OS Structures Exokernel - PowerPoint PPT Presentation

Slides: 19
Provided by: compu62
Transcript and Presenter's Notes


1
OS Structures - Exokernel
2
Exokernel
3
Exokernel approach
  • Separate protection from management
  • Export hardware resources securely
  • Secure binding
  • Visible resource revocation
  • Abort protocol

4
Exokernel design
5
Exokernel tasks
  • Track ownership
  • Guard all resources through bind points
  • Revoke access to resources

6
Design principle
  • Expose hardware (securely)
  • Expose allocation
  • Expose names
  • Expose revocation

7
Secure binding
  • Decouples authorization from use
  • Allows kernel to protect resources without understanding their semantics
  • Example: TLB entry
      • Virtual to physical mapping performed in the library (above exokernel)
      • Binding loaded into the kernel, used multiple times
  • Example: packet filter
      • Predicates loaded into the kernel
      • Checked on each packet arrival

8
Implementing secure bindings
  • Hardware mechanisms
      • Capability for physical pages of a file
      • Frame buffer regions (SGI)
  • Software caching
      • Exokernel: large software TLB overlaying the hardware TLB
  • Downloading code into kernel
      • Avoid expensive boundary crossings
      • Similar to the SPIN idea

9
Examples of secure binding
  • Physical memory allocation (hardware supported binding)
      • Library allocates physical page
      • Exokernel records the allocator and the permissions and returns a capability (an encrypted cipher)
      • Every access to this page by the library requires this capability
  • Page fault
      • Kernel fields it
      • Kicks it up to the library
      • Library allocates a page and gets an encrypted capability
      • Library calls the kernel to enter a particular translation into the TLB by presenting the capability

10
  • Download code into kernel to establish secure binding
      • Packet filter for demultiplexing network packets
      • Exactly similar to SPIN
  • How to ensure authenticity?
      • Only trusted servers (library OS) can download code into the kernel
  • Other use of downloaded code
      • Execute code on behalf of an app that is not currently scheduled
      • E.g. application handler for garbage collection could be installed in the kernel

11
Visible resource revocation
  • Most resources are visibly revoked
      • E.g. processor, physical page
  • Library can then perform necessary action before relinquishing the resource
      • E.g. needed state saving for a processor
      • E.g. update of page table

12
Abort protocol
  • Repossession exception passed to the library OS
  • Repossession vector
      • Gives info to the library OS as to what was repossessed so that corrective action can be taken
      • Library OS can seed the vector to enable exokernel to autosave (e.g. disk blocks to which a physical page being repossessed should be written)

13
Aegis: an exokernel
14
Aegis processor time slice
  • Linear vector of time slots
      • Round robin
      • An application can mark its position in the vector for scheduling
  • Timer interrupt
      • Beginning and end of time slices
      • Control transferred to library specified handler for actual saving/restoring
  • Time to save/restore is bounded
      • Penalty? Loss of a time slice next time!

15
Aegis processor environments
  • Exception context
      • Program generated
  • Interrupt context
      • External, e.g. timer
  • Protected entry context
      • Cross domain calls
  • Addressing context
      • Guaranteed mappings implemented by software TLB mimicking the library OS page table

16
Aegis performance
17
Aegis - Address translation
  • On TLB miss
      • Kernel installs the hardware TLB entry from the software TLB for guaranteed mappings
      • Otherwise application handler called
      • Application establishes mapping
      • TLB entry with associated capability presented to the kernel
      • Kernel installs and resumes execution of the application
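
The secure-binding flow from slides 9, 12 and 17, as an added C example that is not part of the original slides and is not Aegis code. The function names, table sizes and environment ids are assumptions, and `mint` is a toy stand-in for the kernel's unforgeable capability, not a cryptographic construction.

```c
#include <stdint.h>

#define NPAGES 8   /* physical pages in this constructed toy machine */
#define NTLB   4   /* hardware TLB slots */

typedef struct { int owner; uint64_t cap; } page_t;       /* owner 0 = free */
typedef struct { int valid, env, ppage; uint32_t vpage; } tlb_t;

static page_t pages[NPAGES];
static tlb_t  tlb[NTLB];
static uint64_t secret = 0x9e3779b97f4a7c15ULL, epoch;    /* toy values */

/* Toy capability mint: a stand-in for the kernel's real unforgeable token. */
static uint64_t mint(int ppage, int env) {
    uint64_t x = secret ^ ((uint64_t)ppage << 40) ^ ((uint64_t)env << 20) ^ ++epoch;
    x ^= x >> 33; x *= 0xff51afd7ed558ccdULL; x ^= x >> 33;
    return x | 1;                                         /* 0 means "denied" */
}

/* Library OS names the physical page; kernel only records owner + capability. */
uint64_t ek_alloc_page(int env, int ppage) {
    if (ppage < 0 || ppage >= NPAGES || pages[ppage].owner != 0) return 0;
    pages[ppage].owner = env;
    return pages[ppage].cap = mint(ppage, env);
}

/* Bind point: authorization is checked once, when the mapping is installed. */
int ek_tlb_insert(int slot, uint32_t vpage, int ppage, uint64_t cap) {
    if (slot < 0 || slot >= NTLB || ppage < 0 || ppage >= NPAGES) return -1;
    if (pages[ppage].owner == 0 || cap != pages[ppage].cap) return -1;
    tlb[slot] = (tlb_t){ 1, pages[ppage].owner, ppage, vpage };
    return 0;
}

/* Use: a plain TLB hit with no ownership check; -1 is a miss for the library. */
int ek_translate(int env, uint32_t vpage) {
    for (int i = 0; i < NTLB; i++)
        if (tlb[i].valid && tlb[i].env == env && tlb[i].vpage == vpage)
            return tlb[i].ppage;
    return -1;
}

/* Repossession: kernel frees the page and breaks every binding made with it. */
int ek_repossess(int ppage) {
    int broken = 0;
    if (ppage < 0 || ppage >= NPAGES) return -1;
    for (int i = 0; i < NTLB; i++)
        if (tlb[i].valid && tlb[i].ppage == ppage) { tlb[i].valid = 0; broken++; }
    pages[ppage].owner = 0; pages[ppage].cap = 0;
    return broken;
}
```

The kernel never interprets the virtual address the library chose; it only verifies the capability at insert time, and a capability kept after repossession no longer installs anything.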

18
ExOS library OS
  • IPC abstraction
  • VM
  • Remote communication using ASH (application specific safe handlers)
  • Takeaway
      • Significant performance improvement possible compared to a monolithic implementation