On traditional operating systems only trusted software such as privileged servers or the kernel can manage resources. This talk proposes a new approach, the exokernel architecture, which makes resource management unprivileged but safe by separating management from protection: an exokernel protects resources, while untrusted application-level software manages them. As a result, in an exokernel system, untrusted software (e.g., library operating systems) can implement abstractions such as virtual memory, file systems, and networking. Untrusted resource management yields dramatic benefits. Our prototype exokernel system runs a web server 8 times faster than the closest equivalent on the same hardware, common unaltered Unix applications up to three times faster, and improves global system performance up to a factor of five.

This talk proposes, describes, and evaluates the exokernel architecture. Results include the measured performance of real applications on Xok, an x86-based exokernel implementation, and a description of techniques invented to achieve the most difficult goals of the exokernel approach. The most unusual technique, untrusted deterministic functions, enables an exokernel to trust (potentially malicious) applications to track the resources they own, without understand how they do so. Additionally, the talk reflects on the sometimes painful lessons learned in building three exokernel-based systems and tentative results indicating that exokernel ideas can be transfered to existing operating systems

This is joint work with Frans Kaashoek, Greg Ganger, Hector Briceno, Russell Hunt, David Mazieres, Thomas Pinckney, and John Jannotti.