From: Nathan Dire (ndire_at_cs.washington.edu)
Date: Wed Jan 21 2004 - 17:36:48 PST
In "Improving the Reliability of Commodity Operating Systems", Swift, et al.,
present Nooks, an OS subsystem for isolating kernel extensions such that faults
in an extension don't crash the entire system. General PC operating systems
such as Windows and Linux allow extensions written by third parties to
control hardware or provide some service. Such extensions are a frequent
source of crashes. Since these operating systems only support two modes of
protection, kernel and user, and extensions must operate in the kernel,
faults in an extension may corrupt the entire system.

Nooks is not designed to handle all faults. A kernel extension can go into an
infinite loop and that behavior won't be detected. It also won't protect
against malicious code. The focus is handling common programming errors. A
major goal of Nooks is backwards compatibility, so it is limited by having to
work within the existing kernel architecture. I think this is a very
reasonable approach given that the structure of the most popular operating
systems doesn't change much from their initial design.

Nooks attempts to isolate kernel extensions and provides recovery from faults
in those extensions. The basic mechanism is the extension procedure call (XPC).
Calls from the extension to the kernel and from the kernel to the extension
are replaced with XPC calls whose interface is identical to the existing calls.
This allows the Nooks layer to perform "object tracking", which controls access
to kernel objects and allows the changes to be rolled back during recovery.

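As an added illustration (not Nooks' code or anything from the paper), here is a toy C model of the XPC idea: every kernel object handed to an extension goes through a wrapper that records it, so recovery can release whatever the extension still holds. The names `struct nook`, `xpc_kmalloc`, `xpc_kfree` and `nook_recover` are hypothetical, and `malloc`/`free` stand in for the kernel allocator.

```c
#include <stddef.h>
#include <stdlib.h>

/* Toy model of Nooks-style object tracking (hypothetical names, not Nooks' code).
 * Kernel objects given to an extension pass through an XPC wrapper that records
 * them, so recovery can roll the extension's state back after a fault. */
#define MAX_TRACKED 64

struct nook {
    void  *objects[MAX_TRACKED];   /* kernel objects the extension currently holds */
    size_t count;
    int    faulted;                /* set when an XPC call has detected a fault */
};

/* XPC wrapper around the allocator: allocate and track the object. */
void *xpc_kmalloc(struct nook *n, size_t size)
{
    if (n->faulted || n->count >= MAX_TRACKED)
        return NULL;               /* refuse further calls from a faulted extension */
    void *obj = malloc(size);      /* stands in for the kernel allocator */
    if (obj)
        n->objects[n->count++] = obj;
    return obj;
}

/* XPC wrapper around free: only release objects this extension was given,
 * so a buggy extension cannot free memory it never owned. Returns 1 on success. */
int xpc_kfree(struct nook *n, void *obj)
{
    for (size_t i = 0; i < n->count; i++) {
        if (n->objects[i] == obj) {
            free(obj);
            n->objects[i] = n->objects[--n->count];   /* swap-remove from the table */
            return 1;
        }
    }
    return 0;                      /* untracked pointer: reject the call */
}

/* Recovery: roll back by releasing everything the extension still holds, then
 * clear the fault flag so the extension can be reloaded. Returns objects released. */
size_t nook_recover(struct nook *n)
{
    size_t released = n->count;
    while (n->count > 0)
        free(n->objects[--n->count]);
    n->faulted = 0;
    return released;
}
```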
The Nooks subsystem in the Linux kernel amounted to 22,000 lines of code, much
of which is generated code. This seems like a relatively small footprint in a
kernel of 2.4 million lines of code, especially considering that Linux appears
to have a relatively unstructured kernel interface. With the focus on
backwards compatibility, many extensions didn't need any modification, which
would allow this system to be used with existing third-party drivers.

Considering that Nooks adds a layer between the kernel and extensions, the
performance penalty is surprisingly small. The case where it was most
significant was with khttpd, a service which shouldn't be in the kernel
anyway. Furthermore, I think deployments where performance is critical are
likely to have tightly controlled hardware with fault tolerance at a higher
level, and for the average user, performance is bound by I/O anyway. Another
impressive result was the ability to detect bugs (in khttpd and the 3c90x
driver).

Overall, I would say that Nooks presents a good trade-off in solving the
problem of reliability. It works within existing kernel architectures, and
gives up some performance for better reliability. Once fully implemented, I
think it would make a good compile-time option for the Linux kernel, so that
more consumer-oriented distributions could decide to include it, and it would
be a powerful tool for debugging.