| Commercial operating systems are expensive to extend and very often their "one-size-fits-all" design approach provides non-optimal support for important classes of applications. Several successful, and some not so successful, attempts have been made to build extensible operating systems. Three common characteristics of such attempts stand out. First, the typical strategy has been to build a core infrastructure that facilitates the construction of extensible system services. Second, the technology is almost always based on breaking up operating system functionality into easily manageable pieces. Finally, most attempts have resulted in completely new operating systems that are incompatible with existing commercial systems.;This dissertation addresses three specific objectives. First, it introduces an infrastructure based on Protected Shared Libraries (PSLs)--a new form of modularity that is easy to use and replace. Second, it demonstrates that this infrastructure can be integrated into an existing commercial operating system. Finally, by quantitatively comparing PSL-based protection with four other protection schemes, the dissertation dispels some existing myths about the cost of providing protection in modern systems.;Protected Shared Libraries (PSLs) extend the familiar notion of UNIX shared libraries to provide an efficient form of modularity that can be easily replaced and manipulated. PSLs provide protected state and can be invoked only through well-defined entry points. Communication is supported both through function call parameters and context-specific shared state. The inherent replacability of dynamically loadable libraries makes PSLs a good basis for building extensible systems. A functional prototype of the PSL infrastructure has been integrated into the IBM AIX 3.2.5 operating system.;The experimental results support the following assertions: The cost of hardware-based protection is proportional to the number of transitions from the client to the service. For software-based protection, cost is proportional to the number of instructions executed in the unprotected service domain. The effect of protection on the memory subsystem is unimportant. The impact of sharing data between client and service is important for subpage size data granularities but not for larger data granularities. The evolution of technology will favor hardware-based protection schemes over software-based schemes. |
