Exokernel: An Operating System Architecture for Application-Level Resource Management
D. R. Engler, M. F. Kaashoek, and J. O'Toole Jr., Proc. of the 15th SOSP, December 1995, pp. 251-266

Overview:
*An exokernel improves performance by exporting the lowest-level interface to physical resources that the kernel can still protect.
*The kernel only multiplexes resources securely among applications; it does not abstract them.
*Protection is separated from management: the kernel protects resources, the application manages them.
*Library operating systems, linked into applications, implement the traditional OS abstractions; each application can use a library OS specialized to its needs.
*Because a library OS is untrusted and runs in the application's own address space, the kernel does not need to check its code (the kernel's own protection of resources is what isolates other applications), and most OS operations complete without a kernel crossing.

Motivation:
*Fixing a high-level interface to each resource hurts application performance because no single interface is best for all applications.
*High-level interfaces hide information from applications that they could use to improve their own performance.
*High-level interfaces limit the extensibility of the operating system itself, since every new abstraction has to be added to the kernel.
*End-to-end argument: implement functionality only at the level that needs it, which for most OS abstractions is the application.

Design:
*To separate protection from management, an exokernel does three things:
1.) Tracks ownership of resources.
2.) Ensures protection by guarding all resource usage and binding points.
3.) Revokes access to resources.
*Securely expose hardware: give applications access to privileged instructions and hardware resources, as far as the kernel can still protect them.
*Expose allocation: applications can request specific physical resources.
*Expose names: resources are addressed by physical names (e.g. physical page numbers) rather than virtual ones, so the library OS has the information it needs to manage them.
*Expose revocation: when the kernel needs a resource back, the application chooses which instance to give up.
-Secure Bindings:
*A secure binding lets the kernel protect a resource without understanding how it is used: ownership and access rights are checked when the binding is created, so later uses need only a cheap check or none at all.
*Three basic techniques implement secure bindings:
1.) Hardware mechanisms: e.g. the virtual-memory page protection built into the CPU and TLB.
2.) Software caching: e.g. a software TLB that caches translations the kernel has already checked.
3.) Downloading code into the kernel: made safe by a safe language, sandboxing, or interpretation, so the code can run on kernel events without a crossing into the application.
*Packet filters are the example of downloaded code: the kernel runs a filter to demultiplex each incoming packet to its owner without understanding the protocols. Caveat: the kernel cannot tell whether a filter accepts only its own protocol's packets, so a malicious filter can claim packets belonging to another application; filter installation therefore has to be restricted to trusted code.
-Visible Resource Revocation and Abort Protocol:
*Revocation is visible: the kernel tells the library OS which resource it wants back instead of silently reclaiming it, so the library OS can save or relocate state and choose which instance to surrender.
*An abort protocol handles a library OS that does not return the requested resource in time: the kernel takes the resource by force and breaks the secure bindings to it.

Aegis:
*Processor time is divided into time slices handed out round-robin.
*Exceptions: the kernel forwards each exception to an application-specified handler, and the application resumes itself afterwards, so handling an exception does not require re-entering the kernel.
*Address translation: the hardware TLB is backed by a software TLB maintained by the kernel. Each entry is a secure binding (checked when it is installed) that stays in the hardware TLB or the software TLB until it is revoked.
*Protected control transfers: a very fast IPC primitive that hands the processor to another application and passes message data in registers.
*Dynamic packet filter (DPF): compiles packet filters to machine code at runtime (a JIT) instead of interpreting them.

ExOS:
*IPC: pipes and LRPC.
*VM: a simple virtual memory system with no swapping.
*Application-Specific Safe Handlers (ASH): application code downloaded into the kernel and run on packet arrival, so a reply can be sent as soon as a packet arrives, without waiting for the receiving application to be scheduled.
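The following is an added example for the secure-binding and packet-filter discussion under Design above; it is not code from the paper, Aegis or ExOS. It models a DPF-style declarative filter language (offset/size/mask/value predicates) that a toy "kernel" can check at installation and evaluate on every packet without understanding any protocol. The packet layout, the application ids and all function names are assumptions for illustration. The last two scenarios show the practitioner's caveats: a filter can never read past the end of a packet, and an over-broad filter installed first claims another application's traffic without the kernel noticing.

```c
/* Added example (not from the paper): toy DPF-style demultiplexing filters.
 * Packet layout, ids and names are assumptions for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_PREDS   8
#define MAX_FILTERS 8

/* One predicate: (big-endian field of `size` bytes at `offset`) & mask == value. */
typedef struct {
    uint16_t offset;
    uint8_t  size;      /* 1, 2 or 4 */
    uint32_t mask;
    uint32_t value;
} pred_t;

typedef struct {
    int      owner;     /* application (library OS) that owns this binding */
    unsigned npreds;
    pred_t   preds[MAX_PREDS];
} filter_t;

typedef struct {
    filter_t filters[MAX_FILTERS];
    unsigned count;
} filter_table_t;

/* Install-time check: the kernel validates the *shape* of a filter (bounded
 * predicate count, legal field sizes, value fits the field), never its meaning. */
static int filter_valid(const filter_t *f)
{
    if (f->npreds == 0 || f->npreds > MAX_PREDS) return 0;
    for (unsigned i = 0; i < f->npreds; i++) {
        uint8_t s = f->preds[i].size;
        if (s != 1 && s != 2 && s != 4) return 0;
        if (s < 4 && (f->preds[i].value >> (8 * s)) != 0) return 0;
    }
    return 1;
}

/* The binding point: returns the filter's index, or -1 if rejected. */
int filter_install(filter_table_t *t, const filter_t *f)
{
    if (!filter_valid(f) || t->count >= MAX_FILTERS) return -1;
    t->filters[t->count] = *f;
    return (int)t->count++;
}

/* Per-packet evaluation: every field read is bounds-checked against the
 * packet length, so a filter can never read outside the buffer it was given. */
static int filter_matches(const filter_t *f, const uint8_t *pkt, size_t len)
{
    for (unsigned i = 0; i < f->npreds; i++) {
        const pred_t *p = &f->preds[i];
        if ((size_t)p->offset + p->size > len) return 0;   /* short packet: no match */
        uint32_t v = 0;
        for (unsigned b = 0; b < p->size; b++) v = (v << 8) | pkt[p->offset + b];
        if ((v & p->mask) != p->value) return 0;
    }
    return 1;
}

/* Demultiplex on arrival: first matching filter wins; -1 if nobody claims it. */
int demux(const filter_table_t *t, const uint8_t *pkt, size_t len)
{
    for (unsigned i = 0; i < t->count; i++)
        if (filter_matches(&t->filters[i], pkt, len)) return t->filters[i].owner;
    return -1;
}

/* Constructed toy packet layout (not a real protocol): byte 0 = transport
 * (17 = UDP, 6 = TCP), bytes 2..3 = destination port, big-endian. */
static const uint8_t udp_5000[]  = { 17, 0, 0x13, 0x88, 'h', 'i' };  /* 0x1388 = 5000 */
static const uint8_t tcp_5000[]  = { 6, 0, 0x13, 0x88 };
static const uint8_t udp_short[] = { 17 };                           /* truncated header */

static const filter_t app1_udp_5000 = { .owner = 1, .npreds = 2,
    .preds = { { 0, 1, 0xFF, 17 }, { 2, 2, 0xFFFF, 5000 } } };
static const filter_t app2_all_udp  = { .owner = 2, .npreds = 1,     /* over-broad */
    .preds = { { 0, 1, 0xFF, 17 } } };
static const filter_t bad_size      = { .owner = 3, .npreds = 1,
    .preds = { { 0, 3, 0xFF, 17 } } };

static int demux_with(const filter_t *first, const filter_t *second,
                      const uint8_t *pkt, size_t len)
{
    filter_table_t t = { .count = 0 };
    filter_install(&t, first);
    if (second) filter_install(&t, second);
    return demux(&t, pkt, len);
}

/* Specific filter first: UDP/5000 reaches app 1.  Greedy filter first: app 2
 * silently takes app 1's packets, and the kernel cannot tell, which is why
 * installing filters has to be restricted to trusted code. */
int demo_specific_first(void) { return demux_with(&app1_udp_5000, &app2_all_udp, udp_5000, sizeof udp_5000); }
int demo_greedy_first(void)   { return demux_with(&app2_all_udp, &app1_udp_5000, udp_5000, sizeof udp_5000); }
int demo_tcp_unclaimed(void)  { return demux_with(&app1_udp_5000, &app2_all_udp, tcp_5000, sizeof tcp_5000); }
int demo_short_packet(void)   { return demux_with(&app1_udp_5000, NULL, udp_short, sizeof udp_short); }
int demo_reject_malformed(void) { filter_table_t t = { .count = 0 }; return filter_install(&t, &bad_size); }

int main(void)
{
    printf("specific first -> owner %d\n", demo_specific_first());
    printf("greedy first   -> owner %d\n", demo_greedy_first());
    printf("tcp / short / malformed -> %d %d %d\n",
           demo_tcp_unclaimed(), demo_short_packet(), demo_reject_malformed());
    return 0;
}
```

The install-time check only guarantees that the filter is safe to run (bounded, no out-of-bounds reads); whether it claims the right packets is a question the kernel cannot answer, exactly the limitation the notes flag.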
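As an added example for the visible revocation and abort protocol described above (not code from the paper or from Aegis): a simulated exchange between a toy kernel and three library-OS revocation handlers. The kernel asks for pages back, accepts only pages the application actually owns (it tracks ownership, so a bogus answer is ignored), and falls back to the abort protocol when the request is not satisfied. The page counts, the handler interface and all names are assumptions for illustration.

```c
/* Added example (not from the paper): visible revocation with abort fallback.
 * Page counts, handler interface and names are assumptions for illustration. */
#include <stdio.h>
#include <string.h>

#define NPAGES 8

typedef struct app app_t;
/* Library-OS handler: choose up to n pages to give back, write them to out,
 * return how many it chose. */
typedef unsigned (*revoke_fn)(app_t *a, unsigned n, int *out);

struct app {
    int owned[NPAGES];        /* kernel's ownership record for physical pages */
    int dirty[NPAGES];        /* library-OS bookkeeping: page holds unsaved state */
    int repossessed[NPAGES];  /* kernel record of pages taken by force */
    int aborted;              /* abort protocol ran against this application */
    revoke_fn on_revoke;
};

/* Cooperative library OS: surrenders clean pages first, then writes back dirty
 * ones before handing them over. Only the library OS knows which pages are
 * cheap to lose; that is the point of making revocation visible. */
static unsigned coop_handler(app_t *a, unsigned n, int *out)
{
    unsigned k = 0;
    for (int p = 0; p < NPAGES && k < n; p++)
        if (a->owned[p] && !a->dirty[p]) out[k++] = p;
    for (int p = 0; p < NPAGES && k < n; p++)
        if (a->owned[p] && a->dirty[p]) { a->dirty[p] = 0; out[k++] = p; }
    return k;
}

/* Library OS that never answers before the kernel's deadline. */
static unsigned silent_handler(app_t *a, unsigned n, int *out)
{
    (void)a; (void)n; (void)out;
    return 0;
}

/* Library OS that tries to "return" pages it never owned. */
static unsigned cheating_handler(app_t *a, unsigned n, int *out)
{
    (void)a;
    unsigned k = 0;
    for (int p = NPAGES - 1; p >= 0 && k < n; p--) out[k++] = p;
    return k;
}

/* Kernel side. 1: ask the application. 2: accept only pages it really owns.
 * 3: if the request is still unmet, run the abort protocol: seize pages,
 * break their bindings, and record what was taken so the library OS can
 * find out later what it lost. */
unsigned kernel_revoke(app_t *a, unsigned n)
{
    int chosen[NPAGES];
    if (n > NPAGES) n = NPAGES;
    unsigned got = a->on_revoke(a, n, chosen);
    unsigned freed = 0;
    for (unsigned i = 0; i < got && i < NPAGES && freed < n; i++) {
        int p = chosen[i];
        if (p < 0 || p >= NPAGES || !a->owned[p]) continue;   /* not yours: ignored */
        a->owned[p] = 0;
        freed++;
    }
    if (freed < n) {
        a->aborted = 1;
        for (int p = 0; p < NPAGES && freed < n; p++)
            if (a->owned[p]) { a->owned[p] = 0; a->repossessed[p] = 1; freed++; }
    }
    return freed;
}

/* Constructed starting state: the application owns pages 0..3, and pages 0
 * and 1 hold unsaved state. The kernel then asks for two pages back. */
static unsigned run_scenario(revoke_fn h, app_t *a)
{
    memset(a, 0, sizeof *a);
    for (int p = 0; p < 4; p++) a->owned[p] = 1;
    a->dirty[0] = a->dirty[1] = 1;
    a->on_revoke = h;
    return kernel_revoke(a, 2);
}

/* Dirty pages taken by force: state the library OS never got to save. */
static int lost_dirty(const app_t *a)
{
    int n = 0;
    for (int p = 0; p < NPAGES; p++) n += a->repossessed[p] && a->dirty[p];
    return n;
}

int demo_coop_freed(void)     { app_t a; return (int)run_scenario(coop_handler, &a); }
int demo_coop_aborted(void)   { app_t a; run_scenario(coop_handler, &a); return a.aborted; }
int demo_silent_aborted(void) { app_t a; run_scenario(silent_handler, &a); return a.aborted; }
int demo_silent_lost(void)    { app_t a; run_scenario(silent_handler, &a); return lost_dirty(&a); }
int demo_cheat_aborted(void)  { app_t a; run_scenario(cheating_handler, &a); return a.aborted; }
int demo_cheat_freed(void)    { app_t a; return (int)run_scenario(cheating_handler, &a); }

int main(void)
{
    printf("cooperative: freed %d, aborted %d\n", demo_coop_freed(), demo_coop_aborted());
    printf("silent:      aborted %d, dirty pages lost %d\n", demo_silent_aborted(), demo_silent_lost());
    printf("cheating:    aborted %d, freed anyway %d\n", demo_cheat_aborted(), demo_cheat_freed());
    return 0;
}
```

The cooperative handler keeps its dirty pages and gives up clean ones, so it loses nothing; the silent and cheating handlers both end up in the abort path, where the kernel takes the first pages it finds and the library OS loses unsaved state. The kernel never has to understand what the pages contain; it only enforces ownership and the deadline.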