Extensibility, Safety and Performance in the SPIN Operating System

B. Bershad, S. Savage, P. Pardyak, E. Sirer, M. Fiuczynski, D. Becker, S. Eggers, and C. Chambers. 1995

Presented by Nguyet Minh Nguyen (nguyetnm@cs.ubc.ca)


Presentation Slides [pdf][ppt]

Discussion

Here are some points that we discussed in class.

Submitted Questions

Haoran Song

The system solves protection by using type checking, but it is not totally secure. I think that some malicious application programs with type-safe extension could harm the system as well. What do you think?

Modula-3 is a type-safe language. But there are some other type-safe languages which provide a much safer and neater programming environment, such as SML. Is there any particular reason for them to choose Modula-3 rather than other type-safe languages?

I am wondering whether the single dispatcher would cause a performance bottleneck when there are a large number of extensions?

Alfred Pang

Safety essentially comes from the language, Modula-3. The paper's architectural description makes SPIN sound like an event-driven system with a lot of safety features built in. The performance figures in the paper show that SPIN has excellent performance. Supposing that we ignore the obvious issue of using a near-dead language like Modula-3, are there any architectural weaknesses in SPIN? Perhaps having an operating system that is too customizable makes it difficult for application writers to have a set of representative platforms to test on.

As well, is it possible for applications to "load" conflicting kernel extensions?

How long will it be, before a commercially popular OS will be written in anything but C/C++?

Wai Lun Fung

While Modula-3 is a language supporting garbage collection, how does it allocate/deallocate resources inside the kernel when Modula-3 is used to implement memory management?

Why would anyone be extending an OS using a type-safe language/compiler, which are slow and limited, when its performance is similar to a micro-kernel?

Anoop Karollil

Isn't an extension the equivalent of a Linux kernel module? When you do a modprobe/insmod, aren't you dynamically binding the module with the kernel?

Capabilities are basically checked by type safety of the Modula-3 programming language. How restrictive is this in building extensions?

Ivan King Yu Sham

How is the SPIN operating system different from a micro-kernel based system such as L4? SPIN does provide network services, but are there any fundamental differences between SPIN and L4?

How can a system like SPIN be implemented with a language that is NOT type-safe (i.e. C)?

Dutch Meyer

How hard or easy does this make extension (e.g. driver) development? For example, what would DMA with Modula-3 look like?

Could we use the time quantum event property (top of page 7) to make a real time system? (which begs the question - would we want to?)

How much does load time performance as a result of their dynamic linking scheme?

Ali Bakhoda

It seems that the complexity of the dispatcher's task increases significantly if a large number of guards and handlers are installed. How can we deal with performance degradation of the dispatcher in such cases?

How much does SPIN improve IPC in comparison with Sandboxing and L4?

Michael DiBernardo

It seems like a lot of the protection afforded by the approach described here is supplied by the modified Modula-3 compiler -- that is, the support is in the language. What happens if vendors want to supply their own customization language? How much of the system safety goes out the window if the compiler is poorly implemented, or if the compiler vendor chooses not to implement some of the safety mechanisms? How much safety is provided by the "raw" interface to the OS on its own (i.e. at the syscall level)?

How much protection does this scheme afford in the face of "soft" stupidity? For instance, if I write an application that provides a ton of extensions to the OS, this might potentially degrade the performance of other unrelated applications. Does their approach guard well against this sort of thing?

Now that open-source operating systems are more common, is this approach still really useful? That is, is it easier in most cases just to modify the code of a monolithic O/S like Linux instead of writing cute application-specific extensions using an extension-specific language? If so, why hasn't this technique caught on yet?

The system as implemented provides a basal level of OS functionality, and allows the application writer to implement extensions to enrich this functionality. However, is this base set of features sufficient for most small-to-medium size tasks, or is it the case that one would have to take the time to write extensions for even small projects?

Mirna Limic

I don't really understand why event guards are necessary if all of the code is written in a type safe language?

The trusted code cannot be extended, and could this be a potential obstacle to extensions?

Billy Chi-Hong Cheung

The basic concept of the SPIN model is to provide what it calls 'hooks' for its Events that allows for extensions. Yet, this sort of behaviour is exactly the kind frowned upon in most software development (since there is some difference between modularity and err...hook leaving). Do you suppose this is just the way SPIN is, or is it actually a reflection of underlying differences in priority between OS and software designers?

Is the use of type safe languages, as SPIN has, as a means for security becoming more prevalent in OS design to counter things like buffer overflows?

Kevin Loken

Can you explain "logical protection domains"?

