A New Protection Model for Component-Based Operating Systems by Law, G & McCann, JA
A New Protection Model for Component-Based Operating Systems 
Greg Law & Julie McCann, 
Dept. of Computing, 
City University, 
London, UK 
email: {gel, jam}@soi.city.ac.uk 
Abstract 
This paper describes a new model of program pro- 
tection particularly suited to  component-based operat- 
ing systems. Instead of the traditional separate user 
and kernel processor modes and paging, segmentation 
is combined with a sample software technique to  avoid 
the use of separate processor modes while maintain- 
ing full protection. This new model oflers dramati- 
cally improved performance, simplified and improved 
architectures and increased flexibility. 
A component-based OS (called Go!) has been im- 
plemented using such techniques and early experiences 
with it are described in this paper. I n  this paper we 
show that Go! o f e r s  fully protected round-trip R P C  
in just  85 cycles on the Pentium, and the single pro- 
cessor mode allows the Object Request Broker (Go!’s 
analogue of a kernel) to be responsible only for  compo- 
nent management. W e  show that such a system allows 
multithreading, device management, and even inter- 
rupt handling to  be provided by separate ‘application 
level’ components without compromising protection. 
1 Introduction 
Traditional operating system kernels (monolithic 
and micro) are amorphous masses of code support- 
ing several monolithic processes. Over the last year or 
two, several operating system kernels have been devel- 
oped which exhibit component-based behaviour them- 
selves [3, 111. Here the kernel is replaced with a nu- 
cleus - a nano-kernel which manages components and 
their interaction. All other services are moved out into 
components which execute in user mode. However, 
certain services which have nothing to do with compo- 
nent management (e.g., interrupt and device manage- 
ment) must be provided by the nucleus because only 
it has sufficient privileges. That is, separate proces- 
sor modes prevent protection being cleanly separated 
from management [8]. 
This paper examines protection in such systems, 
and proposes a novel protection model. The new 
0-7803-5979-8100 $1 0.00 0 2000 IEEF 
model allows improved performance, flexibility and 
software engineering. As a proof of concept, a new OS 
(Go!) has been developed using such a model. Early 
experiences with Go! are also reported. 
Section 2 of this paper introduces component-based 
operating systems. Section 3 examines traditional OS 
protection, including separate processor modes, pag- 
ing and segmentation. Section 4 describes how protec- 
tion can be realised with a single hardware privilege 
level if segmentation is combined with a simple soft- 
ware technique, and section 5 addresses limitations of 
this model and explains how they can be overcome. 
Section 6 introduces Go! and its protection model. 
Section 7 gives some preliminary results from early 
experimentation with Go!, and section 8 concludes. 
2 Component-base operating systems 
This section introduces a new breed of operat- 
ing systems: component-based systems, and explains 
briefly their advantages. 
Over the last few years applications have changed. 
With modern component technology such as CORBA 
[13], Java [12] and COM[5], the boundaries between 
applications have become blurred and software is be- 
coming a collection of cooperating components. For 
example, when using a Java applet inside your web- 
browser, you are not using a single application, but 
the web-browser, the Java VM and the Java applet. 
A component is defined here as an object encapsu- 
lating state and behaviour in order to achieve some 
specific task. Components are isolated and protected 
from one another, as with conventional processes. 
Components differ from processes in that they are 
typed, each component realising at least one inter- 
face, which defines the operations available on that 
component. There are zero or more implementations 
of each interface, and several instances of each imple- 
mentation may be created and destroyed dynamically. 
Components often use object-oriented techniques such 
as interface-inheritance and polymorphism. Compo- 
537 
nents differ from objects in that they are protected 
from one another and are fundamental building blocks 
of the operating system as well as applications. 
For some time now, the benefits to software en- 
gineering of object-orientation and componentisation 
have been widely recognised. However, systems pro- 
grammers have been denied these benefits. This is 
particularly ironic since OS programming is notori- 
ously difficult and error-prone. 
Over the last decade several object-oriented oper- 
ating systems have been developed. This might mean 
the kernel was written in an object-oriented fashion 
(perhaps using C++) as with Choices [2], that the OS 
was tailoured specifically to suit object-oriented ap- 
plications (e.g., Clouds [6]) or that the OS used an 
orthogonal object-model in user and kernel space as 
in Spring [2O]. 
