Objectives of KeyKOS
Download
Report
Transcript Objectives of KeyKOS
Microkernels
How to build a dependable, modular
and secure operating system?
Goals of Lecture
to show that operating system can be
divided into sets of abstractions,
mechanisms and policies
to explain the alternative way an operating
system can be built
to present main design issues of KeyKOS
microkernel
Structure of Lecture
introduction to microkernel technology
comparison of monolithic OS with
microkernel based OS
description of KeyKOS microkernel
Concept of Microkernel
the idea dates back to 1969 when was
introduced by Per Brinch Hansen
alternative approach to operating system
construction
attempt to make operating systems more
modular, more extendable, more secure and
more reliable
Monolithic Operating System
kernel of monolithic operating system
provides high-level abstractions and realises
sophisticated resource scheduling policies
as kernel does too many things, it tends to
be large and unreliable
additionally, monolithic OS cannot evolve
over time to meet new requirements
Microkernel Approach
microkernel implements only small set of
simple abstractions and mechanisms
higher level abstraction and services are
provided by ordinary sequential processes
the computing environment is created by
co-operating processes
Advantages of Microkernel
various parts of OS can be designed,
implemented, tested and executed
independently
as components of OS and their mutual
relations can change over time, the
evolution is easy to take place
more operating systems can run on top of
microkernel simultaneously
Disadvantages of Microkernels
as most of services are provided by
computational processes, there are much
more context switches and larger
communication overhead compared to
monolithic OS
KeyKOS
The nanokernel architecture
Objectives of KeyKOS
To solve the security, data sharing, pricing,
reliability and extensibility requirements of
a commercial computer service in a network
environment
History of KeyKOS
1972
1974
1976
1979
written description
development funding
first terminal message
public presentation
Architectural Foundations
Stateless kernel
Single-level store
Capabilities
Stateless Kernel
the system outside the microkernel is
completely described by contents of pages
and nodes, which are persistent
all microkernel state can be derived after
system crash or power outage
memory functions merely as a disk cache
Single-Level Persistent Store
applications, like memory pages, are
persistent
data consistency is guaranteed by making
periodic checkpoint
persistence is rule, not exception
Objects and Capabilities
every object in the system is exclusively
referred to by one or more capabilities
capability gives its holder the authority to
request a service from object it names;
object has no intrinsic authority
messages are the only form of interaction
between objects
Computing Model
it is worth to view microkernel as a virtual
machine which provides objects with
communication capability and primitive
objects
further, the notion of isolated application
can be replaced by the paradigm of cooperating components
Primitive Objects
all state information in the system is stored
in two types of primitive objects
pages which can store data
nodes which can store capabilities
primitive objects are persistent
it follows that any non-primitive object in
the system is persistent as well
Fundamental Objects
objects built from one or more nodes and/or
pages and interpreted by the kernel itself
domains provide an environment in which
process can execute
segments define a portion of memory storage
meters control and measure computer resources
Computing Issues
all policy issues are removed from kernel by
introducing the concept of keepers
domain keeper
segment keeper
meter keeper
Security Issues
we cannot always anticipate the security
policies which will be needed in the future
it proves useful to separate security
(policies) from protection (mechanisms)
system should obey the Principle of Least
Authority