DRAFT: work in progress - - - comments solicited evolving Mach 3.0 to use migrating threads

technical reportLike most operating systems, Mach 3.0 views threads as statically associated with a single task. An alternative model is that of migrating threads, in which a single thread abstraction moves between tasks with the logical flow of control, and "server" code is passively executed. We have compatibly replaced Mach's static threads with migrating threads, isolating that aspect of operating system design and implementation. The key element of our design is a decoupling of the thread abstraction into the controllable execution context and the schedulable thread of control, consisting of a chain of contexts. A key element of our implementation is that threads are now "based" in the kernel, and temporarily make excursions into tasks via upcalls. The new system provides cleaner and more powerful semantics for thread manipulation, allows scheduling and accounting attributes to follow threads, simplifies both kernel and server code, and improves RPC performance. We have retained the old thread and IPC interfaces for backwards compatibility, with no changes required to existing client programs and only a minimal change to servers, as demonstrated by a functional Unix single server and clients. Code size along the critical RPC path has been reduced by a factor of three, while its logical complexity has been reduced by an order of magnitude. Initial timings show that the performance of local RPC, doing normal marshaling, has also improved by a factor of three. We conclude that a migrating thread model is superior to a static model, and that it is feasible to improve existing operating systems in this manner

Program specialization using the OMOS system

technical reportAbstraction and modularity provide many software engineering benefits. Hiding details of module internals can, however, prevent system implementors from being able to provide anything but a highly general implementation of a given module. We describe OMOS, a programmable linker/loader and system server that manages module implementations. OMOS allows system builders to describe system architectures in high-level terms, via a module construction scripting language. Using scripts, system implementors can provide modules that can test and react to both their static and run time environments. These modules, which we refer to as electric libraries, can produce implementations that are optimized at link or run time, without sacrificing modularity, expanding interfaces, or requiring changes in client programs. We identify and implement three types of specializations that OMOS can perform, and quantify the impact of two of them on a few standard Unix utilities: performance improvements ranged from 6% to 47%.

A Java-based active network operating system (JANOS)

technical reportThe JANOS prqjects' primary objective was to develop a principle local operating system for active network nodes. The operating system is oriented toward executing untrusted Java bytecode, primarily for management and control.,The original document contains color images

The Fluke Security Project

technical reportThis document presents the final report of the University of Utah-based project officially titled ""Mach 4 Kernel and IDL Infrastructure for Security"" but often referred to as the ""Fluke Security"" Project. This project is noteworthy for the number diversity, scale, robustness, and documentation of the six new software systems that were designed and developed. Although the project's primary focus was security and resource management in local operating systems, independently valuable results were also achieved in diverse technical areas conceived in support of the primary goals. These included compilation of interface definition languages, component-based software and software reuse, typesafe language technology, and distributed object systems

Active Protocols for Agile Censor-Resistant Networks

In this paper we argue that content distribution in the face of censorship is a compelling and feasible application of active networking. In the face of a determined and powerful adversary, every fixed protocol can become known and subsequently monitored, blocked, or its member nodes identified and attacked. Frequent and diverse protocol change is key to allowing information to continue to flow. Typically, decentralized and locally-customized protocol evolution is also an important aspect in providing censor-resistance

Evolving Mach 3.0 to a Migrating Thread Model

We have modified Mach 3.0 to treat cross-domain remote procedure call (RPC) as a single entity, instead of a sequence of message passing operations. With RPC thus elevated, we improved the transfer of control during RPC by changing the thread model. Like most operating systems, Mach views threads as statically associated with a single task, with two threads involved in an RPC. An alternate model is that of migrating threads, in which, during RPC, a single thread abstraction moves between tasks with the logical flow of control, and "server" code is passively executed. We have compatibly replaced Mach's static threads with migrating threads, in an attempt to isolate this aspect of operating system design and implementation. The key element of our design is a decoupling of the thread abstraction into the execution context and the schedulable thread of control, consisting of a chain of contexts. A key element of our implementation is that threads are now "based" in the kernel, and temporar..

Hybrid Resource Control of Active Extensions

The ability of active networks technology to allow customized router computation critically depends on having resource control techniques that prevent buggy, malicious, or greedy code from affecting the integrity or availability of node resources. It is hard to choose between static and dynamic checking for resource control. Dynamic checking has the advantage of basing its decisions on precise real-time information about what the extension is doing but causes runtime overhead and asynchronous termination. Static checking, on the other hand, has the advantage of avoiding asynchronous termination and runtime overhead, but is overly conservative. This paper presents a hybrid solution: static checking is used to reject extremely resource-greedy code from the kernel fast path, while dynamic checking is used to enforce overall resource control. This hybrid solution reduces runtime overhead and avoids the problem of asynchronous termination by delaying extension termination until times when no extension code is running, i.e., between processing of packets

Nested Java processes: OS structure for mobile code

The majority of work on protection in single-language mobile code environments focuses on information security issues and looks to the language environment for solutions. What is needed in these environments are not ad-hoc or incremental changes but a coherent approach to security, failure isolation, and resource management. Protection, separation, and control of the resources used by mutually untrusting components, applets, applications, or agents are exactly the same problems faced by multi-user operating systems. Therefore, we believe that real solutions will come only if an OS model is rigorously and uniformly applied. We present our initial experience developing a Java-based system which seeks to emulate a highly structured OS based on hardware-enforced protection, Fluke, and provides features appropriate to mobile code

The Case for Using Middleware to Manage Diverse Soft Real-Time Schedulers

Although a number of general-purpose operating systems have been extended with soft real-time schedulers and have the potential to support coexisting, independently developed real-time applications, this potential is currently largel