During the last few years, several component-based 
operating systems have materialised [3, 111. These 
abandon the tradition of a kernel supporting processes 
for a nucleus managing many user components. 
Componentising operating systems has several ad- 
vantages: system development is made considerably 
easier by the improved software engineering; such OSs 
have the potential to be more robust (due to finer- 
grained protection); they are more flexible (compo- 
nents can enter and leave the system at will); and they 
provide better support for modern component-based 
applications. 
3 Traditional OS protection 
Many modern operating systems offer protection to 
applications. This section describes briefly what pro- 
tection means, and how traditional operating systems 
(such as Unix) provide it. Protection means that a 
buggy or malicious application is unable to bring the 
entire system down: it may only affect itself and those 
applications dependent on it. Protection needs sup- 
port from the microprocessor as well as the operating 
system. In order to afford protection: 
1. applications must be prevented from executing 
certain privileged instructions (e.g., disabling in- 
terrupts, since this would prevent the currently 
executing thread from being preempted, possibly 
live-locking the entire system). 
2. applications must be prevented from accessing 
memory which they should not (e.g., another ap- 
plication’s private memory). 
Traditionally, these two aspects of protection have 
been provided by separate processor modes and paging 
respectively, both of which are described below. 
By providing different privilege modes, micropro- 
cessors can catch unprivileged applications attempting 
to execute privileged instructions. All applications run 
in user mode, meaning that the attempted execution of 
a privileged instruction will alert the operating system 
(usually via a dedicated interrupt or exception). The 
OS executes in the kernel operating mode, in which 
any instruction may be issued. Special instructions 
are provided to enable user-code to call kernel-code 
in a controlled fashion. These instructions atomically 
switch to kernel mode and take control to well-known 
entry-points within the kernel, meaning applications 
cannot put themselves into kernel mode. Such a trans- 
fer of control to kernel mode is typically known as a 
system call. 
Paging divides memory up into a series of fixed 
sized regions called pages. Each page (typically 4kB) 
has associated with it a set of access protection bits 
that specify whether a page is readable, writable, or 
executable. Any violation of these protection bits 
(e.g., attempting to write to a read-only page) is de- 
tected by the hardware and the operating system is 
alerted (usually resulting in the termination of the of- 
fending process). 
There is another, less widely used, mechanism to 
prevent illegal memory access: segmentation. With 
segmentation, rather than grouping memory into a 
set of fixed size pages, memory is grouped into sev- 
eral variable sized, contiguous regions called segments. 
Each segment starts at  an arbitrary address in physical 
memory, known as the linear base address. There are 
usually several different types of segments, including 
readlwrite and read-only data segments, stack seg- 
ments, and code segments. A segment’s descriptor 
identifies its linear base address, size and type. A de- 
scriptor table describes each segment in the system. A 
segment is identified by a selector, which is an index 
into this table. The processor contains several segment 
selectors in dedicated registers, often including a cur- 
rent data segment, code segment and a stack segment. 
Each memory reference is an offset into a particular 
segment, either identified explicitly or implicitly based 
on the instruction type. E.g. JMP 50 will jump to 
offset 50 of the current code segment (linear address 
codesegment. base + 50). JMP 8 : 30 would transfer 
control to offset 30 of the segment identified by se- 
lector 8 (code-segment <- descriptor-table [ 8 ]  ; 
PC <- 30;). Any attempted illegal operation on a 
segment (e.g., accessing beyond its limit, or attempt- 
ing to write to a read-only segment) alerts the oper- 
ating system as with illegal instruction execution or 
page faults. Applications are free to load any segment 
538 
available in the descriptor table. On a context switch 
the OS kernel manipulates the descriptor tables in a 
fashion analogous to the way paged kernels manipu- 
late page tables. 
Paging is more popular than segmentation for sev- 
eral reasons: segmentation leads to external fragmen- 
tation; it complicates programming; and due to com- 
mon misunderstandings. Adding paging orthogonally 
behind segmentation [17] can resolve the first two is- 
sues: 
Figure 1: Orthogonal Segmentation and Paging 
Combining segmentation with paging solves the 
fragmentation issue since segments are no longer re- 
quired to exist in contiguous physical memory. This 
can actually reduce fragmentation over simple paging 
since paging causes internal fragmentation (unless all 
objects are page sized, or multiples thereof). In the 
case of single address space systems each segment still 
has the full virtual address range (4 GB on 32 bit sys- 
tems), alleviating fragmentation of the virtual address 
space. 
