Paper by Engler, Kaashoek, O’Toole
Presentation by Charles Haiber




Exokernels
•
•
• Overview vs. traditional kernels
Library Operating Systems
Design Principals
 Secure Bindings
 Visible Resource Revocation
 Abort Protocol
Testing
• Hypothesizes
• Results/Conclusion
Is it secure?


The main goal of an exokernel:
• The separation of protection from management

Instead of emulating hardware resources, it exports them directly to the applications

In addition to the exokernel, a “Library
OS” can act as an abstraction layer between hardware and application


Fixed, high-level abstractions, provided by kernels to enable as many types of applications to run on the system, tend to have a very high cost in system resources
•
•
• Hurts the performance of applications
Hides information from applications
Limits the functionality of applications


Exokernels exist as a thin layer on top of the hardware that multiplexes and exports physical resources securely

The idea is that an application will better know how it wants to manage it’s resources than a monolithic kernel or microkernel



Multiple Library Operating Systems can exist
Exist to provide specialized abstractions
• One OS might cater specifically to networking

Library OS are not trusted by the exokernel
• They are free to trust the applications
• They run on the application level themselves

Allow applications to be ran on any hardware


Securely expose hardware
• Avoid hardware management, except when required for the protection of the system



Expose allocation to Library OS
Expose names of physical resources
Expose revocation protocol


Secure Bindings

• Allows applications to securely bind themselves to resources
Visible Resource Revocation

• Applications participate in a resource revocation protocol
Abort Protocol
• The exokernel can forcibly break secure bindings of uncooperative applications


Protection mechanism that separates authorization from the use of a resource
•
• Authorization only checked at bind time
Applications responsible for resources with complex hardware semantics (networks, file systems, etc.)

• This frees up the exokernel to perform access checks at access time
Allows the kernel to protect hardware resources without needing to understand them


Traditionally, resource revocation is invisible to applications in monolithic and micro-kernels

By exposing resource revocation, the exokernel allows applications and
Library OSs to monitor resource usage and act accordingly


Allows the exokernel to retrieve resources from a Library OS that is not responding to revocation requests
• Revocation request – “Please return a memory page”

• Revocation imperative – “Return a memory page within 50 microseconds”
Secure binding is broken, and the Library
OS sent a repossession exception


Aegis – an experimental exokernel

• Exports the processor, physical memory, exceptions, interrupts, and network resources
ExOS – an experimental Library OS

• Provides processes, virtual memory, user-level exceptions, interprocess abstractions, and several network protocols
Ultrix is a mature monolithic Unix-based
OS


Exokernels are very efficient

Low-level, secure multiplexing can be efficient

Traditional OS abstractions can be implemented efficiently at application level

Applications can create special-purpose implementations of these abstractions

• Both Aegis and Ultrix ran on the same hardware

No overhead added to procedure calls

Exception dispatch about 100x faster in
Aegis

ExOS’s implementation of pipes about
100x faster


All four hypothesizes were proven to be correct when compared to Ultrix

Results show that the exokernel design is well suited as a high-performance, extensible OS. Additionally, previous research found that applications benefit greatly from specialized abstractions, and ExOS backed those conclusions up as well


Total mediation: NO

• OS does very little resource management and only authorizes resource usage at bind time
Trustworthy: YES

• Only the exokernel is part of the TCB, with the
Library OSs being ran at application level
Verifiable: YES
• Kernel is extremely small, with only two goals:
 Present hardware resources
 Do so securely




Exokernel: An Operating System Architecture for
Application-Level Resource Management
• Dawson R. Engler, M. Frans Kaashoek, and James O’Toole Jr.,
M.I.T. Laboratory for Computer Science
The Operating System Kernel as a Secure
Programmable Machine
• Dawson R. Engler, M. Frans Kaashoek, and James O'Toole Jr.,
M.I.T. Laboratory for Computer Science
The case for application-specific operating systems.
• Thomas E. Anderson, Division of Computer Science, University of California at Berkeley