What it takes to make an OS: 1.3 million lines of code, 18,000 commits and 4,000 fixed bugs

Kaspersky recently celebrated the anniversary of its security-by-design concept which has grown into the full-fledged KasperskyOS operating system 

Kaspersky has analyzed what’s needed to develop the core components of an operating system from scratch – looking back at its own experience with KasperskyOS. From 2012 to 2022, product developers wrote 1.3 million lines of code for the kernel, drivers and basic services, and Kaspersky Security System – key ingredients of KasperskyOS. The team fixed 3,950 bugs[1] and once even rewrote the whole system from one programming language to another.  

20 years ago, in 2002, Kaspersky started working on the concept of cybersecurity-by-design – a technology or a solution that would allow making security an essential property of an IT system. It was a time when Kaspersky experts understood that to protect business from ever emerging new cyber threats it is necessary to develop a fundamentally new approach to cybersecurity different from currently existing model ‘virus appeared – develop antivirus’. In 2012, the active development of KasperskyOS begun. Today, KasperskyOS is recognized as the key to enable this secure-by-design, or Cyber Immune approach. 

The kernel of KasperskyOS only consists of 100,000 lines of code which makes it a microkernel[1]. For comparison, Linux’s kernel involves 27.8 million lines of code. However, for its development along with drivers and basic services, 1.3 million code lines were written and 18,000 commits were made to submit changes in the source code. Almost 13,500 lines more were written on assemblers for different architectures. 

Kaspersky Security System is an important part of KasperskyOS that ensures that only authorized communications happen among the system components. To create it and its relevant libraries, Kaspersky developers wrote down 126,000 lines of text including approximately 100,000 lines of Haskell code. These changes composed together other 2,067 commits.

The project of KasperskyOS involves many more parts. It is the result of long discussions and iterations, changes of concept and positioning. Once the team even rewrote the whole project from C++ to C to simplify verification and use more compilers and tools available for C. As a result, developers managed to implement the concept of a secure operating system that has a minimal number of trusted components, security domain isolation (MILS architecture approach) and inspection of inter-process communications. Altogether, they ensure that most types of attacks are not able to affect the system. 

Today, the Kaspersky Cyber Immunity® trademark is registered in three regions - Russia, the United Kingdom and the USA. 

KasperskyOS provides necessary interfaces and tools for Cyber Immune solutions development, including the isolation of security domains and control of the interaction between them. KasperskyOS-based products can cost less in terms of security than similar products based on other special-purpose operating systems of earlier generations.

Such Cyber Immune solutions are in demand in the industrial and energy sector as well as in financial and educational institutions, transport infrastructure and smart cities. Product development based on KasperskyOS is moving from protecting industrial environments and the Internet of Things towards protecting professional mobile devices and connected cars.

“We have been travelling through an exciting journey with KasperskyOS. This is not just another operating system but a protected OS where security is its essential, innate feature. While the development took a huge amount of research and programming, we achieved our goal and made the system compact and efficient to meet its primary goal of enabling Cyber Immune IT systems through its current solutions. Kaspersky continues enhancing the operating system to make it applicable to diverse use cases of Industrial IoT, Smart City, remote workplaces,” comments Andrey Suvorov, Head of KasperskyOS Business Unit at Kaspersky. 

The value of the IT solutions’ “innate” security is beginning to be realized by industry and government regulators. We see that the regulation in the automotive industry is already changing - global automakers are required to ensure data transmission security, large software developers such as 

AWS

 are applying the secure-by-design approach to their services, and the cybersecurity agency of Singapore issued the 

Security by Design Framework document

. The secure-by-design approach is fundamental in the concept of Cyber Immunity and the Cyber Immune development of Kaspersky.