Segmentation complicates programming since 
pointers to objects must be dereferenced via the ap- 
propriate segment. This is particularly cumbersome 
when taking addresses of objects in the stack segment. 
Paging can be used to allow the data segment and 
stack segment to appear to overlap each other. This 
has slight space and time costs, but the programmer 
has the choice of whether or not to pay this price. 
The misunderstanding about segmentation comes 
from the so-called segmentation offered by early Intel 
x86 microprocessors. The only thing the 8086 scheme 
has in common with real segmentation is its name: in 
reality this was a hack to allow a 16 bit machine to 
address a megabyte of memory. The Intel 80386 and 
up (aka IA32) provide orthogonal segmentation and 
paging as described above. 
Segmentation also means that components can ex- 
ist in a single address space without requiring relo- 
cation on instantiation. This is because each compo- 
nent’s data are linked at zero, relative to their data 
segment - the linear base address of a component’s 
data segment effectively relocates it. In paged single 
address space systems, applications need to be relo- 
cated at load time, increasing load times and system 
complexity. 
4 A new protection model 
This section describes why traditional protection 
models are poorly suited to component-based systems 
and introduces a more suitable alternative: segmenta- 
tion and a single processor privilege mode. The new 
model provides complete protection with several sig- 
nificant advantages. 
Assuming that componentisation is desirable, then 
the finer-grained and more widespread componentisa- 
tion can become, the better. Also, since encapsulation 
is one of the most fundamental aspects of componenti- 
sation, it is reasonable to stipulate that a component- 
based OS should provide protection on the basis of 
components (i.e., a component’s data should be ac- 
cessible to its code exclusively). 
The separation of user mode and kernel mode im- 
plemented by modern microprocessors (referred to 
here as the ‘system call barrier’) works well for tradi- 
tional kernel operating systems. Older object-oriented 
OSs such as Spring [20] use an identical object-model 
in both user and kernel mode, but the system call 
barrier renders the object-model of each side invisible 
to the other. This means that the benefits of object- 
orientation of applications are denied to the kernel, 
and vice versa. Modern component-based operating 
systems work hard to hide the distinction between user 
mode and kernel model. The system call barrier im- 
poses both architectural and performance bottlenecks 
on such component-based systems and thus is an in- 
appropriate protection mechanism. 
In the new model, all components and an Object 
Request Broker (ORB - the analogue of a kernel) 
execute in a single processor mode (with full privi- 
leges). However, most components are prevented from 
containing any instructions that would be illegal in 
user mode. This is accomplished by scanning a com- 
ponent’s code section on loading, and rejecting com- 
ponents which contain instructions that they are not 
Whether a component executes in kernel mode or user mode 
is of concern to its implementation only; it should not be possi- 
ble to determine from the outside in which mode a component 
operates since this makes no difference to a component’s client. 
539 
sufficiently privileged to execute. Such scanning takes 
only a few cycles per instruction, and needs to be per- 
formed just once per implementation type (when it is 
installed on the system). 
If the code-scanning technique is extended to pre- 
vent applications loading segment registers with arbi- 
trary values (restricting such privileges to the ORB) 
then holding a segment’s selector in a segment regis- 
ter is effectively a capability to access that segment 
[MI. Context switching is made much more efficient 
too: rather than the usually expensive manipulation 
of complicated page/descriptor tables to effect a con- 
text switch, the ORB simply loads the code, data and 
stack segment registers with new values (approx. 3 
cycles each on the Pentium). This also prevents the 
problem of self-modifying code (and so preventing ap- 
plications changing themselves to gain privileges) since 
they are unable to load the code segment selector into 
the data segment register. Components are prevented 
from calling others arbitrarily because inter-segment 
jumps are classed as segment register loads and so 
prohibited by the code-scanning technique described 
above. However, to allow components to call the ORB 
at well-known entry-points, a few immediate inter- 
segment jumps are permitted (e.g. c a l l  0 : 0 calls off- 
set zero of the segment at  zero, transferring control 
to a well-known entry-point and swapping contexts 
atomically: the analogue of a system call). 
