
Exokernel: An Operating System Architecture for Application-Level Resource Management

Dawson R. Engler, M. Frans Kaashoek, and James O'Toole Jr.
M.I.T. Laboratory for Computer Science, Cambridge, MA 02139, U.S.A.
{engler, kaashoek, james}@lcs.mit.edu

Traditional operating systems limit the performance, flexibility, and functionality of applications by fixing the interface and implementation of operating system abstractions such as interprocess communication and virtual memory. The exokernel operating system architecture addresses this problem by providing application-level management of physical resources. In the exokernel architecture, a small kernel securely exports all hardware resources through a low-level interface to untrusted library operating systems. Library operating systems use this interface to implement system objects and policies. This separation of resource protection from management allows application-specific customization of traditional operating system abstractions by extending, specializing, or even replacing libraries.

We have implemented a prototype exokernel operating system. Measurements show that most primitive kernel operations (such as exception handling and protected control transfer) are ten to 100 times faster than in Ultrix, a mature monolithic UNIX operating system. In addition, we demonstrate that an exokernel allows applications to control machine resources in ways not possible in traditional operating systems. For instance, virtual memory and interprocess communication abstractions are implemented entirely within an application-level library. Measurements show that application-level virtual memory and interprocess communication primitives are five to 40 times faster than Ultrix's kernel primitives. Compared to state-of-the-art implementations from the literature, the prototype exokernel system is at least five times faster on operations such as exception dispatching and interprocess communication.

Operating systems define the interface between applications and physical resources. Unfortunately, this interface can significantly limit the performance and implementation freedom of applications. Traditionally, operating systems hide information about machine resources behind high-level abstractions such as processes, files, address spaces and interprocess communication. These abstractions define a virtual machine on which applications execute; their implementation cannot be replaced or modified by untrusted applications. Hardcoding the implementations of these abstractions is inappropriate for three main reasons: it denies applications the advantages of domain-specific optimizations, it discourages changes to the implementations of existing abstractions, and it restricts the flexibility of application builders, since new abstractions can only be added by awkward emulation on top of existing ones (if they can be added at all).

This research was supported in part by the Advanced Research Projects Agency under contract N00014-94-1-0985 and by a NSF National Young Investigator Award.

Copyright © 1995 by the Association for Computing Machinery, Inc. Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that new copies bear this notice and the full citation on the first page. Copyrights for components of this WORK owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request Permissions from Publications Dept, ACM Inc., Fax +1 (212) 869-0481, or permissions@acm.org.

We believe these problems can be solved through application-level (i.e., untrusted) resource management. To this end, we have designed a new operating system architecture, exokernel, in which traditional operating system abstractions, such as virtual memory (VM) and interprocess communication (IPC), are implemented entirely at application level by untrusted software. In this architecture, a minimal kernel, which we call an exokernel, securely multiplexes available hardware resources. Library operating systems, working above the exokernel interface, implement higher-level abstractions. Application writers select libraries or implement their own. New implementations of library operating systems are incorporated by simply relinking application executables.

Substantial evidence exists that applications can benefit greatly from having more control over how machine resources are used to implement higher-level abstractions. Appel and Li [5] reported that the high cost of general-purpose virtual memory primitives reduces the performance of persistent stores, garbage collectors, and distributed shared memory systems. Cao et al. [10] reported that application-level control over file caching can reduce application running time by 45%. Harty and Cheriton [26] and Krueger et al. [30] showed how application-specific virtual memory policies can increase application performance. Stonebraker [47] argued that inappropriate file-system implementation decisions can have a dramatic impact on the performance of databases. Thekkath and Levy [50] demonstrated that exceptions can be made an order of magnitude faster by deferring signal handling to applications.

To provide applications control over machine resources, an exokernel defines a low-level interface. The exokernel architecture is founded on and motivated by a single, simple, and old observation: the lower the level of a primitive, the more efficiently it can be implemented, and the more latitude it grants to implementors of higher-level abstractions.

To provide an interface that is as low-level as possible (ideally, just the hardware interface), an exokernel designer has a single overriding goal: to separate protection from management. For instance, an exokernel should protect framebuffers without understanding windowing systems and disks without understanding file systems. One approach is to give each application its own virtual machine [17]. As we discuss in Section 8, virtual machines can have severe performance penalties. Therefore, an exokernel uses a different approach: it exports hardware resources rather than emulating them, which allows an efficient and simple implementation. An exokernel employs three techniques to export resources securely. First, by using secure bindings, applications can securely bind to machine resources and handle events. Second, by using visible re Appears in
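The separation of protection from management described above, as a toy model in C. This is an added example, not code from the paper or its prototype; every function name and the page-ownership table are assumptions made for illustration. The kernel half only records and checks who owns each physical page, while two interchangeable library policies decide which page to use.

```c
/* Toy model of "protection in the kernel, management in the library".
 * Hypothetical names throughout; not code from the exokernel prototype. */
#include <stdio.h>

#define NPAGES 8
#define NENVS  2
#define NVPN   16

/* ---- kernel side: tracks ownership and checks it, nothing more ---- */
static int owner[NPAGES];        /* 0 = free, otherwise env id + 1 */
static int pte[NENVS][NVPN];     /* 0 = unmapped, otherwise ppn + 1 */

static int bad(int env, int ppn) {
    return env < 0 || env >= NENVS || ppn < 0 || ppn >= NPAGES;
}
/* The caller names the physical page; the kernel picks nothing. */
int k_alloc(int env, int ppn) {
    if (bad(env, ppn) || owner[ppn] != 0) return -1;
    owner[ppn] = env + 1;
    return 0;
}
/* Binding check: env may map ppn only if it owns ppn. */
int k_map(int env, int vpn, int ppn) {
    if (bad(env, ppn) || vpn < 0 || vpn >= NVPN) return -1;
    if (owner[ppn] != env + 1) return -1;
    pte[env][vpn] = ppn + 1;
    return 0;
}
int k_lookup(int env, int vpn) {
    if (env < 0 || env >= NENVS || vpn < 0 || vpn >= NVPN) return -1;
    return pte[env][vpn] - 1;    /* -1 when unmapped */
}

/* ---- library OS side: untrusted, one policy per application ---- */
int libos_lowest_first(int env, int vpn) {
    for (int p = 0; p < NPAGES; p++)
        if (k_alloc(env, p) == 0) return k_map(env, vpn, p) == 0 ? p : -1;
    return -1;
}
int libos_highest_first(int env, int vpn) {
    for (int p = NPAGES - 1; p >= 0; p--)
        if (k_alloc(env, p) == 0) return k_map(env, vpn, p) == 0 ? p : -1;
    return -1;
}

int main(void) {
    int a = libos_lowest_first(0, 3);    /* env 0's library chooses page 0 */
    int b = libos_highest_first(1, 3);   /* env 1's library chooses page 7 */
    printf("env0 -> %d, env1 -> %d\n", a, b);
    printf("env1 mapping env0's page: %d\n", k_map(1, 4, a));  /* refused */
    return 0;
}
```

Swapping the allocation policy changes only the library functions; the kernel checks that enforce isolation between the two environments stay the same.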



UW-Madison CS 736 - Exokernel - An Operating System Architecture for Application-Level Resource Management
