Lecture: exokernel I

Exokernel: An Operating System Architecture for Application-Level Resource Management, SOSP 1995

Question

Suppose you are running two applications A and B on an exokernel. A first successfully allocates a physical page n. B then tries to allocate the same page n. How does an exokernel make sure the second allocation from B will fail? What if B tries to trick the kernel into deallocating n (which it doesn’t own)? Describe what kind of data structures an exokernel might need for bookkeeping.

As a concrete example, Appendix B.3 of Dawson Engler’s PhD thesis describes the system calls for physical memory management in the Aegis exokernel:

int ae_p_alloc(int n): Allocate page n. Fails if page is already allocated.
int ae_p_unref(int n): Remove reference to page n. If no other process has a reference to the page it is deallocated. Fails if the current process lacks permissions.
int ae_p_add(int prot, int pid, int n): Give process pid access to page n with protections prot. Fails if the current process lacks appropriate permissions.

Question

Suppose you are developing two mutually distrustful networked applications on an exokernel; there is only one network interface card (NIC). When the NIC receives a packet, how does the exokernel decide which application to deliver the packet to (i.e., demultiplexing)? In other words, can a malicious application hijack packets destined to the other application? What are the proposed & implemented solutions, as well as their pros and cons?

As a comparison: consider two applications on Linux, both invoking and waiting on the recv(sockfd, ...) syscall with different sockets. Think how the Linux kernel associates network packets with sockets and applications, and whether an exokernel can do the same.

On a side note: if you have done the JOS labs in your ugrad OS class, there is a related challenge problem in lab 6 (search for “multiple network servers”). This is just FYI; you don’t need to do the lab to understand the paper.

Question

Section 6.2 (Table 10) evaluates the performance of virtual memory, using a set of benchmarks from Appel and Li (we will see these benchmarks again in Dune and Hyperkernel). Why do you think Aegis/ExOS outperforms Ultrix, except for prot100 and unprot100? Do you find the evaluation convincing?

Question

Provide a list of questions you would like to discuss in class. Feel free to provide any comments on the paper and related topics (e.g., which parts you like and which parts you find confusing).

discussions from last lecture’s app-level OS paper
- cost of abstractions: information hiding, repeated work, etc.
- common themes
  - upper level provides “hints” to lower level
    - open flags (O_DIRECT), socket options, BigTable to GFS
    - specialized operations: sendfile
  - lower level exposes more primitive abstractions
    - examples: exokernel, open-channel SSDs
    - challenge: API design to provide multiplexing, protection with less information
background
- virtual memory: MMU, hardware/software-managed TLB
- syscalls/exceptions/interrupts/traps - see also Figure 1 in Hardware and Software Support for Efficient Exception Handling
- self-authenticating capabilities
  - Amoeba: use a check field (e.g., hashing object name + access rights)
  - will see kernel-enforced capabilities in EROS
  - Capability-Based Computer Systems
goals: performance, flexibility, extensiblity
- through giving applications control over kernel as much as possible
- but not too much: isolation & sharing, fairness, revocation
- hard part: what abstractions? what about using VMMs?
- interface design
  - traditional OS interface/POSIX
    - processes, files, IPC, virtual memory
    - programming/management and protection
  - exokernel: separate interfaces
    - exokernel interface: protection
    - library OS: programming/management (untrusted)
      - (more optimized) POSIX abstractions
      - application-specific abstractions
end-to-end design principles: expose lowest-level control (to only perform protection/multiplexing)
- protection; no management
- expose low-level names - why?
- expose allocation/revocation - what if two applications compete for resources?
secure binding - what does this mean?
- example: multiplex physical memory - how would you implement this
  - hardware tagging
  - no shared pages: keep an array mapping physical pages to owning processes - what if a process gets killed?
  - shared pages: linked list, hash table, graph (e.g., seL4), VA, self-authenticating capabilities
- example: multiplex send/recv
  - how does it work in a traditional OS - someone needs to perform lookup
  - hardware support: more recent examples - SR-IOV & scalable IOV
  - packet filters: eBPF, DPF (SIGCOMM’96) / `C (POPL’96) / VCODE (PLDI’96)
  - pros/cons for each approach
- example: multiplex CPU
  - expose time slices
  - applications implement scheduling policies
- how about disk?
- ASH - how is this useful?
- abort protocol - how does it work?