Return-Path: iang@cs.berkeley.edu
Received: from hofmann.CS.Berkeley.EDU (hofmann.CS.Berkeley.EDU [128.32.35.123]) by orodruin.CS.Berkeley.EDU (8.7.Gamma.0/8.7.Gamma.0) with SMTP id OAA04989 for <gribble@orodruin.CS.Berkeley.EDU>; Sun, 21 Jul 1996 14:06:11 -0700 (PDT)
Received: from abraham.cs.berkeley.edu (abraham.CS.Berkeley.EDU [128.32.37.121]) by hofmann.CS.Berkeley.EDU (8.6.11/8.6.6.Beta11) with ESMTP id OAA17234 for <gribble@cs.berkeley.edu>; Sun, 21 Jul 1996 14:06:10 -0700
Received: (from iang@localhost) by abraham.cs.berkeley.edu (8.7.5/local) id OAA12249 for gribble@cs.berkeley.edu; Sun, 21 Jul 1996 14:06:07 -0700
From: Ian Goldberg <iang@cs.berkeley.edu>
Message-Id: <199607212106.OAA12249@abraham.cs.berkeley.edu>
Subject: Exokernel.html
To: gribble@cs.berkeley.edu
Date: Sun, 21 Jul 1996 14:06:04 -0700 (PDT)
X-Mailer: ELM [version 2.4 PL25]
Premail-Auth: Good signature from user "Ian Goldberg <iang@cs.berkeley.edu>".

<HTML><HEAD>
<BASE HREF="http://www.cs.berkeley.edu/~gribble/osprelims/summaries/exokernel.html">
<TITLE>Summary of Exokernel: An Operating System Architecture
for Application-Level Resource Management, Engler et al.</TITLE>
<LINK REV="made" HREF="mailto:iang@cs.berkeley.edu">
</HEAD>
<BODY>
<H1>Exokernel: An Operating System Architecture
for Application-Level Resource Management</H1>
<H2>Engler, Kaashoek, O'Toole</H2>
<H2>Overview</H2>
<UL><LI>move management of physical resources away from the kernel and
into untrusted user-level libraries
<LI>the kernel simply multiplexes resources
<LI>provides much more flexibility and opportunity for domain-specific
optimizations
<LI>separate protection from management; e.g. protect framebuffers
without understanding windowing systems, protect disks without
understanding filesystems
</UL>
<H2>Design</H2>
An exokernel must
<UL><LI>track ownership of resources
<LI>ensure protection by guarding all resource usage or binding points
<LI>revoke access to resources when necessary
</UL>

<H3>Secure bindings</H3>
<UL><LI>preform authorization only at bind time
<LI>can do this with hardware (e.g. ownership tags on pixels in
framebuffer), software caching (e.g. software TLB), or downloading
code into the kernel (e.g. packet filters)
</UL>

<H3>Visible resource revokation</H3>
<UL><LI>inform an application if some resource (e.g. CPU, memory)
is about to be taken away
<LI>the application knows better than the kernel which page it is least
likely to use
<LI>the application can also track its resource usage so that it can,
for example, manage threads (switch threads when one blocks on a page
fault)
</UL>

<H3>Abort protocol</H3>
<UL><LI>if the application in uncooperative in releasing a resource, the
kernel breaks the secure bindings to the resource and sends an exception
to the application
<LI>an application can keep a handful of "vital" resources (e.g. memory
pages) that the kernel will not take by force, unless absolutely
necessary
</UL>
<P>
The paper gives the example of Aegis, a sample exokernel.  It shows that
exokernels can be implemented very efficiently.

<H2>Library Operating Systems</H2>
ExOS is a library operating system that sits on top of Aegis.  By
obviating the need to trap to the kernel in order to do some tasks, like
IPC, it achieves performance considerably better than Ultrix and other
research operating systems.
<P>
<H3>ASHs</H3>
Library operating systems can install application-specific safe handlers
(ASHs) into the kernel.  These are pieces of code that are examined and
sandboxed to make sure they are safe, and that execute on certain
asynchronous events (such as packet arrival).  An ASH executes in the
kernel's context, so it does not need to wait until some particular
process gets a time slice.  It can copy data directly into user memory
(to save on multiple copies), and initiate messages (for low-latency
replies), as well as perform general computation.
</BODY>
<!-- SOME LINK HREF'S ON THIS PAGE HAVE BEEN REWRITTEN BY THE WAYBACK MACHINE
OF THE INTERNET ARCHIVE IN ORDER TO PRESERVE THE TEMPORAL INTEGRITY OF THE SESSION. -->


<SCRIPT language="Javascript">
<!--

// FILE ARCHIVED ON 20010702141715 AND RETRIEVED FROM THE
// INTERNET ARCHIVE ON 20020425171212.
// JAVASCRIPT APPENDED BY WAYBACK MACHINE, COPYRIGHT INTERNET ARCHIVE.
// ALL OTHER CONTENT MAY ALSO BE PROTECTED BY COPYRIGHT (17 U.S.C.
// SECTION 108(a)(3)).

   var sWayBackCGI = "http://web.archive.org/web/20010702141715/";

   function xLateUrl(aCollection, sProp) {
      var i = 0;
      for(i = 0; i < aCollection.length; i++)
         if (aCollection[i][sProp].indexOf("mailto:") == -1 &&
             aCollection[i][sProp].indexOf("javascript:") == -1)
            aCollection[i][sProp] = sWayBackCGI + aCollection[i][sProp];
   }

   if (document.links)  xLateUrl(document.links, "href");
   if (document.images) xLateUrl(document.images, "src");
   if (document.embeds) xLateUrl(document.embeds, "src");

   if (document.body && document.body.background)
      document.body.background = sWayBackCGI + document.body.background;

//-->
</SCRIPT>

</HTML>