From: Sellakumaran Kanagarathnam (sellak_at_windows.microsoft.com)
Date: Tue Jan 20 2004 - 19:58:47 PST
This paper introduces the exokernel operating system, describes the
exokernel principles and focuses in on XN, Xok's multiplexing stable
storage; gives an overview of Xok/ExOS, compares the application
performance on Xok/ExOS with two Unix systems; demonstrates the
extensibility by explaining two applications: XCP and the Cheetah
HTTP/1.0 server; compares the global performance of Xok/ExOS with
FreeBSD UNIX version. It concludes with the clear advantages, costs and
the lessons learned.
The exokernel operating system architecture safely gives untrusted
software efficient control over hardware and software resources by
separating management from protection. The authors say that the
organization of traditional operating systems (kernel, privileged
servers and untrusted applications) is flawed. Designing interfaces for
the traditional systems would need to resolve all tradeoffs and
anticipate all ways the interface could be used, which is infeasible.
Exokernel architecture solves this exact problem by giving untrusted
applications as much control as possible. Exokernels protect
resources but they delegate management to applications. Now every
application may not need customized resource management and this is
taken care of by providing unprivileged libraries (libOSes). With the
help of libOSes, many UNIX applications can be run without
modifications on exokernels. The comparison results show that some
applications run up to a factor of four faster on Xok/ExOS. And the
authors, on the performance front, demonstrate that they get up to 8
times the performance for the Cheetah server.
The exokernel architecture was proposed in 1995 by D.R. Engler & others.
The authors talk about the previous literature on extensible operating
systems (dating from 1970) under three heads: better microkernels,
virtual machines and downloading untrusted code into the kernel. Many
of these are directly or indirectly applicable to Exokernels/libOSes.
The goal of an exokernel is to give efficient control of resources to
untrusted applications in a secure, multi-user environment and the
following principles are followed to achieve that goal.
1) Separate protection and management
2) Expose allocation
3) Expose names (exokernels use physical names wherever possible)
4) Expose revocation (policies to applications)
5) Expose information
The authors explain kernel support for protected abstractions in
addition to direct access to low level resources.
It is good to note that the authors try to provide added interfaces for
protected abstractions but, in my understanding, they are essentially
taking the traditional approach which was deemed infeasible by them.
Then they go on to explain protected sharing in exokernels/libOSes. The
exokernel provides four mechanisms libOSes can use to maintain
invariants in shared abstractions: software regions,
hierarchically-named capabilities, wakeup predicates and critical
sections. And three levels of trust determine what optimizations can be
used by the implementation of a shared abstraction: mutual trust,
unidirectional trust and mutual distrust.
The authors then go on to explain XN, Xok's low-level in-kernel stable
operating system which is used to multiplex disks among multiple library
file systems. They explain one particular libFS as well: C-FFS. XN uses
UDFs (untrusted deterministic functions). These are used by the kernel to
interact with libFS to make certain decisions. XN solves the issue of
efficiently determining the access rights by using templates and UDFs.
XN used tainted blocks for ordered disk writes and used a buffer cache
registry for allowing protected sharing of disk blocks and their
metadata to physical pages.
The authors explain the implementation of UNIX abstractions (process,
IPC, file descriptors, files) on Xok using ExOS.
The next section explains the application performance on Xok. The
measurements establish two results. First, the base performance of
unaltered UNIX applications linked with ExOS is comparable to OpenBSD
and FreeBSD. Second, some unaltered applications perform better on
ExOS (and this is because of ExOS's high-performance file system).
This paper clearly explains Exokernels from two perspectives:
extensibility and performance. XN and C-FFS clearly demonstrate the
extensibility and some of the applications drive the point. Overall the
paper and the comparisons seem to validate the exokernel approach.
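
Added example (not part of the original post and not code from Xok): how a kernel in XN's position can use a libFS-supplied untrusted deterministic function to validate a block allocation without understanding the metadata layout. The inode layout and the names `owns_udf`, `inode_owns` and `xn_check_alloc` are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_PTRS 8   /* assumed limit for this example */

/* Supplied by the libFS: lists the blocks a metadata buffer points to.
 * Deterministic: the result depends only on the bytes passed in. */
typedef size_t (*owns_udf)(const uint8_t *m, size_t len, uint32_t *out, size_t cap);

/* Hypothetical libFS inode: an array of 32-bit block pointers, 0 = unused. */
static size_t inode_owns(const uint8_t *m, size_t len, uint32_t *out, size_t cap) {
    size_t n = 0;
    for (size_t off = 0; len - off >= 4 && n < cap; off += 4) {
        uint32_t b;
        memcpy(&b, m + off, 4);
        if (b != 0) out[n++] = b;
    }
    return n;
}

static int contains(const uint32_t *s, size_t n, uint32_t b) {
    for (size_t i = 0; i < n; i++) if (s[i] == b) return 1;
    return 0;
}

/* Kernel side: apply the proposed 4-byte write to a copy and commit only if
 * owns(after) == owns(before) + {blk}. A real kernel would also check that
 * blk is free and that the caller may write this metadata block. */
int xn_check_alloc(owns_udf owns, uint8_t *meta, size_t len,
                   size_t off, uint32_t newval, uint32_t blk) {
    uint8_t copy[MAX_PTRS * 4];
    uint32_t before[MAX_PTRS], after[MAX_PTRS];
    if (len > sizeof copy || off > len || len - off < 4) return 0;
    memcpy(copy, meta, len);
    memcpy(copy + off, &newval, 4);
    size_t nb = owns(meta, len, before, MAX_PTRS);
    size_t na = owns(copy, len, after, MAX_PTRS);
    if (na != nb + 1 || contains(before, nb, blk) || !contains(after, na, blk))
        return 0;
    for (size_t i = 0; i < nb; i++)      /* no existing pointer may vanish */
        if (!contains(after, na, before[i])) return 0;
    memcpy(meta, copy, len);             /* commit the verified change */
    return 1;
}

int main(void) {
    uint8_t inode[16] = {0};             /* constructed sample metadata */
    printf("alloc 9: %d\n", xn_check_alloc(inode_owns, inode, sizeof inode, 0, 9, 9));
    printf("lie about block: %d\n", xn_check_alloc(inode_owns, inode, sizeof inode, 4, 12, 13));
    return 0;
}
```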