Memory is cheap, and disk is slow. The fault isolation paper, and this one (as well as significant discussion) have focused on the memory management / TLB issue. What are the implications of disabling swap / page to disk? Do the issues go away?

Seon Ah Lee

Would you draw the SPIN model compounding the protection model and the extension model in a picture?

A strand seems to be a useful concept. Why don't common operating systems like Linux adopt the concept?

Henry Wong

Existence of a "vetting" program sounds dangerous. Is it really any more safe than *no* protection? In an unprotected environment (e.g. WindowsXP, Linux), users only run code the user "trusts". Giving the user the power to run code users "trust" means that there really isn't any improvement in security....kinda like WindowsXP device driver signing, where manufacturers simply tell their customer to click "Install Anyway" when told the driver they're installing isn't signed.

Is this scheme compatible across compiler vendors/versions? It would seem that the only way this scheme would work is if the Modula-3 compiler is proprietary and secret, so someone malicious doesn't create a malicious Modula-3 compiler that can sign its malicious object files.

What about performance comparisons against C/ASM monolithic OSs? Sure, in-kernel is faster than cross-address space (microkernel) communication, but what about in comparison to OSes with no protection? I'd speculate there is at least some overhead...

Lloyd Markle

Overall system protection gets a big boost from using a strongly typed language and doing static analysis of code. These techniques have been around for a long time but have never been accepted, I think, because it's probably hard to work with a strongly typed language. Do you think this point was overlooked or are languages like Modula-3 as easy to use as C? (It sounds funny to call C "easy to use")

It's nice to see an architecture that's designed to be tuned for each application but doesn't this add a lot of work to the developer? I guess SPIN would come with a lot of pre-built extensions but you still have to go through a process of evaluating them.

As a side note, it's nice to see events being used here.  To me it just plain makes sense to have the kernel notify processes of things rather than have the processes ask the kernel if anything is going on.

Jean-Sébastien Légaré

One of the goals of SPIN is to be highly extensible. Arbitrary users may customize SPIN by writing and installing new kernel code, and user-defined extensions can be linked into the kernel's address space and dynamically integrated with the executing system. Could one increase performance by just linking every program of a computer into the kernel, rather than running them as regular user processes?

Do you think that the conclusions regarding SPIN that were drawn from the microbenchmark results would have been different if SPIN had been compared with L4 instead of Mach?

What would you need to do if you wanted to run a program in Linux's kernel space?

Sam David

SPIN relies on the compiler to ensure that extensions are safe, but how do they know at runtime that an extension was compiled with a properly functioning compiler? Shouldn't they verify the safety of extensions at load time (like the Java Virtual Machine does with the programs it runs)? Otherwise, a malicious programmer could easily bypass the type-safety of Modula-3.

Is it expected that the average programmer will write extensions to SPIN, or would this only be done by a few people with specialized knowledge?

Gary Huang

In the performance section, Table 3 demonstrates that SPIN's direct approach to thread management is substantially faster than the other systems. There are two cases for SPIN: SPIN layered and SPIN native. What is the difference between the two cases?

The paper didn't mention security issues. Does the SPIN Operating System need to consider system security?

Mehmet Argun Alparslan

In the paper it is stated that cross address space procedural calls can be implemented by system calls and domains. I'm a bit uncomfortable about why and how the return paths are formed for protection, can you give your thoughts on that? Does this protection strategy defend the system against malfunctioning messages?

Application specific schedulers can also be used in the kernel besides the global scheduler, which is responsible for time slicing the application specific scheduler as well. In case of a failure of the application specific scheduler, is it possible for the global scheduler to replace the job of the app-spec scheduler?

Jun Zhang

Could you give some points on the disadvantages and advantages of SPIN?

As we know, Linux could be extended by loading new modules. Could you compare the two schemes?

Could you analyze the security of the SPIN operating system? I think it is a big drawback for it.

Mayukh Saubhasik

How does the dispatcher decide on the order of invocation for the various event handlers which are registered on the same event?

If type safe languages are the solution to all our safety/isolation woes, how come we are still programming in C? (This paper was written in 1995, I am just wondering what stopped type safe languages from becoming the de facto programming languages, given their advantages)

Aiman Erbad

How is this system different from Micro-kernels? What is the role of the programming language and the event based communication? What are the mechanisms used in Micro-kernels?

What is the hierarchy of the threading system for a simple process? Do user-level "strands" run over kernel-level "strands"? Why do they use different strand libraries? Can they reduce the effect on performance by merging the two?