EXTENSIBILITY, SAFETY AND PERFORMANCE IN THE SPIN OPERATING SYSTEM B. Bershad, S. Savage, P. Pardyak, E. G. Sirer, D. Becker, M. Fiuczynski, C. Chambers,


EXTENSIBILITY, SAFETY AND PERFORMANCE IN THE SPIN OPERATING SYSTEM
B. Bershad, S. Savage, P. Pardyak, E. G. Sirer, D. Becker, M. Fiuczynski, C. Chambers, S. Eggers
U. of Washington

Goals
To provide kernel extensibility
  – Without compromising kernel safety
      – Unlike Windows
  – Without compromising kernel performance
      – Unlike micro-kernel based systems
Extensibility here means adding new features to the kernel, not just installing device drivers

Four basic techniques
Co-location of extensions in kernel address space
Enforced modularity through use of Modula-3, which enforces interface boundaries between modules
Logical protection domains: kernel namespaces that contain code and exported interfaces
Dynamic binding

System overview
Set of extension services and a core system
Primarily written in Modula-3
Does not require applications to be written in any specific language
  – Used SPIN to implement a UNIX OS server
      – Bulk of server is written in C and runs within its own address space

Extensions
Can be loaded into the kernel at any time
  – Think of plug and play
Have used extensions to implement specialized versions of SPIN
  – Client/server video system

Client/server video system
Built SPIN extensions for a video service
  – Server extension provides direct in-kernel path from disk to network
  – Client extension decompresses incoming video packets and sends them to the video frame buffer

Motivation
Most OSes balance generality and specialization
  – Can tailor OS for specific applications
  – Not without degrading performance of other applications
Both Windows and [old] MacOS allow application programmers to modify data structures and code
  – Makes system less stable and less secure

Current state of the art
[Table: UNIX, Mach and Windows compared on three properties: safe, fast, extensible]

Previous Work
Hydra:
  – Allowed applications to manage resources through multi-level policies
  – Used a weighty capability-based protection mechanism

Previous Work (continued)
Microkernels:
  – Very extensible (in user space)
  – High communication overhead of cross-domain calls
      – Nearly 100 times cost of regular procedure call
      – Acceptable only for coarse-grained services

Previous Work (continued)
Write extensions in “little languages”
  – Allows extensions written in these languages to be added into the kernel
  – Extension code is interpreted by kernel at run time
      – Limited scope of language limits usefulness of approach

Previous Work (continued)
Use software-fault isolation techniques
  – Allows collocation of extensions in kernel address space
  – Extensions can be written in any language
  – Uses a binary tool that inserts explicit checks around memory references and branch instructions
  – Not yet proven

Previous Work (continued)
Aegis
  – Had an efficient trap redirection mechanism
  – Implemented OS services as libraries executing in an application address space
Pilot et al.
  – Relied on language features to provide protection inside a shared address space

SPIN Architecture
Provides a software infrastructure for safety
  – Protection model supports efficient fine-grained access control of resources
  – Extension model allows extensions to be defined at the granularity of a procedure call
Makes few demands on the hardware
  – Relies on language to enforce safety

Modula-3
Supports interfaces
  – They declare visible parts of an implementation module: all other definitions are hidden
  – Restriction is enforced at compile-time
Is type-safe:
  – Restriction is enforced through type-specific pointers, checks on array indexes and automatic storage management

Protection Model (I)
All kernel resources are referenced by capabilities [tickets]
SPIN implements capabilities directly through the use of pointers
Compiler prevents pointers from being forged or dereferenced in a way inconsistent with their type, at compile time:
  – No run time overhead for using a pointer

Protection Model (II)
A pointer can be passed to a user-level application through an externalized reference:
  – Index into a per-application table of safe references to kernel data structures
Protection domains define the set of names accessible to a given execution context
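The externalized-reference slide above, as an added C sketch that is not SPIN's own code (SPIN is written in Modula-3): the application only ever holds an index, and the kernel side validates it before use. The object kinds, table size and the kind check on lookup are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical object kinds and table layout for illustration; not SPIN's own. */
enum kind { K_PAGE = 1, K_THREAD };
struct kobj { enum kind kind; int payload; };

#define MAX_REFS 8
struct ref_table { struct kobj *slot[MAX_REFS]; };   /* one per application */

/* Externalize: keep the kernel pointer in the table, give the app an index. */
int externalize(struct ref_table *t, struct kobj *o) {
    for (int i = 0; i < MAX_REFS; i++)
        if (t->slot[i] == NULL) { t->slot[i] = o; return i; }
    return -1;                                       /* table full */
}

/* Internalize: turn an untrusted index back into a typed kernel pointer.
   Out-of-range indexes, empty slots and kind mismatches all yield NULL. */
struct kobj *internalize(const struct ref_table *t, long idx, enum kind want) {
    if (idx < 0 || idx >= MAX_REFS) return NULL;
    struct kobj *o = t->slot[idx];
    return (o != NULL && o->kind == want) ? o : NULL;
}

/* Revoke: the index stops resolving; the kernel object itself is untouched. */
void revoke(struct ref_table *t, long idx) {
    if (idx >= 0 && idx < MAX_REFS) t->slot[idx] = NULL;
}

/* Constructed scenario: two applications, one page object known only to app A.
   Returns a bitmask with one bit per check that behaved as expected. */
int selftest(void) {
    struct ref_table a = {{0}}, b = {{0}};
    struct kobj page = { K_PAGE, 42 };
    int h = externalize(&a, &page), ok = 0;
    if (internalize(&a, h, K_PAGE) == &page)   ok |= 1;  /* valid use */
    if (internalize(&b, h, K_PAGE) == NULL)    ok |= 2;  /* other app's table */
    if (internalize(&a, h, K_THREAD) == NULL)  ok |= 4;  /* wrong kind */
    if (internalize(&a, 1L << 20, K_PAGE) == NULL &&
        internalize(&a, -1, K_PAGE) == NULL)   ok |= 8;  /* forged index */
    revoke(&a, h);
    if (internalize(&a, h, K_PAGE) == NULL)    ok |= 16; /* after revoke */
    return ok;
}

int main(void) { printf("checks passed: 0x%x\n", selftest()); return 0; }
```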

Operations on domains (I)
Create: initializes a domain with the contents of a safe object file
Resolve: resolves any unresolved symbols in a target domain against symbols exported from a source domain
[Figure: target has A unresolved; source exports A]

Operations on domains (II)
Combine: creates linkable namespaces that are the union of existing domains
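The three domain operations from the two slides above, as an added C model that is not SPIN's own code: an extension can bind only to names exported by a domain it has been resolved against, and anything else stays unresolved. The struct layout and the interface names (`VM.PageAlloc`, `Net.Send`, `Sched.SetPriority`) are hypothetical.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical model of a domain; names and layout are not SPIN's own. */
#define MAX_SYMS 8
struct sym { const char *name; int (*addr)(int); };   /* addr == NULL: unresolved */
struct domain { struct sym exp[MAX_SYMS], imp[MAX_SYMS]; int n_exp, n_imp; };

/* Create: build a domain from an object file's export and import lists. */
struct domain create(const struct sym *exp, int n_exp, const char **imp, int n_imp) {
    struct domain d = {0};
    for (int i = 0; i < n_exp && i < MAX_SYMS; i++) d.exp[d.n_exp++] = exp[i];
    for (int i = 0; i < n_imp && i < MAX_SYMS; i++) d.imp[d.n_imp++].name = imp[i];
    return d;
}

/* Resolve: bind the target's unresolved imports against the source's exports.
   Returns how many of the target's imports are still unresolved. */
int resolve(struct domain *target, const struct domain *source) {
    int left = 0;
    for (int i = 0; i < target->n_imp; i++) {
        struct sym *s = &target->imp[i];
        for (int j = 0; s->addr == NULL && j < source->n_exp; j++)
            if (strcmp(s->name, source->exp[j].name) == 0) s->addr = source->exp[j].addr;
        if (s->addr == NULL) left++;
    }
    return left;
}

/* Combine: a new linkable namespace exporting the union of both domains. */
struct domain combine(const struct domain *a, const struct domain *b) {
    struct domain d = create(a->exp, a->n_exp, NULL, 0);
    for (int j = 0; j < b->n_exp && d.n_exp < MAX_SYMS; j++) d.exp[d.n_exp++] = b->exp[j];
    return d;
}

static int page_alloc(int n) { return n * 2; }
static int net_send(int n) { return n + 1; }
/* Constructed scenario: unresolved count after each step, packed as two digits. */
int scenario(void) {
    struct sym vm_exp[] = {{"VM.PageAlloc", page_alloc}}, net_exp[] = {{"Net.Send", net_send}};
    const char *want[] = {"VM.PageAlloc", "Net.Send", "Sched.SetPriority"};
    struct domain vm = create(vm_exp, 1, NULL, 0), net = create(net_exp, 1, NULL, 0);
    struct domain ext = create(NULL, 0, want, 3), both = combine(&vm, &net);
    int after_vm = resolve(&ext, &vm);      /* 2 left: only VM.PageAlloc bound */
    int after_both = resolve(&ext, &both);  /* 1 left: Sched.SetPriority never exported */
    return after_vm * 10 + after_both;
}

int main(void) { printf("unresolved after vm/both: %d\n", scenario()); return 0; }
```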

The extension model
SPIN extension model
  – Provides a controlled communication facility between extensions and base system
  – Allows for a variety of communication styles
      – Extensions can passively monitor the system, offer hints or even entirely replace a system service

Performance
SPIN offers the option of protected in-kernel calls that are much cheaper than a system call
SPIN has lower virtual memory operation overhead than other OSes:
  – SPIN uses kernel extensions to define application-specific system calls

Conclusions
Can combine extensibility, safety and performance in a single system
Static type-checking mechanisms, implemented through the Modula-3 compiler, make this possible