This has the advantage of avoiding the often costly 
penalties of traversing processor modes on most inter- 
rupts as well as system calls, and also of removing the 
architectural bottleneck imposed by the system call 
barrier. The technique is also more flexible: compo- 
nents can be allowed restricted use of some privileged 
instructions but not others (e.g., a device driver might 
be permitted use of certain 1/0 control instructions 
but not the ability to clear interrupts). 
The ORB handles component management 
only - i.e., instance creation/destruction, type 
(un)installation and inter-component method invo- 
cation/return. Application level components are 
used to manage devices, paging, and even to handle 
interrupts. Note that handling interrupts in this case 
does not mean that the ORB receives interrupts and 
dispatches them to handler components: because 
applications components execute in kernel-mode the 
ORB can remain entirely ignorant of interrupts. This 
is possible in this model as such components can be 
allowed to contain the relevant privileged instruc- 
tions. The use of separate processor modes to realise 
protection (as with other systems) restricts further 
componentisation of the nucleus. The nucleus needs 
to be involved in interrupt/fault handling, thread 
preemption, and paging, since such tasks require the 
use of privileged instructions. However, these tasks 
are quite separate from component management, 
and so ideally, should be separated out into other 
components. 
Note the different terminology: traditional sys- 
tems use kernels, which manage processes and devices; 
modern component-based systems use a nucleus which 
is primarily responsible for component management, 
but must perform other tasks which require the pro- 
cessor’s kernel mode (e.g. interrupt dispatching); and 
our model uses an ORB which is responsible for com- 
ponent management only. 
Segmentation also has the obvious advantage over 
paging of not wasting space for inconveniently-sized 
objects since segments are variable size. This is espe- 
cially useful for finely-grained component-based sys- 
tems2. 
Note that the use of a single processor mode is 
not the same as downloading code into the kernel [l]. 
In reality everything executes in kernel mode, so one 
might argue everything is downloaded into the ker- 
nel. However, our concept is different: there is no ker- 
nel/user mode divide at all; one could equally argue 
that all code is uploaded out of the kernel. 
5 Limitations of this model 
This section introduces the few limitations of the 
model, and explains how they can be overcome. 
This protection mechanism does not address the 
halting problem (i.e. where a server goes into an 
infinite loop, never returning control to its client) 
since it has been shown to be algorithmically insoluble 
[21]. Instead callers must arrange to respond to some 
watchdog timeout if they do not trust their callee to 
return (no different from traditional protection mod- 
els). 
This technique prevents self-modifying code since 
such code could break security after it had been in- 
stalled. It also prevents arbitrary data being embed- 
ded in code sections, as such data might appear to 
be privileged instructions. However, both these tech- 
niques are very rarely used in modern computing, and 
modern microprocessors severely penalise the use of 
such techniques anyway [16]. Hence these penalties 
are considered worth the price in most situations. In 
the unlikely case that these techniques are required, 
2Given uniform distribution of component sizes, on average 
anP bytes are wasted (where n is the number of components, 
and P the page size). n increases the finer the granularity, so 
that  this figure becomes significant for finely-grained systems. 
540 
these few components could be run in some less privi- 
leged mode. Note that this system does not preclude 
dynamic code generation (such as a Java JIT). 
Finally, machines with variable-length instructions 
expose a flaw in this system because immediate data 
can be executed as if they were instructions. For ex- 
ample, take the code: mov a l ,  OxFA; jmp -2; The 
first instruction places FAh into general purpose reg- 
ister a l ,  and the second jumps back to the mov in- 
struction (the first instruction consumes two bytes, 
hence -2). This will cause the executing thread to 
live-lock, but will not affect the system as a whole. 
Now take: mov a l ,  OxFA; jmp -1; This jumps into 
the middle of the mov instruction, and attempts to ex- 
ecute the immediate data FAh. FAh is the opcode to 
disable interrupts on Intel x86 processors so this se- 
quence of instructions will lock the entire system until 
it is reset. The best solution to this is to use a proces- 
sor with fixed-length instructions (e.g. any RISC ma- 
chine). However, this can be overcome even on CISC 
machines by using more advanced code-scanning tech- 
niques, such as Proof- Carrying Code [19]. 
