cs161 Lecture 28: Extensible Operating Systems

What's the problem?
  OS doesn't give applications enough control
  OS is trying to please all workloads
    DBs are "different" (random I/O)
    Servers are "different" (I/O throughput)
    Scientific computing is "different" (all cpu/mem)
    Multimedia is "different" (soft real time)
    Interactive apps are... you get the idea. (low latency)
  Maybe no application is truly pleased
  We've seen nice OS interfaces, we've talked about extensibility...
  This involves more sharing, among distrustful apps
  Yes, kernel must protect itself, must also let apps protect themselves

Main approaches:
  Spin: "sandbox" (linguistically), make many kernel calls "events"
    Focus is on fast extensions (they care about scheduling)
  Xok: provide low-level, carefully designed interfaces
    Not really extension
    Worry a lot about apps affecting other apps
    "Separate protection from management"

Spin details:
  Compile and link to kernel
  Optimize singleton hooks to function call, else generate code
  Export "useful" interfaces
    Doesn't this just move the problem?
  Domain.Create takes a "standard coff file"
  Spin seems best for monitoring, hinting
  Is there a security story?
    My packets or yours? My disk blocks or yours?

Spin case study: Extensible memory management
  Clients call Allocate
  Reference may raise events (page faults), handled by client
  Cache evictions are "polite"

Xok details:
  Expose allocation, names, revocation, information
  Upcalls from scheduler, mem mgmt
  Buffer cache registry (not itself a cache)
  Wakeup predicates and packet filtering (arbitrary, but checkable. codegen)
  XN

Xok case study: XN
  Why is disk so hard? OS must enforce:
    persistent ownership on huge data.
    coherent caching
    ordered writes (because to do otherwise compromises ownership)
  Attempts
    Store a capability for each block? Where?
    Self-describing metadata. Have to change FSs?
    Declarative templates for a few types. Description language?
  XN lets a new FS use code to describe its data
    FS supplies a deterministic function to grovel over a type
      used to confirm allocate and deallocate
    Xok can track tainted blocks.
    FS can not lie about what it points to
    FS also uses code to explain who has perms to a block
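
Added example (not from the lecture or from Xok's source): a sketch of how a kernel can use an FS-supplied deterministic function to confirm allocate and deallocate. The toy inode layout, the 64-block bitmap, and the names inode_owns, xn_update and attempt are assumptions made for illustration; a C function pointer stands in for the FS-supplied code.

```c
#include <stdint.h>
#include <stdio.h>

#define NPTR 4
struct inode { uint32_t ptr[NPTR]; };       /* toy FS metadata; 0 = empty slot */
typedef uint64_t (*owns_fn)(const struct inode *);

/* FS-supplied, deterministic: bitmap of the blocks (1..63) this inode points to. */
static uint64_t inode_owns(const struct inode *in) {
    uint64_t set = 0;
    for (int i = 0; i < NPTR; i++)
        if (in->ptr[i] > 0 && in->ptr[i] < 64) set |= 1ULL << in->ptr[i];
    return set;
}

/* Kernel side: accept the proposed metadata only if the owned set changes by
 * exactly blk. grow=1 is allocate, grow=0 is deallocate. 0 = ok, -1 = rejected. */
static int xn_update(struct inode *cur, const struct inode *next, uint32_t blk,
                     int grow, owns_fn owns, uint64_t *free_map) {
    if (blk == 0 || blk >= 64) return -1;
    uint64_t bit = 1ULL << blk, before = owns(cur), after = owns(next);
    if (grow) {
        if (!(*free_map & bit) || (before & bit)) return -1;  /* block not free */
        if (after != (before | bit)) return -1;               /* FS lied */
        *free_map &= ~bit;
    } else {
        if (!(before & bit) || after != (before & ~bit)) return -1;
        *free_map |= bit;
    }
    *cur = *next;                                             /* commit */
    return 0;
}

/* Constructed scenario: the inode already owns block 3; blocks 0 and 3 are not free. */
static int attempt(struct inode next, uint32_t blk, int grow) {
    uint64_t fm = ~((1ULL << 0) | (1ULL << 3));
    struct inode cur = {{3, 0, 0, 0}};
    return xn_update(&cur, &next, blk, grow, inode_owns, &fm);
}
int honest_alloc(void)   { return attempt((struct inode){{3, 7, 0, 0}}, 7, 1); } /* adds exactly 7 */
int lying_alloc(void)    { return attempt((struct inode){{3, 7, 9, 0}}, 7, 1); } /* also slips in 9 */
int honest_dealloc(void) { return attempt((struct inode){{0, 0, 0, 0}}, 3, 0); } /* drops exactly 3 */
int sticky_dealloc(void) { return attempt((struct inode){{3, 0, 0, 0}}, 3, 0); } /* frees 3, keeps pointer */

int main(void) {
    printf("%d %d %d %d\n", honest_alloc(), lying_alloc(), honest_dealloc(), sticky_dealloc());
    return 0;
}
```

The kernel never interprets the inode layout itself; it only compares the function's output before and after the proposed change, which is why the function must be deterministic.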