Paper by Engler, Kaashoek, O’Toole
Presentation by Charles Haiber
Exokernels
•
•
• Overview vs. traditional kernels
Library Operating Systems
Design Principals
Secure Bindings
Visible Resource Revocation
Abort Protocol
Testing
• Hypothesizes
• Results/Conclusion
Is it secure?
The main goal of an exokernel:
• The separation of protection from management
Instead of emulating hardware resources, it exports them directly to the applications
In addition to the exokernel, a “Library
OS” can act as an abstraction layer between hardware and application
Fixed, high-level abstractions, provided by kernels to enable as many types of applications to run on the system, tend to have a very high cost in system resources
•
•
• Hurts the performance of applications
Hides information from applications
Limits the functionality of applications
Exokernels exist as a thin layer on top of the hardware that multiplexes and exports physical resources securely
The idea is that an application will better know how it wants to manage it’s resources than a monolithic kernel or microkernel
Multiple Library Operating Systems can exist
Exist to provide specialized abstractions
• One OS might cater specifically to networking
Library OS are not trusted by the exokernel
• They are free to trust the applications
• They run on the application level themselves
Allow applications to be ran on any hardware
Securely expose hardware
• Avoid hardware management, except when required for the protection of the system
Expose allocation to Library OS
Expose names of physical resources
Expose revocation protocol
Secure Bindings
• Allows applications to securely bind themselves to resources
Visible Resource Revocation
• Applications participate in a resource revocation protocol
Abort Protocol
• The exokernel can forcibly break secure bindings of uncooperative applications
Protection mechanism that separates authorization from the use of a resource
•
• Authorization only checked at bind time
Applications responsible for resources with complex hardware semantics (networks, file systems, etc.)
• This frees up the exokernel to perform access checks at access time
Allows the kernel to protect hardware resources without needing to understand them
Traditionally, resource revocation is invisible to applications in monolithic and micro-kernels
By exposing resource revocation, the exokernel allows applications and
Library OSs to monitor resource usage and act accordingly
Allows the exokernel to retrieve resources from a Library OS that is not responding to revocation requests
• Revocation request – “Please return a memory page”
• Revocation imperative – “Return a memory page within 50 microseconds”
Secure binding is broken, and the Library
OS sent a repossession exception
Aegis – an experimental exokernel
• Exports the processor, physical memory, exceptions, interrupts, and network resources
ExOS – an experimental Library OS
• Provides processes, virtual memory, user-level exceptions, interprocess abstractions, and several network protocols
Ultrix is a mature monolithic Unix-based
OS
Exokernels are very efficient
Low-level, secure multiplexing can be efficient
Traditional OS abstractions can be implemented efficiently at application level
Applications can create special-purpose implementations of these abstractions
• Both Aegis and Ultrix ran on the same hardware
No overhead added to procedure calls
Exception dispatch about 100x faster in
Aegis
ExOS’s implementation of pipes about
100x faster
All four hypothesizes were proven to be correct when compared to Ultrix
Results show that the exokernel design is well suited as a high-performance, extensible OS. Additionally, previous research found that applications benefit greatly from specialized abstractions, and ExOS backed those conclusions up as well
Total mediation: NO
• OS does very little resource management and only authorizes resource usage at bind time
Trustworthy: YES
• Only the exokernel is part of the TCB, with the
Library OSs being ran at application level
Verifiable: YES
• Kernel is extremely small, with only two goals:
Present hardware resources
Do so securely
Exokernel: An Operating System Architecture for
Application-Level Resource Management
• Dawson R. Engler, M. Frans Kaashoek, and James O’Toole Jr.,
M.I.T. Laboratory for Computer Science
The Operating System Kernel as a Secure
Programmable Machine
• Dawson R. Engler, M. Frans Kaashoek, and James O'Toole Jr.,
M.I.T. Laboratory for Computer Science
The case for application-specific operating systems.
• Thomas E. Anderson, Division of Computer Science, University of California at Berkeley