6 Go! : A single mode protected 
This section describes Go!, a native operating sys- 
tem implemented on the Pentium. Go! was developed 
as a proof of concept vehicle of the protection mecha- 
nism described in this paper. 
In many ways, the Pentium is a poor choice of ar- 
chitecture on which to implement Go!, mainly because 
of its CISC architecture (and therefore variable-length 
instructions). However, the Pentium was chosen de- 
spite this disadvantage since Go! is a proof of concept 
vehicle only, and the huge amount of free OS develop- 
ment resources as well test machines at our disposal 
would significantly simplify development. 
Go! itself consists purely of the ORB, which deals 
with component management only. A library oper- 
ating system called GTE (Go! Test Environment) is 
currently under development to complete the proof 
of concept. Thread management, device manage- 
ment, paging and even interrupt dispatching are all 
delegated to ‘application level’ components. Sys- 
tems which divide the OS into a primitive supervisor 
part on top of which conventional OS services (e.g. 
threads) are provided, are called libray operating sys- 
tems [8]. Note though that the ORB is not a renamed 
nano-kernel. It supports life-cycle management and 
component-based system 
can deal entirely with what are traditionally system 
services (e.g. interrupts). 
Each component implementation type in Go! has its 
own code segment and the ORB maintains a method 
table (similar to a C++ v-table). Each component 
instance has its own data segment and shares its code 
segment and method table with others of that imple- 
mentation. By preventing code segments from loading 
other data segments’ selectors, each component can 
access only its own data, enforcing encapsulation on a 
per component level with minimal overheads. 
The ORB provides 6 methods (analogous to system 
calls in traditional operating systems): 
i n s t a l l  Install a new component type. 
un ins t a l l  Uninsitall an existing component type. 
c rea te  Create a new component instance. 
destroy Destroy an existing component instance. 
c a l l  Call a given method on a given component. 
r e tu rn  Return from the most recent ca l l .  
Certain system components need to contain privi- 
leged instructions (e.g., the interrupt dispatcher must 
be able to load the interrupt descriptor table regis- 
ter). The ORB itself is not responsible for scanning 
code segments for privileged instructions, but dele- 
gates this to a component. It is also the responsibility 
of this component to ensure that certain components 
can contain the necessary privileged instructions. e.g., 
device driver components are likely to require 1 / 0  in- 
structions, and the interrupt dispatcher can contain 
any instructions. 
Go! uses a passive component model [lo]. This 
means that the single thread of control3 transfers be- 
tween components as method calls are issued. 
A component can call another by placing the tar- 
get component ID (its data segment selector) and 
method number into registers, and calling the ORB’S 
c a l l  method. This transfers control to the relevant 
entry-point of the target component (looked up via 
the target component’s method table). The current 
data segment is also replaced with that of the callee, 
and the stack segment is ‘shrunk’ so that the caller’s 
stack frame is no longer accessible (but the arguments 
are). The ORB also passes the ID of the caller to 
._ - 
control transfer between components only. This does 
not mean that the oRB provides thin for sys- 
tern services with 0 t h  systems [81: since there is 
3Despite not providing multiple threads, the Go! ORB is re- 
entrant and supports multiple concurrent stacks. This means 
library 0% can implement their own threading-model with rela- 
tive ease (GTE provides fully preemptive multithreading in just 
1.2K of unoptimised C++) .  only one processor mode, application level components 
54 1 
the callee so that the caller can be securely authenti- 
cated (authorisation is left to the callee or library OS 
to implement). 
c a l l  is the most performance critical ORB method. 
As an example, the algorithm for c a l l  is shown below: 
1. push out-going data segment selector onto stack 
2. load ORB data segment selector into data seg- 
ment register 
3. validate target component ID & method number 
4. shrink stack by manipulating segment descriptor 
tables (since the stack grows towards zero, set 
descriptor-table [ stacksegment 1 . l imi t  to 
the value of the current stack pointer) 
5. increment current stack segment’s ‘call-depth’ 
6. look up code segment and offset in method table 
7. load callee data segment 
8. place caller’s ID in general purpose register 
9. jump into callee code segment at  offset indicated 
by method table 
hardware 
Pentium 
If the call requires parameters they must be pushed 
onto the stack after the return address (parameters 
are conventionally pushed before the return address 
- i.e. instructions are issued push; push; c a l l ) .  
