From: Muench, Joanna (jmuench_at_fhcrc.org)
Date: Mon Mar 01 2004 - 14:36:29 PST

And the award for most-readable paper goes to... Denali!!! (round of
applause).

Whitaker, et al. (2002) introduce the Denali isolation kernel as a scalable
solution to provide a secure infrastructure for Internet applications. The
system is unabashedly directed as a solution to a narrow (but sizable)
problem space. The virtual architecture is not designed to support
unmodified legacy systems, although such systems could be altered to run on
Denali.

The minimalist kernel that makes up Denali clearly inherits a great deal
from Exokernel, especially the first principle of exposing only low-level
resources. An interesting aspect of security that I hadn't considered is the
issue of layer-below attacks, where a resource can be exploited by access
from a layer below the layer of enforcement. There are also similarities to
Disco in terms of the use of a virtual machine monitor, but instead of
trying to emulate the underlying architecture, Denali allows the virtual
architecture to deviate from the physical architecture.

The actual implementation of Denali is designed for simplicity. Interfaces
to I/O devices are provided, but in a simplified fashion. Similar to the
Exokernel libOS's, the VM shares its address space with applications. This
is very effective for the lightweight Internet applications Denali is
designed for, although it would probably not work well for larger applications.
The authors choose static allocation for memory management, trading some
disk capacity for enhanced performance and scalability.

The system seemed to meet its stated goals of simplicity, security and
scalability. There were a few bottlenecks identified; the significant one
appeared to be a problem with mbuf entropy, the implications of which I
didn't entirely grasp. However, the roots are the issue of how the guest
operating system deals with paging, as well as in memory allocation and
de-allocation routines.

No paper is perfect, and while this paper is nicely organized and presents a
novel application of a virtual machine monitor, the authors fall down on a
key detail. Why would one be content with testing the performance of Denali
as a Quake II platform without getting some real user feedback?