Brussels / 31 January & 1 February 2015


The FLK project

Security by the language, no MMU, no processes

EIFFEL the language and SCOOP(*) allow the creation of a kernel without neither MMU nor processes but secured.

The removal of MMU and processes improves the switching time of contexts and minimize the memory cost of concurrency. The kernel provides unlimited concurrency and native synchronisation/acquiring of multiple resources.

The security is primarily given through EIFFEL's exports at the API level and is enforced by tightly coupling the kernel and the compiler. The low-level unsafe API are available only available to the kernel.

(*) SCOOP: Simple Concurrent Object-Oriented Programming

The common state of the art is focused on POSIX implementation: C programming, processes, threads, mutexes, etc... But this has some issues: one stack per thread with strong separation of processes made by the use of MMU.

By changing the language, this concepts are becoming obsoletes and the issues disappearing. But the security remains and even more is enforceable at an API level.

SCOOP, the Simple Concurrent Object-Oriented Programming, is expressing the concurrency inside the language (without need of IPC or IDL) by linking (sub)systems to abstract processors.

Each of the SCOOP abstract processor has its own isolated memory. The FLK ( implementation ensures the isolation of the memory at the language level. This done, no MMU is no more needed. Yes, the memory is managed by the kernel, but using only one common addressing space, a flat model.

SCOOP provides the model of synchronizing multiple resources. This synchronisation is native and is made using Rhee's algorithm that can be distributed. Having this avoid any need of mutexes, semaphores.

Conversely, this model tends to multiply the count of abstract processor in a way that can not be implemented using threads because of their weight. But it allows to change the underlying mechanism. Abstract processors are not executed within a private context/stack but on the current execution context that crosses processors.

New security behaviours tends to include security at the API level. The coupling of the compiler with the kernel allow to enforce this behaviour at compile time, installation time and (if very paranoiac) at runtime.


José Bollo