From: Cem Paya 98 (Cem.Paya.98_at_Alum.Dartmouth.ORG)
Date: Wed Jan 21 2004 - 16:49:47 PST
Paper review: Application performance and flexibility on
exo-kernel systems
Cem Paya, CSE 551P
This paper describes the ExOS/Xok combination, which
implements a subset of the UNIX API on top of an exo-
kernel architecture, granting applications flexibility in
directly managing hardware resources ordinarily mediated
by the operating system itself. As the authors point out
this opens up an opportunity for experimenting and
innovation, since writing application level code is easier
and accessible to more developers than writing kernel mode
code. On the other hand it sounds like recipe for disaster—
reliability is one of the commonly cited reasons for
denying applications access to raw hardware, favoring
abstractions exposed by the operating system instead. This
paper attempts with mixed results to argue that protection
and management can be seperated, the former under complete
control of the kernel while the latter is driven by
individual applications, all without unduly impacting
performance. If that sounds like a high-wire act, rest of
the paper does little to dispel that concern.
It certainly does succeed at proving that exo-kernel
design can get very complicated. Basic functionality
generally associated with monolithic kernels (scheduling,
resource allocation, file system etc.) is now supported by
multiple, library operating systems or libOSes with
potentially different implementations. Exokernel oversees
that the different libOSes not interfere with each other
while sharing the same block oriented storage device. This
involves quite a few Rube-Goldberg contraptions because
the kernel is trying to enforce access controls without
understanding the semantics of file system structures. The
solution involves a primitive programming language for the
libOS to express various predicates that Xok can evaluate
to verify that the libOS is obeying its own rules. (Not
the only “virtual execution environment” introduced here—
there is also code injected into the kernel as wake-up
predicates, which are compiled on the fly into machine
language.) There are optimizations based on trust model
between libOSes: cooperating, one-way trust and mutually
suspicious—although the cooperation model which assumes
libOSes can write into each other’s address space does not
take into account the more common scenario of well-
intentioned but buggy application corrupting an
abstraction shared with another app.
There are surprises in the paper too: for example not only
are typical application not significantly slower in ExOS,
some of them are are considerably faster. Benchmarks
involved comparing ExOS/Xok combination to FreeBSD,
OpenBSD and OpenBSD running a port of the C-FFS filesystem
used by ExOS. More bewildering is an application of
extensibility that allows emualted code to run faster than
on native hardware. This is due to ExOS being able to
elliminate most of the error checking and parameter
validation code necessary to prevent kernel from panicing
on bad input; with an exokernel an application the point
is mute because the application will only crash its own
libOS. You can copy files without blitting contnet bits in
memory or serve HTTP responses without copying from file
to network send buffer as in the Cheetah HTTP server.
(Incidientally this ter is natively supported in Linux and
Windows, because it was recognized as key optimization for
web servers.) Perhaps the most unorthodox trend in this
paper is that the design chooses to expose as much as
information as possible about low-level kernel behavior to
applications. This goes against the grain of abstraction,
encapsulation and information hiding. Commodity operating
systems tend to guard hardware resources carefully. Useful
optimizations are exposed as special cases, such as
TransmiteFile() in Windows which is an analog of the
Cheetah server’s merging of file cache and TCP
retransmission pool or Linux futexes which are the analog
of inexpensive critical sections that the authors point
out are useful for libOSes. Perf-critical applications can
take advantage of transparency in exokernel design to
extract more performance, but jury is out on whether the
benefits justify the massive complexity.
This archive was generated by hypermail 2.1.6 : Wed Jan 21 2004 - 16:49:52 PST