This is because the shrinking of the stack segment 
must preclude access to the return address so that it 
is incorruptible, but parameters must be accessible to 
the callee. 
Implementing shared memory in a component- 
based system involves a component granting access 
to its state to another. Despite breaking encapsula- 
tion, certain situations require this (e.g., a disk de- 
vice driver committing a component’s state to disk, 
or to achieve some optimisation). In Go! this is fa- 
cilitated by a callee granting access to its state to 
a caller (through some grantaccess  method). To 
achieve this, the callee simply invokes a specialisation 
of the ORB’S return method that copies the callee’s 
data segment into the ‘extra’ segment register. 
7 Results & comparisons with other 
This section reports on results pertaining to Go!% 
performance and compares them to that of other sys- 
tems. 
Inter-component communication is considered a 
good measure of performance because a) it can be 
systems 
Null RPC Domain Transfer 
55,000 13,000 
easily compared with other operating systems, and 
b) inter-component call times are critical to the suc- 
cess of finely-grained component-based systems. Inter- 
component timings are divided in two categories: null 
RPC and domain transfer. The former measures the 
time taken to return after calling a method of another 
component that takes no parameters, does no work, 
and produces no result. The latter measures the time 
simply to transfer control from one component to an- 
other without returning or recording information to 
do so. Go!’s measurements were made using the Pen- 
tium’s RDTSC instruction which counts the number of 
cycles that have elapsed since the machine was re- 
set. The test machine was a Pentium 90 with 32 MB 
of RAM. Results for comparison with other systems 
are extracted from published benchmarks [4], papers 
[14, 7, 9, 111 and experimentation. All results are in 
machine cycles. 
os 
BSD 
Mach 2.5 
Spring 
L4 
Pebble 
Go! 
3,000 1,600 
Pentium 
Note that some of the figures in this table were 
obtained on different hardware. However, despite the 
different architectures, it is clear that Go! significantly 
out-performs other operating systems. Also, the three 
most ‘useful’ results were all recorded on Pentium 
based machines. BSD gives a handle onto the cur- 
rent ‘industry standard’. L4 I151 is a lean research op- 
erating system, and represents the ‘best of the rest’. 
Note that although the table implies that Pebble out- 
performs L4, L4 on the MIPS outperforms Pebble (a 
one way IPC for L4 takes 86 cycles on a on a MIPS 
R4600, Pebble takes 114 cycles on a MIPS R5000). 
This suggests that should figures for Pebble on the 
Pentium be available they would show inferior IPC 
times than L4. 
As mentioned above, Go! itself does not handle in- 
terrupts; a novel approach in operating system de- 
sign. However, separating interrupt handling out to 
a server component implies poor interrupt latency. 
Component-based OSs which incorporate interrupt 
handling into their nucleus report an interrupt latency 
of 2000-3000 cycles [ll]. It is anticipated that GTE 
will offer interrupt latency of up to an order of magni- 
tude improvement over this. This is because to ensure 
a minimal nucleus other systems typically have inter- 
rupts signal a semaphore on which a handler thread 
542 
blocks. In GTE, the interrupt dispatcher directly sus- 
pends the current thread (50-100 cycles), and sched- 
ules a registered handler thread using a continuation 
[7] (taking another 50-100 cycles). Interrupt latency 
is reduced partly by the low overheads of a context 
switch in Go!, and not requiring a processor mode 
switch on an interrupt (due to the single processor 
mode). However, the main speed advantage comes 
from having the interrupt dispatcher at the same level 
of abstraction as threads and schedulers. 
8 Conclusion 
Using segmentation to restrict memory references 
and code-scanning to  prevent the execution of privi- 
leged instructions by untrusted components provides 
protection without the need for separate processor 
modes. This leads to extremely efficient and finely- 
grained componentised systems and also simplifies 
their architecture. A further advantage is that the 
operating system can become truly componentised - 
e.g., interrupt dispatching and inter-component pro- 
tection can be cleanly separated. 
Unfortunately, modern microprocessors tend not to 
support segmentation (despite both Intel’s and HP’s 
current architectures (IA32 and PA-RISC) supporting 
segmentation, even their new joint venture chip (IA64) 
does not support segmentation). We believe this lack 
of segmentation to be a mistake as component software 
technology becomes more widespread. 
