1 / 30

Exokernel : An Operating System Architecture for Application-Level Resource Management

Exokernel : An Operating System Architecture for Application-Level Resource Management. Dawson Engler , Frans Kaashoek , James O’Toole MIT Laboratory for Computer Science. Function of Traditional Kernel. Provides abstraction(s) of the hardware Processes Virtual Memory File System

keon
Download Presentation

Exokernel : An Operating System Architecture for Application-Level Resource Management

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Exokernel: An Operating System Architecture for Application-Level Resource Management Dawson Engler, FransKaashoek, James O’Toole MIT Laboratory for Computer Science

  2. Function of Traditional Kernel • Provides abstraction(s) of the hardware • Processes • Virtual Memory • File System • Provides Protection • Hardware • Kernel Itself • Users From Each Other

  3. Motivation: A Database • I/O Abstraction: Cooked I/O • Operating System buffers I/O • Database Requirement • Cannot tell a Database user that transaction has committed until log pages have hit the surface of the disk • Database may need to sequence writes • Database better at predicting future I/O

  4. The Ever Shrinking Kernel • Linux Windows –VM,FS.. • MicroKernels – Fewer Abstractions: rm FS • Mach • L4 • Virtual Machines (VMM is between OS and hardware) -- Virtualization • DISCO • Xen • ExoKernel -- Multiplexing • Aegis • XOK

  5. Exokernel Architecture Environments Request Revoke

  6. Securely Expose Hardware • Hardware: • Disks, Physical Memory, TLB, Frame Buffer, Network Access • Less Tangible Resources: • CPU Time Slices • Interrupts, Exceptions, Cross Domain Calls • DMA • Privileged Instructions • Exokernel Exports (readonly): • Freelists, cached TLBentries, disk arm positions

  7. Exokernel Functions • Resource Allocation (Inter-environment) • Grant (or not) Resource Requests (Policy <- SysAd) • Process Release (Dealloc) Requests • Revoke Resources • Visible Revocation (May get to chose which to free) • Abort • Note: Usually some resources exempt: page table mem • Track Resource Ownership • Guard all resource usage or binding points

  8. Resource Allocation • Allocation (almost always explicit) • Alloc system call • Deallocation • Dealloc System Call • Visible Revocation • E.g.: Loss of the CPU when time slices expires: • Library OS must save required processor state • Abort Protocol • Break all existing secure bindings • Library OS gets a Repossession Exception – includes a Repossession Vector

  9. Secure Bindings • Break up protection into bind and access • Can be implemented in: • Hardware • TLB • Frame Buffer Ownership Tag • Software • STLB • Downloading Code into ExoKernel • Dynamic Packet Filter

  10. Examples • Physical Page • Bind: Get Exokernel to Load Mapping into TLB • Page allocation • Exokernel grants self-authenticating capability (R/W) • LibOS stores capability in Page Table • Passes Capability, Mapping on TLB write request • Access: LibOS/Application code uses TLB • Network Access • Bind: Download DPF (Dynamic Packet Filter) • Access: Exokernel Runs DPF on every incoming pkt • Sends packets to correct Environment

  11. m = malloc (3000); . . . emacs strcpy(m, “The Ever Shrinking Kernel”); Virtual Physical CAP Library OS 17 2 R only freelist Req Alloc 2 2 2 5 STLB v RW ExoKernel freelist Check 2 5 Miss TLB Hardware MIPs 0 1 2 3 4 5

  12. Downloading Code • Advantages: • Avoid Kernel Crossing • Executed when environment is not scheduled • Allowed because execution time is bounded • Specification • High Level Language • Individual DPF code can be merged • Safety by Language • C • Application Specific Handlers • Dynamic Message Vectoring • Message Initiation • Protection: SFI (Sandboxing), Infinite Loop??

  13. TLB Miss in Aegis • Aegis checks if mapping is in STLB. If so, load into TLB. • If the virtual address is one of the pinned pages, Aegis loads the mapping into the TLB. • Environment checks its page tables for segmentation fault. If not, use page tables to get physical page and associated capability. • Aegis checks the capability. If valid, loads mapping into TLB. • Control returned to the environment.

  14. Protected Control Transfer • Two Properties  Use Registers to Pass Msg • Operation is Atomic • No overwrite of environment-visible registers • Acall • Donate remainder of Current Timeslice • Scall • Donate all timeslices

  15. Micro benchmarks

  16. IPC Performance ExOS vs. Ultrix

  17. Performance Summary • Microbenchmarks: 10X • Cheetah web server (XOK) 8X

  18. Persistent Storage • Disk Block Shadowing • Disk Block tag • Low level metadata language • Untrusted Deterministic Function

  19. Persistent storage PhD Thesis emacs ExOS Library OS ExOS Library OS XOK crash Disk

  20. Conclusions • Microbenchmarks and #Kernel Crossings not critical • Power (E.g. downloaded code) is critical factor • Top Down vs. Bottom Up • Encourages Innovation • Writing an OS is like writing a compiler • Operating System is Untrusted • Untrusted Code Evolves Faster than Trusted

  21. …and Caveats • Hardware Specific: MIPs vs. 486 • Persistent Storage is Complex • MultiCPU and scaleability?? • Are all of the DISCO tricks available here??

  22. Additional References • Application Performance and Flexibility on Exokernel Systems, FransKaashoek, Dawson Engler, Gregory Ganger et al • Pdos.csail.mit.edu/exo/exo-slides/sld001.htm

  23. Overriding Abstractions • OS Extensions • How to override generic abstractions implemented in protected kernel, with better application specific abstractions in user space • Even if possible, won’t be efficient

More Related