Extenszbzlzty can be based on cross-address-space communacatzon or on graflang applzcation-specafic modules znto the operatzng system For comparang both approaches, we need to explore the best achzeuable performance for both models Thzs paper reports the achzeved performance of cross-address-space communzcataon for the L4 p-kernel on Intel Pentium, Maps R4600 and DEC Alpha. The direct costs range from 45 cycles (Alpha) to 121 cycles (Pentaum). Since only 2.3% of the L I cache are requzred (Pentaum), the average zndzrect costs are not to be expected much higher 1 Motivation: extensibility "Extensibility" is a relatively new buzzword in OS research. Nevertheless, the requirement for extensibility i s neither specific tmo operating systems nor new. Editors are extended by macros associating new functions to keys, programming languages are extended by libraries, database systems are extended by applicationspecific functions, word processing systems are extended by customized texts, et cetera, et cetera.What makes extensibility an OS-specific topic? Security and safety! When extending an operating system by a new or modified service, we require that (a) the service can be introduced only for selected clients and that (b) a potential malfunction of the new service affects only those clients that use it. In accordance to (a), diffferent clients can, of course, use different services for the same event. (a) is difficult because the operating system controls central resources; (b) is difficult because (i) these resources are critical with respect to the correct functioning of the ent,ire system and (ii) services need to be protect,ed from each ot,her making uncont,rolled interference impossible.The multiple-server approach An obvious (and well-known) solut,ion: use mult>iple servers, protect them by classical operating syst,ern mechanisms, i.e. address spa.ces, and make t,hern freely att,achable t.0 applications. Basically, that is t,he pkernel approach, pioneered by Amoeba, Mach and Chorus. further developed by L4 [Liedtke 19951, Fluke [Ford et al. 19961 and others. This method i s best-suited to incorporat,e general. well-known software techniques for extensibility. Functionally, it, i s most flexible and most, genera.].However, good performance of the multiple-server technique requires that the direct and indirect cost,s of cross-address-space communication (including addressspace switching) are sufficiently low. Unfort,unately. years ago, IPC was considered to be expensive.
The grafting approachA further solution i s to graft additional modules into the monolithic server (the operating system). Early applications of this technique are widely used but insecure and/or of limited flexibility: mounting new file systems, adding new device drivers et cetera.New research projects, in particular Spin [Bershad et al. 19951 and Vino [Seltzer et al. 19961 experiment with compile-time and run-time (compiler-supported) security for "grafted" kernel components. Spin [Bershad et al. 19951 inserts type-checked modules into the ...