References 
B. Bershad, C. Chambers, S. Eggers, C. Maeda, 
D. McNamee, P. Pardyak, S. Savage, and E. Sirer. 
SPIN - an extensible microkernel for application- 
specific operating system services. In Proc. 1994 Eu- 
ropean SIGOPS Workshop, 1994. 
R. Campbell, G. Johnston, and V. Russo. Choices 
(class hierachical open interface for custom embedded 
systems). Operating Systems Review 21, pages 9-17, 
July 1987. 
M. Clark and G. Coulson. An architecture for dy- 
namically extensible operating systems. In Proc. 4th 
ICCDS, Annapolis, Maryland, May 1998. 
BitMover Corp. Lm-bench 1.1 summary, 1997. 
http: //www. bit mover .com/lmbench/lmbench- 
summary/. 
Microsoft Corporation. COM: Server operat- 
ing system: A technology overview. Tech- 
nical report, Microsoft Corporation, 1999. 
http://www.microsoft .com/com/wpaper/compsvcs.asp/ 
P. Dasgupta, R. LeBlanc, M. Ahamad, and U. Ra- 
machandran. The clouds distributed operating sys- 
tem. IEEE Computer 24, November 1992. 
[7] R. Draves, B. Bershad, R. Rashid, and R. Dean. Using 
continuations to implement thread management and 
communication in operating systems. In Proc. The 
13th ACM Symposium on Operating Systems Princi- 
ples, Operating Systems Review, pages 122-136, Pa- 
cific Grove CA (USA), October 1991. 
[8] D. Engler, M. Kaashoek, and J. O’Toole. Exokernel: 
An operating sytem architecture for application-level 
resource management. In Proc. 15th ACM Symposium 
on Operating System Principles, pages 251-266, 1995. 
[9] J. Liedtke et al. Achieved ipc performance. In Proc. 
6th Workshop on Hot Topics in Operating Systems 
(HotOS), pages 28-31, May 1998. 
[lo] B. Ford and J. Lepreau. Microkernels should support 
passive objects. In Proc. Internation Workshop on 
Object- Oriented Operating Systems, 1993. 
[ll] E. Gabber, J. Bruno, J. Brustoloni, A. Silberscatz, 
and C. Small. The pebble component-based operating 
system. In Proc. 1999 USENIX Technical Conference, 
Monterey, CA, June 1999. 
[12] J. Gosling, B. Joy, and G .  Steele. The Java Language 
Specification. Addison-Wesley, 1996. 
[13] Object Management Group. CORBA - Common 
Object Request Broker Architecture. Technical re- 
port, OMG, 1999. http://www.omg.org/. 
[14] G. Hamilton and P. Kougiouris. The Spring nucleus: 
A microkernel for objects. In Proc. The USENIX 
Summer Conference, pages 147-159, 1993. 
[15] H. Hiirtig, M. Hohmuth, J. Liedtke, S. Schonberg, 
and J. Wolter. The performance of p-Kernel-based 
systems. In Proceedings of the ACM 16th Symposium 
on Operating Systems Princpiles, pages 66-77, 1997. 
[16] Intel Corporation. Intel Architecture Optimisation 
Manual, 1999. Order No. 242816-003. 
[17] J. Keedy. Paging and small segments: A memory 
management model. In Proc. 8th World Computer 
Congress, Melbourne, 1980. 
[la] J. Keedy and J. Rosenberg. Support for objects in 
the MONADS architecture. In Proc. Workshop on 
persistent object systems, pages 202-213, Newcastle 
NSW (Australia), January 1989. 
[19] George C. Necula. Proof-carrying code. In Pro- 
ceedings of the 24th ACM Symposium on Principles 
of Programming Languages, Paris, France, January 
1997. 
[20] S. Radia, G. Hamilton, P. Kessler, and M. Powell. 
The Spring object model. In Proc. USENIX Conf. on 
Object-Oriented Technologies, Monterey CA (USA), 
June 1995. http://www.usenix.org/. 
[21] A. M. Turing. On computable numbers, with an ap- 
plication to the entscheidungsproblem. Proceedings of 
the London Mathematical Society, Series 2(42):230- 
265, 1936-1937. 
543 
