Exokernels

Summary: Exokernels achieve extensibility by exporting raw hardware to applications. The Exokernel is tasked with safely multiplexing raw hardware between applications.

Main points:
* Exokernels allow applications to have complete control over a subset of hardware resources. Applications see hardware registers and physical resource names.
* Applications bind to physical resources using "secure bindings":
  - hardware mechanisms (TLB)
  - software cache (software TLB)
  - downloaded code (packet filters)
* Resource revocation is exposed to applications.
* Downloaded code is NOT used for efficiency, since the cost of domain crossings is low relative to IO cost. Rather, downloaded code can be inspected and verified (and therefore trusted). Code provides a layer of indirection.
* Writing Exokernel interfaces is difficult. The authors report that some kernel interfaces have gone through several iterations.
* Includes support for coordinating scheduling between applications.

Comments:
* Very little discussion of resource management issues. For example, the page allocation policy is not discussed. In SOSP 97, it is argued that an Exokernel provides reasonable isolation for a set of competing applications.
* Packet demultiplexing appears to be trusted (as of SOSP 95).
* Isolation is difficult here because all applications exist in a single name space (in this case, physical names rather than OS abstractions). This means that all resources are potentially shareable. Also, protection is done on a per-resource basis: packet filters for the network, untrusted deterministic functions for disk blocks, self-authenticating capabilities for physical memory.
* Exokernels do not enforce protection in terms of high-level abstractions. But, crucially, they are designed to allow applications/libOSes to enforce protection in terms of high-level abstractions. Thus, the security of the system is equivalent to the security of the libOS.
* Supporting only application-level paging creates problems. For example, the Exokernel must be sure not to page out the pager.
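
The secure-binding and revocation points above, as an added example (a simplified model written for these notes, not code from Aegis or the papers): authorization is checked once at bind time, later accesses hit a software TLB without re-checking, and revocation must break the cached binding. All names are hypothetical, and modelling the capability as a plain 64-bit value recorded by the kernel is an assumption of this sketch.

```c
#include <stdint.h>
#include <stdio.h>

#define NPAGES 8      /* physical pages in this toy machine */
#define STLB_SIZE 4   /* direct-mapped software TLB entries */
typedef struct { int owner; uint64_t cap; } page_t;   /* owner 0 = free */
typedef struct { int valid, env; uint32_t vpn, ppn; } stlb_t;
static page_t pages[NPAGES];
static stlb_t stlb[STLB_SIZE];

/* Allocation: the kernel records the owner and the capability guarding the page. */
int page_alloc(int env, uint32_t ppn, uint64_t cap) {
    if (ppn >= NPAGES || pages[ppn].owner != 0) return -1;
    pages[ppn].owner = env; pages[ppn].cap = cap;
    return 0;
}

/* Bind time: the only point where authorization is checked. The application's
 * miss handler proposes vpn -> ppn and must present the page's capability. */
int bind_mapping(int env, uint32_t vpn, uint32_t ppn, uint64_t cap) {
    if (ppn >= NPAGES || pages[ppn].owner == 0) return -1;
    if (pages[ppn].cap != cap) return -1;   /* wrong or forged capability */
    stlb_t *e = &stlb[vpn % STLB_SIZE];
    e->valid = 1; e->env = env; e->vpn = vpn; e->ppn = ppn;
    return 0;
}

/* Access time: a cheap lookup with no capability check; -1 means miss. */
int translate(int env, uint32_t vpn) {
    stlb_t *e = &stlb[vpn % STLB_SIZE];
    return (e->valid && e->env == env && e->vpn == vpn) ? (int)e->ppn : -1;
}

/* Revocation: drop every cached binding, or a stale entry keeps granting access. */
void page_revoke(uint32_t ppn) {
    if (ppn >= NPAGES) return;
    for (int i = 0; i < STLB_SIZE; i++)
        if (stlb[i].valid && stlb[i].ppn == ppn) stlb[i].valid = 0;
    pages[ppn].owner = 0; pages[ppn].cap = 0;
}

int main(void) {
    page_alloc(1, 3, 0xC0FFEEu);   /* constructed values: env 1 owns page 3 */
    printf("forged bind:  %d\n", bind_mapping(2, 7, 3, 0xBADu));
    printf("valid bind:   %d\n", bind_mapping(1, 7, 3, 0xC0FFEEu));
    printf("translate:    %d\n", translate(1, 7));
    page_revoke(3);
    printf("after revoke: %d\n", translate(1, 7));
    return 0;
}
```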