Application Performance and Flexibility on Exokernel Systems, SOSP 1997
Suppose there are two applications running on top of an exokernel, each with its own libOS/libFS. One application wants to open and read /README, a small file under its root directory. How can the application prove to the exokernel that it does own this file’s content? If you believe the exokernel can be convinced to safely allow the access, list the checks it needs to perform; otherwise, outline a possible attack where the application may read a file that belongs to the other application.
The Cheetah HTTP Server performs a set of optimizations. Do you think one can implement these optimizations in a server running on a conventional OS (e.g., Linux), or are they exokernel-specific? Feel free to discuss other types of applications in this context.
There are several code downloading mechanisms and domain-specific languages described by the two papers: DPF (dynamic packet filters), ASH (application-specific handlers), wakeup predicates, and XN templates. Any comments on the pros and cons? What changes/improvements would you like to make?
Just FYI - you may be interested in Chapter 6, “Reflections on Downloading Code” in Dawson Engler’s PhD thesis. Draft your answers to the question before reading it.
Provide a list of questions you would like to discuss in class. Feel free to share your thoughts on the exokernel architecture, either technical or sociological.
The use of UDF is very neat. XN can reason about the correctness by induction. It can check initially that the “root entry” is correct through UDF, and then every time the libFS adds a link, it checks whether the typed graph is correctly formed.
This has two implications. One, XN needs to manage block allocation/deallocation. Two, it seems hard for XN to track reference counting on its own—either it requires that each block be pointed to only once (which may be too restrictive), or it needs another UDF to track the reference count of blocks (and verify it every time the refcnt is changed).
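A toy model of the inductive UDF check discussed in the comment above, which also bears on the first question (how the exokernel can decide whether a libFS may reach /README). This is an added illustration, not code from the paper or from XN itself; the two-byte link encoding in owns_udf, the XN class, and the principals "A" and "B" are assumptions made for the example.

```python
def owns_udf(meta: bytes):
    """libFS-supplied UDF: a metadata block is a list of (block, type)
    pairs, two bytes each. Pure and deterministic, so XN can rerun it."""
    return {(meta[i], meta[i + 1]) for i in range(0, len(meta) - 1, 2)}

class XN:
    """Toy XN: records who allocated each block and how many links point
    at it; accepts only metadata writes whose UDF-visible delta is legal."""
    def __init__(self):
        self.owner = {}   # block -> principal (libFS) that allocated it
        self.refcnt = {}  # block -> number of metadata links pointing at it
        self.meta = {}    # metadata block -> current contents (bytes)

    def alloc(self, principal, block):
        if block in self.owner:
            raise PermissionError(f"block {block} already allocated")
        self.owner[block], self.refcnt[block] = principal, 0

    def free(self, principal, block):
        # deallocation is XN's job: refuse while any link still points here
        if self.owner.get(block) != principal or self.refcnt[block] != 0:
            raise PermissionError(f"block {block} still referenced or not yours")
        del self.owner[block], self.refcnt[block]

    def write_meta(self, principal, mblock, new, udf):
        if self.owner.get(mblock) != principal:
            raise PermissionError("not the owner of this metadata block")
        before, after = udf(self.meta.get(mblock, b"")), udf(new)
        added, removed = after - before, before - after
        # induction step: a new link may only name a block this same
        # principal allocated, so another libFS's /README stays unreachable
        for blk, _ in added:
            if self.owner.get(blk) != principal:
                raise PermissionError(f"link to block {blk} owned by another libFS")
        for blk, _ in added: self.refcnt[blk] += 1    # XN tracks refcounts itself
        for blk, _ in removed: self.refcnt[blk] -= 1
        self.meta[mblock] = new

def demo():
    xn = XN()
    xn.alloc("A", 1); xn.alloc("A", 2)             # A: root meta 1, /README data 2
    xn.write_meta("A", 1, bytes([2, 1]), owns_udf)  # root -> block 2, refcnt 1
    xn.alloc("B", 3)
    try:                                            # B tries to link A's block 2
        xn.write_meta("B", 3, bytes([2, 1]), owns_udf); forged = True
    except PermissionError:
        forged = False
    ref_before = xn.refcnt[2]
    xn.write_meta("A", 1, b"", owns_udf)            # A unlinks, refcnt drops to 0
    xn.free("A", 2)                                 # now deallocation is allowed
    return ref_before, forged, 2 in xn.owner
```

The constructed run shows both points from the comment: the forged link from B is rejected by the delta check, and XN refuses to free block 2 until its link count reaches zero.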