From: Greg Green (ggreen_at_cs.washington.edu)
Date: Sun Jan 18 2004 - 20:54:44 PST

This paper describes an exokernel implementation, Xok. An exokernel
protects resources, but delegates management of resources to
applications. A library of kernel routines is provided which any user
program can customize if different functionality is required. This
implementation has software regions, which are areas of memory that
can only be r/w by system calls. It has hierarchical capabilities for
access protection. An application can provide wake-up predicates, or
download code into the kernel to wake up processes on arbitrary
conditions. It also provides critical sections to applications that
need them.

A file-system interface specific to exokernels is needed so that many
different filesystem implementations can safely share the disk. The XN
interface is described in some depth. The main functionality of the
interface is to determine the access rights of a principal to a given
disk block. The implementation provides facilities so that a
filesystem implementation can register templates for disk structures
needed on the disk. Each fs also provides 3 functions, owns-udf,
acl-uf, and size-uf. The rest of the interface is a read-only buffer
cache, ordered writes and crash recovery. One filesystem, C-FFS, was
implemented on top of XN. This filesystem implements Unix semantics
for access control, directories, and atomicity.

A library that supports Unix abstractions was implemented, ExOS. Some
performance measurements comparing Xok/ExOS, OpenBSD, and FreeBSD were
presented. The performance was comparable except that in some cases
the exokernel was faster. The paper ended with some application
examples that used the exokernel extensibility to increase performance
in HTTP page serving, and file copying.

This paper presented a lot of new concepts to me. This is my first
exposure to the exokernel concept. I wonder how this concept would
work in the commercial world. I would think that allowing most
developers to modify base kernel functionality would result in very
poor performance, reliability, and security. That is probably just
pessimistic thinking however. It seems that this is a very powerful
idea and I would like to try it out myself.

The paper made some statements about verifiability that I didn't
quite follow. The first was with the owns-udf function in the XN
system. The paper said that XN can verify that the library's proposed
modification can be verified to see that it does exactly what it says
it does. I couldn't understand that with the information given. The
other was in the example of downloading packet filters in the
kernel. The filter is supposed to tell the kernel whether the
application gets a given packet. It makes the statement that since it
is in the kernel, it can verify that it isn't stealing packets for
other applications. I didn't understand that either.

It was interesting that the benchmarks show the performance to be
comparable or faster than the BSDs. As with all benchmarks, though,
it is hard to draw any conclusions for general computing.
-- Greg Green
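
Added example, not part of the original post and not code from Xok: a minimal sketch of the kind of check the owns-udf discussion refers to, where the kernel runs a deterministic ownership function on the metadata before and after a proposed edit and accepts the edit only if the owned-block set grows by exactly the claimed block. The metadata layout, the free map, and the names owns_udf and xn_check_alloc are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define NPTR    8    /* constructed toy metadata: 8 direct block pointers */
#define NBLOCKS 64   /* constructed toy disk, so a block set fits in 64 bits */

struct meta { uint32_t ptr[NPTR]; };   /* ptr[i] == 0 means "slot unused" */

/* Stand-in for a file system's owns-udf: a deterministic function from
 * metadata to the set of blocks it points to. Returns 0 if malformed. */
static int owns_udf(const struct meta *m, uint64_t *set) {
    *set = 0;
    for (int i = 0; i < NPTR; i++) {
        if (m->ptr[i] >= NBLOCKS) return 0;
        if (m->ptr[i] != 0) *set |= 1ULL << m->ptr[i];
    }
    return 1;
}

/* Kernel-side check for "this metadata edit allocates block b".
 * free_map has bit n set when block n is unowned. Accept only if b is
 * free and owns(proposed) is exactly owns(old) plus b. */
int xn_check_alloc(uint64_t free_map, const struct meta *old,
                   const struct meta *proposed, uint32_t b) {
    uint64_t before, after;
    if (b == 0 || b >= NBLOCKS) return 0;
    if (!(free_map & (1ULL << b))) return 0;      /* someone else owns b */
    if (!owns_udf(old, &before) || !owns_udf(proposed, &after)) return 0;
    if (before & (1ULL << b)) return 0;           /* nothing new claimed */
    return after == (before | (1ULL << b));
}

int main(void) {
    uint64_t free_map = (1ULL << 7) | (1ULL << 9);   /* blocks 7, 9 free */
    struct meta old    = {{3, 5}};
    struct meta good   = {{3, 5, 7}};      /* claims exactly block 7 */
    struct meta greedy = {{3, 5, 7, 9}};   /* also slips in block 9 */
    printf("honest edit: %d\n", xn_check_alloc(free_map, &old, &good, 7));
    printf("greedy edit: %d\n", xn_check_alloc(free_map, &old, &greedy, 7));
    return 0;
}
```

The kernel never needs to understand the file system's on-disk format here; it only compares the two sets the ownership function reports.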