From Dependable Multi-user to Dependable Multi-application Operating Systems [Invited Talk]

Wolfram Schulte
Microsoft Research, Redmond, WA 98052, USA
[email protected]

ABSTRACT

In this talk I will report on two operating system (OS) efforts at Microsoft Research: Singularity [1, 2] and Service OS [3, 4]. Singularity focuses on the construction of dependable multi-user operating systems through innovation in the areas of systems, languages, and tools. One of Singularity's major innovations, for example, is its use of a new type-safe language and an abstract instruction set to enable what we call Software Isolated Processes (SIPs). SIPs provide the strong isolation guarantees of OS processes without the overhead of hardware-enforced protection domains. Singularity runs each program, device driver, or system extension in its own SIP. SIPs cannot be extended at runtime and do not share data, but they come with contracts and manifests that are statically enforced at compile or install time.

However, designing an OS as a multi-user system might not be the right OS model for the future. Today most personal computers are no longer shared by different users, but by mutually distrusting applications. The browser platform is the prime example of this change: a single web page often combines multiple applications from different service providers, all of which run within the same process without coherent support for resource access, control, and sharing. This makes web browsers a vulnerable platform.

In the light of these changes we envision Service OS, a multi-service OS on which web applications and traditional desktop applications converge. A service can be either code or data. Services are hosted in the cloud and cached on the client. The owner of a service is an OS principal; in the context of a browser we use the origin of a website as the principal. Like a traditional operating system, only the Service OS kernel controls resources and can grant access. But unlike a traditional OS, Service OS needs new resource management policies to capture the often hierarchical nature of application compositions.

We will sketch the design of Service OS, discuss where we intend to leverage Singularity technology, and point out outstanding research challenges.

Categories and Subject Descriptors

D.4.1 Operating Systems [Process Management]: Synchronization; Concurrency; Multiprocessing/multiprogramming/multitasking; H.4.3 Communications Applications [Information Systems Applications]: Information Browsers

General Terms Languages, Performance, Reliability, Security, Verification

Keywords Multi-user Operating System, Singularity, Software-isolated Processes, Multi-application Operating System, Browsers, Gazelle
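The Service OS model sketched in the abstract (web origins as OS principals, a kernel that alone holds and grants resources, and hierarchical composition of applications) can be made concrete with a small model. The Python below is an added illustration written for this page; it is not code from Singularity, Gazelle or Service OS. Its resource names, the delegation rule (an embedding principal may pass down only a resource it holds itself) and the cascading revocation are assumptions chosen to show what a hierarchical resource policy might look like, not the talk's or Gazelle's actual policy.

```python
# Added illustration: a toy multi-principal resource kernel in the spirit of the
# Service OS / Gazelle description above. Resource names, the delegation rule and
# cascading revocation are assumptions for this example, not the real design.
from typing import Dict, Optional, Set
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url: str) -> str:
    """Map a URL to its web origin (scheme, host, port), the OS principal here."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"unsupported or malformed URL: {url!r}")
    port = parts.port if parts.port is not None else DEFAULT_PORTS[parts.scheme]
    return f"{parts.scheme}://{parts.hostname}:{port}"


class AccessDenied(Exception):
    """Raised when a grant or delegation violates the kernel's policy."""


class ServiceKernel:
    """Only the kernel holds resource grants; services never hand them around.

    Assumed policy for the example:
      * grants are keyed by principal (origin), so no two origins share a grant;
      * owner (user) grants go to top-level applications only;
      * an embedding principal may delegate only resources it holds itself;
      * revoking a resource from a principal cascades to everything it embeds.
    """

    def __init__(self) -> None:
        self.parent: Dict[str, Optional[str]] = {}  # principal -> embedding principal
        self.grants: Dict[str, Set[str]] = {}       # principal -> granted resources

    def register(self, url: str, embedded_by: Optional[str] = None) -> str:
        """Register the service at `url`, optionally as embedded by another service."""
        principal = origin_of(url)
        parent = origin_of(embedded_by) if embedded_by else None
        if parent is not None and parent not in self.grants:
            raise AccessDenied(f"unknown embedding principal {parent}")
        self.parent.setdefault(principal, parent)
        self.grants.setdefault(principal, set())
        return principal

    def grant_from_owner(self, principal: str, resource: str) -> None:
        """Trusted path: the owner/user grants a top-level application a resource."""
        if principal not in self.grants or self.parent[principal] is not None:
            raise AccessDenied("owner grants go to registered top-level services only")
        self.grants[principal].add(resource)

    def delegate(self, parent: str, child: str, resource: str) -> None:
        """Hierarchical rule: a parent may pass down only what it already holds."""
        if self.parent.get(child) != parent:
            raise AccessDenied(f"{child} is not embedded by {parent}")
        if resource not in self.grants[parent]:
            raise AccessDenied(f"{parent} cannot delegate {resource}: it does not hold it")
        self.grants[child].add(resource)

    def revoke(self, principal: str, resource: str) -> None:
        """Revocation cascades down the composition tree."""
        self.grants.get(principal, set()).discard(resource)
        for child, embedder in self.parent.items():
            if embedder == principal:
                self.revoke(child, resource)

    def check(self, principal: str, resource: str) -> bool:
        return resource in self.grants.get(principal, set())


def demo() -> Dict[str, bool]:
    """Walk through a constructed composition: a news page embedding a map widget."""
    k = ServiceKernel()
    page = k.register("https://news.example/index.html")
    widget = k.register("https://maps.example/embed", embedded_by="https://news.example/")
    k.grant_from_owner(page, "geolocation")
    k.delegate(page, widget, "geolocation")
    out = {"widget_has_geolocation": k.check(widget, "geolocation")}
    try:                                   # the page never held "camera"
        k.delegate(page, widget, "camera")
        out["camera_delegated"] = True
    except AccessDenied:
        out["camera_delegated"] = False
    # http:// and https:// versions of the same host are distinct principals
    out["http_is_separate_principal"] = origin_of("http://news.example/") != page
    k.revoke(page, "geolocation")          # cascades to the embedded widget
    out["widget_has_geolocation_after_revoke"] = k.check(widget, "geolocation")
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two points the model makes visible: because scheme and port are part of the origin, the http and https versions of the same host are separate principals and cannot reach each other's grants, which is the analogue of SIPs not sharing data; and because every grant lives in the kernel, an embedded widget can only ever obtain a subset of what the page that embeds it holds, so the composition tree bounds what a third-party service can reach.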

1. REFERENCES

[1] Manuel Fähndrich, Mark Aiken, Chris Hawblitzel, Orion Hodson, Galen C. Hunt, James R. Larus, and Steven Levi. Language Support for Fast and Reliable Message-based Communication in Singularity OS. In Yolande Berbers and Willy Zwaenepoel, editors, EuroSys, pages 177–190. ACM, 2006.
[2] Galen C. Hunt and James R. Larus. Singularity: Rethinking the Software Stack. SIGOPS Oper. Syst. Rev., 41(2):37–49, 2007.
[3] Helen J. Wang, Chris Grier, Alexander Moshchuk, Samuel T. King, Piali Choudhury, and Herman Venter. The Multi-principal OS Construction of the Gazelle Web Browser. In Proceedings of the 18th USENIX Security Symposium, Montreal, Canada, August 2009.
[4] Helen J. Wang, Alexander Moshchuk, and Alan Bush. Convergence of Desktop and Web Applications on a Multi-Service OS. In Proceedings of the USENIX Workshop on Hot Topics in Security (HotSec), August 2009.

Copyright is held by the author/owner(s). SecuCode’09, November 9, 2009, Chicago, Illinois, USA. ACM 978-1-60558-782-0/09/11.
