Structural variants: Monolithic, Microkernel and Exokernel
5.12.2005

OS kernel: a definition
• Quick and dirty definition:
  • the mandatory part of the OS common to all applications
  • enables a uniform execution environment
  • responsible for security and manageability

OS kernel: a definition
• An operating system kernel provides
  • virtualization of hardware resources
  • isolation of individual tasks and applications
  • common platform-independent abstractions
  • secure access to hardware devices
  • access control and policy enforcement

Virtualization
• Present logical resources, not physical entities
  • manage isolated access by multiple users
  • lock physical entities at the kernel level
  • expose "virtual" resources based on the capabilities of the physical devices
  • hide the fact that physical resources are scarce and may only be controlled by a single owner
  • multiplex access to hardware resources
  • enforce access conditions and permissions

Virtualization: CPU
• Virtualization of CPU resources
  • execution is continuous, starting at the current program counter
  • controlled by the program's instructions
  • restricted to the current address space
• However, different applications will execute in different address spaces
  • a context switch requires heightened privileges
  • potential security problem!
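The privileged context switch discussed above, as an added example that is not part of the original slides: a user-space C model of a task list with saved execution contexts, a periodic timer exception handler and a round-robin scheduler. The names (task_t, kernel_t, timer_interrupt), the simulated supervisor flag and the constructed entry addresses 0x1000/0x2000/0x3000 are this example's own assumptions. The point it shows is that the switch is only performed by the handler, which runs in (simulated) supervisor mode, so user code cannot load another task's address space itself.

```c
/* Added example, not from the slides: a user-space model of the "virtual CPU"
 * mechanism. Names (task_t, kernel_t, timer_interrupt) and the constructed
 * entry addresses 0x1000/0x2000/0x3000 are this example's own. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NTASKS 3
#define NREGS  4

typedef struct {
    uint64_t pc;            /* where the task continues */
    uint64_t regs[NREGS];   /* "register spillage" area */
    uint32_t asid;          /* memory context (address-space id) */
    int      runnable;
} task_t;

typedef struct {
    task_t   tasks[NTASKS]; /* the task list */
    int      current;       /* task that owns the CPU */
    uint64_t pc;            /* the single physical CPU's state */
    uint64_t regs[NREGS];
    uint32_t asid;
    int      supervisor;    /* 1 while an exception handler runs */
    unsigned switches;
} kernel_t;

static void load_task(kernel_t *k, int i) {
    k->pc = k->tasks[i].pc;
    k->asid = k->tasks[i].asid;
    memcpy(k->regs, k->tasks[i].regs, sizeof k->regs);
    k->current = i;
}

void kernel_init(kernel_t *k) {
    memset(k, 0, sizeof *k);
    for (int i = 0; i < NTASKS; i++) {
        k->tasks[i].pc = 0x1000u * (uint64_t)(i + 1);   /* constructed entry points */
        k->tasks[i].asid = (uint32_t)(i + 1);
        k->tasks[i].runnable = 1;
    }
    load_task(k, 0);
    k->supervisor = 0;            /* task 0 starts in user mode */
}

/* User-mode execution within one timeslice: each instruction advances pc by 4
 * and touches r0, so saved state can be checked after a switch. */
uint64_t run_user(kernel_t *k, int instructions) {
    for (int i = 0; i < instructions; i++) { k->pc += 4; k->regs[0] += 1; }
    return k->pc;
}

/* Round-robin scheduling decision: next runnable task after the current one. */
int pick_next(const kernel_t *k) {
    for (int n = 1; n <= NTASKS; n++) {
        int i = (k->current + n) % NTASKS;
        if (k->tasks[i].runnable) return i;
    }
    return k->current;
}

/* Save the running task's context and load NEXT. Refused outside supervisor
 * mode: a user task must not be able to load another address space itself. */
int context_switch(kernel_t *k, int next) {
    if (!k->supervisor) return -1;
    if (next < 0 || next >= NTASKS || !k->tasks[next].runnable) return -1;
    task_t *cur = &k->tasks[k->current];
    cur->pc = k->pc;
    memcpy(cur->regs, k->regs, sizeof cur->regs);
    load_task(k, next);
    k->switches++;
    return next;
}

/* Periodic timer exception: the hardware enters supervisor mode, the handler
 * takes the scheduling decision and switches, then returns to user mode. */
int timer_interrupt(kernel_t *k) {
    k->supervisor = 1;
    int next = pick_next(k);
    if (next != k->current) context_switch(k, next);
    k->supervisor = 0;
    return k->current;
}

int main(void) {
    kernel_t k;
    kernel_init(&k);
    for (int tick = 0; tick < 6; tick++) {
        run_user(&k, 10);
        int before = k.current;
        timer_interrupt(&k);
        printf("tick %d: task %d -> task %d (pc=0x%llx)\n", tick, before, k.current,
               (unsigned long long)k.pc);
    }
    printf("switches: %u, user-mode switch attempt: %d\n", k.switches, context_switch(&k, 0));
    return 0;
}
```

Each task sees only its own pc/register set come back after its turn; the direct call to context_switch from user mode returns -1, which is the check a real kernel gets for free from the privilege level of the trap.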
Virtualization: CPU
• Provide multiple "virtual" CPUs
  • use time-division to provide individual timeslices
  • periodically take a scheduling decision
  • execute the context switch from a trusted environment to avoid privilege escalation
• OS kernel implementation
  • provides exception (and IRQ) handlers
  • runs in supervisor mode

Virtualization: CPU
• Implementation details
  • a task list with memory context
  • execution context: area for "register spillage"
  • an exception handler for a periodic (timer) interrupt
  • a scheduling algorithm
• Every process sees a dedicated "virtual" CPU

Virtualization: I/O
• Ethernet
  • Background
    • dedicated, serial transmission medium
    • transmits frames from memory buffers to the transmission medium
  • Problem: a central instance is needed
    • to classify incoming packets
    • to distribute packets to individual applications

Abstraction
• Definition
  • reduce and manage complexity
  • factor out details to focus on a few concepts
• Example: block devices in UNIX
  • provision of a common interface
  • hides the details of various devices and media, e.g. flash media vs. a hard disk

OS kernel variants
• Three major strategies to implement an operating system kernel
  • Monolithic kernels
  • Microkernel systems
    • pure microkernel designs
    • hybrid microkernel designs
  • Exokernel approach
• All have different advantages and drawbacks
• There is no single "silver bullet"

Monolithic kernels
• The OS kernel is a single (monolithic) structure
  • executing entirely in supervisor mode
    • process management
    • memory management
    • drivers for hardware
  • provides a set of system calls to interface with operating system services
  • may use modules to optimize resource utilization

Monolithic kernels
• Typical examples
  • traditional UNIX kernels (System V and BSD flavours)
  • FreeBSD
  • Solaris
  • Linux (see www.kernel.org for source code)

Monolithic kernels
• Advantages
  • efficient: uses function calls between kernel modules
  • requires a low number of context switches
• Drawbacks
  • limitations in robustness
  • no fault or privilege isolation
• History
  • in widespread use before MMUs became common

Monolithic kernels
• Summary
  • easy to design and develop
  • hard to evolve without risking growing pains

Microkernel designs
• Design goals
  • use a very simple abstraction over hardware
    • thread management
    • address spaces
    • interprocess communication
  • reduce the functionality in supervisor mode
    • move specific drivers to user space
    • isolate individual network services in a separate context

Microkernel designs
• Examples
  • AIX
  • AmigaOS
  • Amoeba
  • Chorus
  • Mach
  • Minix (remember Tanenbaum vs. Torvalds?)
  • QNX
  • Symbian OS

Microkernel designs
• Overall architecture
  • the OS consists of a kernel and "servers"
  • "servers" provide high-level functionality
    • external pager
    • device drivers
  • communication is performed using IPC/RPC
    • potential performance problem
    • context switches are expensive

Using an external pager
• A page fault is handled by an external pager
• The RPC to the pager appears to originate from the faulting process
• Figure 1. Page fault processing: application, page fault, microkernel, pager RPC, resume

Excerpt reproduced on the slide (Liedtke, "Toward Real Microkernels", Communications of the ACM 39(9), 1996; parts lost in extraction are marked [...]):

[...] the software-technology advantages were obvious: [...] abstractions than the typical Unix primitives. In addition to the new mechanisms, providing an API compatible with Unix or another conventional operating system was a sine qua non; hence implementing Unix on top of the new systems was a natural consequence. Therefore, the microkernel idea became widely accepted by operating-system designers for two completely different reasons: (1) general flexibility and power and (2) the fact that microkernels offered a technique for preserving Unix compatibility while permitting development of novel operating systems. Many academic projects took this path, including Amoeba [19], Choices [4], Ra [1], and V [7]; some even moved to commercial use, particularly Chorus [11], L3 [15], and Mach [10], which became the flag- [...]

Fast IPC
• Issues in IPC
  • context switch overheads
  • additional processing for policy enforcement
• The L4 approach
  • reduce additional processing
    • policy enforcement is not part of the kernel
    • visibility provides security at the kernel level
  • reduce context switch overheads
    • no intermediate switch to kernel mode

Benefit of microkernels
• Essential to trusted computing concepts
  • provides a small, controlled operating system core
  • controls the hardware and resources
  • holds initial ownership of all resources
  • delegates individual resources to trusted processes
  • isolates privileges and resources
  • can provide service level guarantees

L4: a microkernel
• Small number of mechanisms
  • Address spaces
    • creating address spaces
    • mapping pages into address spaces
    • revoking mappings
  • Scheduling
    • yielding the current time-slice to a specific thread
  • Interprocess communication
    • performing message transfer to specific threads

L4: a microkernel
• Small number of mechanisms (continued)
  • IPC protocols for specific functions
    • external pager (page-fault handling)
    • interrupt notification
    • preemption notification
    • exception notification

L4: Security
• Selective address space manipulation (system partitioning) provides a framework for security
• Memory permissions reflect process permissions

Excerpt reproduced on the slide (Liedtke, "Toward Real Microkernels", Communications of the ACM 39(9), 1996; parts lost in extraction are marked [...]):

[...] L4, with address spaces (described in the next section), threads, and IPC, implements only seven system calls, and needs only 12 Kbytes of code. Across-address-space IPC on a 486-DX50 takes 5 µs for an 8-byte argument and 18 µs for 512 bytes. The corresponding Mach numbers are 115 µs (8 bytes) and 172 µs (512 bytes). With 2 x 5 µs, the basic L4-RPC is twice as fast as a conventional Unix system call. It remains unknown whether L4's abstractions, despite being substantially more flexible than the abstractions of the first generation, are flexible and powerful enough for all types of operating systems.

[...] spaces on top of the initial space, the microkernel provides three operations: grant, map, and demap. The owner of an address space can grant any of its pages to another space, provided the recipient agrees. The granted page is removed from the [...]

Memory managers can easily be stacked; the initial memory server maps or grants parts of the physical memory to memory server 1 and memory server 2. Now we have two coexisting main-memory managers. A pager may be integrated with a memory manager or use a memory-managing server. Pagers use the microkernel's grant, map, and demap primitives. The remaining interfaces, pager-client, pager-memory server, and pager-device driver, are completely based on IPC and are defined outside the kernel. Pagers can be used to implement traditional paged virtual memory and file/database mapping, as well as unpaged resident [...]

Figure 5. Recursively constructed address spaces: initial space (physical memory); memory server 1 and memory server 2; pager 1 and pager 2; driver; application address spaces on top.

Figure 6. A maps a page by IPC to B: A issues send ('map', virtual address in A); B issues receive ('map', virtual address in B).
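The address-space operations described on the L4 slides and in the excerpt (map, grant, demap as recursive revocation, and a page fault resolved by an external pager through IPC), as an added example in C that is neither from the slides nor from any L4 kernel source. The mapping database, the space and page counts, the identity policy of the model pager and every function name are this example's own assumptions; it shows why the kernel needs no paging policy and why a mapping can only be revoked by a space above it in the mapping tree.

```c
/* Added example, not from the slides or from any L4 kernel: a model of
 * recursively constructed address spaces built with map, grant and unmap
 * (the excerpt's "demap"), plus an external pager answering page faults.
 * Sizes, names and the pager's identity policy are this example's own. */
#include <stdio.h>
#include <string.h>

#define NSPACES 4   /* 0 = initial space owning all physical frames */
#define NPAGES  8   /* virtual pages per space == physical frames */
#define NMAPS   64

/* Mapping-database node: SPACE has VPAGE backed by FRAME, derived from PARENT. */
typedef struct { int space, vpage, frame, parent, live; } mapnode_t;

typedef struct {
    int pte[NSPACES][NPAGES];   /* node index per page, -1 if unmapped */
    mapnode_t mdb[NMAPS];
    int nmaps;
} mm_t;

static int inb(int s, int v) { return s >= 0 && s < NSPACES && v >= 0 && v < NPAGES; }

static int add_node(mm_t *m, int space, int vpage, int frame, int parent) {
    if (m->nmaps >= NMAPS) return -1;
    m->mdb[m->nmaps] = (mapnode_t){space, vpage, frame, parent, 1};
    m->pte[space][vpage] = m->nmaps;
    return m->nmaps++;
}

void mm_init(mm_t *m) {
    memset(m, 0, sizeof *m);
    for (int s = 0; s < NSPACES; s++)
        for (int p = 0; p < NPAGES; p++) m->pte[s][p] = -1;
    for (int p = 0; p < NPAGES; p++) add_node(m, 0, p, p, -1);  /* identity map */
}

int lookup(const mm_t *m, int space, int vpage) {
    int n = inb(space, vpage) ? m->pte[space][vpage] : -1;
    return n < 0 ? -1 : m->mdb[n].frame;
}

/* Revoke every mapping derived from node N, recursively (the owner keeps N). */
static void revoke_children(mm_t *m, int n) {
    for (int i = 0; i < m->nmaps; i++)
        if (m->mdb[i].live && m->mdb[i].parent == n) {
            revoke_children(m, i);
            m->pte[m->mdb[i].space][m->mdb[i].vpage] = -1;
            m->mdb[i].live = 0;
        }
}

/* Sender must own the page; the receiver's slot must be free, which models the
 * receiver having agreed by issuing a receive for that virtual address. */
static int check(const mm_t *m, int from, int fv, int to, int tv) {
    if (!inb(from, fv) || !inb(to, tv)) return -1;
    if (m->pte[from][fv] < 0 || m->pte[to][tv] >= 0) return -1;
    return m->pte[from][fv];
}

/* map: the sender keeps the page, the receiver gets a mapping derived from it. */
int map_page(mm_t *m, int from, int fv, int to, int tv) {
    int n = check(m, from, fv, to, tv);
    return n < 0 || add_node(m, to, tv, m->mdb[n].frame, n) < 0 ? -1 : 0;
}

/* grant: the page leaves the granter's space; mappings derived from it follow
 * the page, so the granter can no longer revoke them. */
int grant_page(mm_t *m, int from, int fv, int to, int tv) {
    int n = check(m, from, fv, to, tv);
    if (n < 0) return -1;
    int g = add_node(m, to, tv, m->mdb[n].frame, m->mdb[n].parent);
    if (g < 0) return -1;
    for (int i = 0; i < m->nmaps; i++)
        if (m->mdb[i].live && m->mdb[i].parent == n) m->mdb[i].parent = g;
    m->mdb[n].live = 0;
    m->pte[from][fv] = -1;
    return 0;
}

/* unmap (demap): flush everything mapped out of this page, in every space. */
int unmap_page(mm_t *m, int space, int vpage) {
    if (!inb(space, vpage) || m->pte[space][vpage] < 0) return -1;
    revoke_children(m, m->pte[space][vpage]);
    return 0;
}

/* Kernel side of a page fault: the fault becomes an IPC to the pager of SPACE;
 * the pager (modelled with an identity policy: its own page VPAGE) answers with
 * a map, which the kernel performs. The kernel itself holds no paging policy. */
int page_fault(mm_t *m, int space, int vpage, int pager) {
    if (!inb(space, vpage)) return -1;
    if (m->pte[space][vpage] < 0 && map_page(m, pager, vpage, space, vpage) < 0)
        return -1;   /* the pager owns no such frame: the fault cannot be resolved */
    return lookup(m, space, vpage);
}

int main(void) {
    mm_t m;
    mm_init(&m);
    for (int p = 0; p < 4; p++) grant_page(&m, 0, p, 1, p);  /* space 1: memory server */
    map_page(&m, 1, 2, 2, 5);                                 /* application in space 2 */
    map_page(&m, 2, 5, 3, 0);                                 /* space 2 shares on to space 3 */
    printf("before unmap: space2[5]=%d space3[0]=%d\n", lookup(&m, 2, 5), lookup(&m, 3, 0));
    unmap_page(&m, 1, 2);
    printf("after unmap:  space2[5]=%d space3[0]=%d space1[2]=%d\n",
           lookup(&m, 2, 5), lookup(&m, 3, 0), lookup(&m, 1, 2));
    printf("fault in space2[1], pager 1 -> frame %d\n", page_fault(&m, 2, 1, 1));
    return 0;
}
```

The memory permissions of a process are exactly its position in this tree: an unmap by the memory server in space 1 takes the page away from space 2 and, transitively, from space 3, while space 3 can map only what it already holds. A fault on a page the pager does not own stays unresolved, which is the kernel refusing to invent memory on a server's behalf.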
Microkernel designs
• Summary
  • hard to design the component interfaces
  • provides long-term security and reliability benefits

Hybrid kernels
• The other approach to optimizing IPC
  • optimize performance, reduce latency
  • don't focus on IPC
• Moves non-essential functionality into the kernel
  • typically the pager
  • frequently other OS services
• Examples
  • MacOS X: XNU
  • Windows NT and later

Exokernels
• A special case of microkernels
  • reduction of mechanisms in supervisor space
  • moves all abstractions to user space
  • limited to virtualization
  • exposes the hardware to user-space programs
• Currently available as research prototypes only

Exokernel design
• Kernel mechanisms
  • similar to those of L4 in many respects
    • control of processor access
    • control of address spaces
  • different in controlling all functionality from the kernel
    • primitives for different devices and device classes, e.g. block devices, network devices, ...
    • not designed for user-space device drivers

Recommended Reading
• Engler D.R., Kaashoek M.F., O'Toole J. Jr.: Exokernel: An Operating System Architecture for Application-Level Resource Management
• Engler D.R., Kaashoek M.F.: Exterminate All Operating System Abstractions
• Engler D.R., Kaashoek M.F., O'Toole J. Jr.: The Operating System as a Secure Programmable Machine
• Bershad B.N.: The Increasing Irrelevance of IPC Performance for Microkernel-Based Operating Systems
• Rashid R., et al.: Mach: A System Software Kernel
• Liedtke J.: On μ-Kernel Construction
• Liedtke J.: Improving IPC by Kernel Design
• Härtig H., Hohmuth M., Liedtke J., et al.: The Performance of μ-Kernel-Based Systems
• Härtig H., Hohmuth M., Wolter J.: Taming Linux
• LeVasseur J., Uhlig V., Stoess J., Götz S.: Unmodified Device Driver Reuse and Improved System Dependability via Virtual Machines