From: Praveen Rao (psrao_at_windows.microsoft.com)
Date: Wed Jan 21 2004 - 15:36:21 PST
This paper discusses exokernel operating system architecture that gives
user-mode software greater control over hardware and software resources.
The key idea here is separating management from protection. Authors
argue that restricting resource management to the kernel is flawed
because application demands vary widely. Exokernel architectures get
around this by providing untrusted applications as much control over
resources as possible, and keep only the necessary things in the
kernel. This way applications can extract the best performance for their
needs.
To me this is yet another attempt to make the general purpose machine as
close to a special purpose machine as possible for any given task -
which is a worthwhile attempt.
Authors argue that this approach also brings Operating System
programming to "masses" and facilitates Operating System innovation. My
reservation is that it only obviates the need for kernel mode
programming - apart from that there is not much reduction in complexity.
Authors contrast exokernel approach to other approaches to extensible
operating systems, namely, microkernels, virtual machines and
downloading untrusted code into the kernel. Authors argue that the
former two do not really give control of resources to applications and
the last one is complementary to exokernel approach.
Of course, not every application should be forced to write complicated
code to access/control resources. Authors propose LibOSes for this
purpose which are libraries applications link with. These libraries hide
the resource access/control from applications.
Authors state the following principles for their work:
* Separate protection from management
* Expose allocation
* Expose names
* Expose revocation
* Expose information
Authors discuss kernel support needed for protected abstractions. They
mention mutual trust as the common case to be optimized for. I am not
convinced of that. Even though two processes are launched under the same
user privileges, it should not be assumed that they trust each other. In
fact, this very thing is one of the major drawbacks of prevalent
Operating Systems, causing security issues. Authors mention
unidirectional trust and mutual distrust scenarios as well, which I
would think are (or should be) as common as mutual trust scenarios.
Authors then discuss multiplexing of stable storage and the approach taken
to implement this in detail. The discussion goes to show that there is
significant complexity involved in achieving the goals of exokernel.
Authors discuss Xok and ExOS as examples of LibOSes. With LibOSes,
keeping global state becomes difficult. ExOS gets around this by keeping
things in shared memory. Misuse of this shared memory is probably not a
concern as it is used by LibOSes which should have OS level reliability.
Authors measured performance of exokernel systems and showed that it is
as fast for common apps as unmodified Unix and sometimes faster. Some of
the protection semantics were not implemented at the time of writing of
the paper and hence the numbers for exokernel systems would be a bit
lower than shown.
Authors discuss some of the applications where exokernel flexibility can
be exploited e.g. Binary emulation, XCP, Cheetah and show the
performance gains. Authors