0

stumbles

Sorry, Juniper isn’t built from the ground up, it’s *BSD based.

0

Anonymous

Will there ever be a consumer version, e.g. For online banking?

3

Matthias D.

Nice project! Hope to get more information about this soon.

0

Mansurah

Kaspersky OS!! This is soooo incredible!

0

Dubravko Gacina

Nice! That “Kraftway” thing (hardware) is based on what CPU architecture?

0

Charivari

Is there also some secure programming language embedded, so that unintended vulnerabilities are avoided to get introduced, e.g. with G (LabView-like visual programming style)?
Is a static/dynamic vulnerability analysis included, so every piece of new coding get audited in an automatic way?

0

Shan

That’s a great news. Would love to experience it. Hope it does not get reverse engineering proof.

0

Jack

How does it compare to Secure QNX?

0

Warren

Security through obscurity, Kaspersky style.

6

Denis

Hi Warren,
I doubt obscurity is possible here. Any vendor who wants to supply gov orgs in any country should provide the source code.

3

Manuel Moreno

Congratz dear Eugene. Any datasheet or specs to see more details? When is this available to partners?

1

alan chavez

When Kaspersky OS for Desktop and Workstations and Servers?

1

Mukesh

Sounds a secure OS, sure great steps have been taken, However not very clear from information here as to how you claim it to be secure in many aspects
– how you deal with protocols inherent issues/upgrades ?
– Is having micro kernel architecture address all possible L3 security issues or even DDoS ?

0

scott

how many pps can this sucker process?

0

Sam Talib

any possibility that it will be available for consumer level?

0

David Demelier

Is it open source? If not, I won’t use it ;)

2

Syahir Asyraf

Will it be available for consumer level and not just the high corporations? Seriously excited about this new OS

0

Yeniaul

“how can we build an operating system that will be impossible to hack in principle? Is it possible in practice?”
In principle? No. In practice? No.
Rules of computing:
Rule 1: NOTHING is unhackable.

2

leet

Interesting, but remember, Everything can and will be hacked sooner or later:)

2

Stan

Congratulation I so love it

0

Mr.ArH

Viva Kaspersky

1

Marlon Mark

when can we start testing it..? :)

1

Andrés Arce

Congratulations Mr. Kaspersky. I’m from Colombia, South America and I am a technical professional. God bless you.

0

Ashish

Amazing advancement in operating system and security!
Kaspersky has always been the best and with this new OS, It has reached a new level compared to the other entities. Certainly curious to experience the Kaspersky OS 11-11!
Great work Eugene!

0

Agent_X

I’ll Hack this Eugene..stay calm!

1

manikanta

Congrats…When can we test it…?

0

Unknown

Do you sell this operating system to the military also?
I really have concerns about “unhackable” weapons that we can not destroy to prevent wars.
If you implemented a backdoor I ironically would be calmer.

0

Kosay Hatem

Can I use Kaspersky OS , or Kaspersky OS works with special hardware ?

0

Someone

Intel had a nice sticker back in ’99. It was saying, and I quote, “Intel inside, Idiot outside”

0