EXTENSIBILITY, SAFETY AND PERFORMANCE IN THE SPIN OPERATING SYSTEMGoalsFour basic techniquesSystem overviewExtensionsClient/server video systemMotivationCurrent state of the artPrevious WorkPrevious Work (continued)Slide 11Slide 12Slide 13SPIN ArchitectureModula-3Protection Model (I)Protection Model (II)Operations on domains (I)Operations on domains (II)The extension modelPerformanceConclusionsEXTENSIBILITY, SAFETY AND PERFORMANCE IN THE SPIN OPERATING SYSTEM B. Bershad , S. Savage, P. Pardyak ,E. G. Sirer, D. Becker, M. Fiuczynski,C. Chambers, S. Eggers U. of WashingtonGoals•To provide kernel extensibility –Without compromising kernel safety •Unlike Windows–Without compromising kernel performance•Unlike micro-kernel based systemsExtensibility means here adding new features to the kernel , not just installing device driversFour basic techniques•Co-location of extensions in kernel address space•Enforced modularity through use of Modula-3, which enforces interface boundaries between modules•Logical protection domains: kernel namespaces that contain code and exported interfaces•Dynamic bindingSystem overview•Set of extension services and a core system•Primarily written in Modula-3•Does not require applications to be written in any specific language–Used SPIN to implement a UNIX OS server•Bulk of server is written in C and runs within its own address spaceExtensions•Can be loaded into the kernel at any time–Think of plug and play•Have used extensions to implement specialized versions of SPIN–Client/server video systemClient/server video system•Built SPIN extensions for a video service–Server extension provides direct in kernel path from disk to network–Client extension decompresses incoming video packets and sends them to the video frame bufferMotivation•Most OS balance generality and specialization–Can tailor OS for specific applications–Not without degrading performance of other applications•Both Windows and [old] MacOS allow application programmers to modify data structures and code–Makes system less stable and less secureCurrent state of the artUNIXMachWindowssafe fastextensiblePrevious Work•Hydra:–Allowed applications to manage resources through multi-level policies–Used a weighty capability-based protection mechanismPrevious Work (continued)•Microkernels:–Very extensible (in user space)–High communication overhead of cross-domain calls•Nearly 100 times cost of regular procedure call•Acceptable only for coarse-grained servicesPrevious Work (continued)• Write extensions in “little languages”–Allows extensions written in these languages to be added into the kernel–Extension code is interpreted by kernel at run time•Limited scope of language limits usefulness of approachPrevious Work (continued)• Use software-fault isolation techniques–Allows collocation of extensions in kernel address space–Extensions can be written in any language–Uses a binary tool that inserts explicit checks around memory references and branch instructions–Not yet provenPrevious Work (continued)•Aegis– Had an efficient trap redirection mechanism–Implemented OS services as libraries executing in an application address space•Pilot et al.–Relied on language features to provide protection inside a shared address spaceSPIN Architecture•Provides a software infrastructure for safety–Protection model supports efficient fine-grained access control of resources–Extension model allows extensions to be defined at the granularity of a procedure call•Makes few demands on the hardware–Relies on language to enforce safetyModula-3•Supports interfaces–They declare visible parts of an implementation module: all other definitions are hidden–Restriction is enforced at compile-time•Is type-safe:–Restriction is enforced through type-specific pointers, checks on array indexes and automatic storage managementProtection Model (I)•All kernel resources are referenced by capabilities [tickets]•SPIN implements capabilities directly through the use of pointers•Compiler prevents pointers to be forged or dereferenced in a way inconsistent with its type at compile time: –No run time overhead for using a pointerProtection Model (II)•A pointer can be passed to a user-level application through an externalized reference:–Index into a per-application table of safe references to kernel data structures•Protection domains define the set of names accessible to a given execution contextOperations on domains (I)•Create: initializes a domain with the contnst of a safe object file•Resolve: resolves any unresolved symbols in a target domain against symbols exported from a source domainTarget has A unresolved Source exports AOperations on domains (II)•Combine: creates linkable namespaces that are the union of existing domainsThe extension model•SPIN extension model –Provides a controlled communication facility between extensions and base system–Allows for a variety of communication styles•Extensions can passively monitor the system, offer hints or even entirely replace a system servicePerformance•SPIN offers the option of protected in-kernel calls that are much cheaper than a system call•SPIN has lower virtual memory operation overhead than other OSes:–SPIN uses kernel extensions to define application-specific system callsConclusions•Can combine extensibility, safety and performance in a single system• Static type-checking mechanisms, implemented through the Modula-3 compiler, make this