TDT09 Topic 8


Monolithic, micro-, exokernels - one size fits all?

Operating system kernels were traditionally developed as large, monolithic programs that integrated all system-level functionality. This led to a number of problems: because components inside the kernel were not protected from each other, a badly written device driver could bring down the whole operating system [1]. The problems of monolithic kernels were well known in the early 1990s, which led to Linus Torvalds' announcement of the first Linux version being harshly criticized by Andy Tanenbaum [2], who had designed Minix, a teaching-oriented Unix-like OS based on microkernel principles:
I still maintain the point that designing a monolithic kernel in 1991 is a fundamental error. Be thankful you are not my student. You would not get a high grade for such a design :-)

Accordingly, a number of approaches were developed to reduce the functionality implemented inside the OS kernel and, with it, the size of the kernel and of the Trusted Computing Base (TCB) [3] and Reliable Computing Base [4] relevant for security and dependability. Early approaches such as Mach [5], however, still included device drivers in the kernel, which resulted in a large, complex architecture that was not much smaller than a typical monolithic kernel. Liedtke developed L4 [6], the first second-generation microkernel that enabled the building of small and performant microkernel-based operating systems.

Other approaches went more minimal, such as Engler's exokernel [7], which is a forerunner of today's system-level virtualization technologies such as Xen [8]. Accordingly, a debate started about the right approach to small kernel architectures. The Xen and L4 developers discussed whether virtual machine monitors were microkernels done right in two papers with the same title, but very different standpoints [9,10]. This debate is still going on today.

This topic is still highly relevant, as the level of abstraction from the hardware influences the overall performance of a system; furthermore, small privileged OS kernels allow better isolation of other system components, which improves security and reliability.

References

  1. Michael M. Swift, Muthukaruppan Annamalai, Brian N. Bershad, and Henry M. Levy. 2006. Recovering device drivers. ACM Trans. Comput. Syst. 24, 4
  2. Chris DiBona et al. Open Sources: Voices from the Open Source Revolution. O'Reilly 1999 - Appendix A: The Tanenbaum-Torvalds Debate
  3. Lenin Singaravelu, Calton Pu, Hermann Härtig, and Christian Helmuth. 2006. Reducing TCB complexity for security-sensitive applications: three case studies. In Proceedings of EuroSys'04
  4. Michael Engel and Björn Döbel. The reliable computing base – A paradigm for software-based reliability. Proceedings of INFORMATIK 2012
  5. Alessandro Forin et al. Microkernel operating system architecture and Mach. Proceedings of the USENIX Workshop on Microkernels and Other Kernel Architectures, 1992
  6. Jochen Liedtke. Microkernels Must And Can Be Small. Proceedings of the 5th IEEE International Workshop on Object-Orientation in Operating Systems (IWOOOS), 1998
  7. D. R. Engler, M. F. Kaashoek, and J. O'Toole. 1995. Exokernel: an operating system architecture for application-level resource management. SIGOPS Oper. Syst. Rev. 29, 5
  8. Paul Barham, Boris Dragovic, Keir Fraser, Steven Hand, Tim Harris, Alex Ho, Rolf Neugebauer, Ian Pratt, and Andrew Warfield. 2003. Xen and the art of virtualization. SIGOPS Oper. Syst. Rev. 37, 5
  9. Steven Hand, Andrew Warfield, Keir Fraser, Evangelos Kotsovinos, and Dan Magenheimer. Are virtual machine monitors microkernels done right? In Proceedings HOTOS10
  10. Gernot Heiser, Volkmar Uhlig, and Joshua LeVasseur. 2006. Are virtual-machine monitors microkernels done right? SIGOPS Oper. Syst. Rev. 40, 1