Quote: use a small system nucleus for multiprogramming: implements internal and external processes, message communication, and privileged functions [»brinP4_1970]

Quote: write an operating system with a high-level language and a system nucleus

Quote: traditional operating systems hide information about machine resources with high-level abstractions; prevents domain-specific optimization and discourages alternatives [»englDR12_1995]

Quote: an exokernel separates protection of a physical resource from its management; an exokernel does not provide high-level concepts such as windows and files [»englDR12_1995]

Quote: the V kernel is about 50K bytes of code and data on a Motorola 68000 [»cherDR4_1984]

Quote: the Oberon system and compiler is described by 15 KLOC of source [»wirtN9_1989]

Quote: Apache has a small core server, a well-defined interface, and various ancillary projects; informal coordination for core team; highly efficient [»mockA7_2002]

Quote: EMERALDS is an extensible microkernel; rich set of OS services in 13 kbytes of code [»zubeKM10_2001]

Quote: EMERALDS maps the kernel into each address space; efficient system calls [»zubeKM10_2001]

Quote: build a hierarchy of processes on top of the system nucleus; implements operator communication, program scheduling, resource allocation, and other system strategies [»brinP4_1970]

Quote: structure an operating system as layers of insensitive, abstract machines

Quote: can implement and execute multiple operating systems on the same system nucleus [»brinP4_1970]

Quote: Topaz -- fine grained threads and multiple address spaces [»mcjoPR1_1989]

Quote: all kernel operations are atomic; either complete within a deadline or no observable effect [»shapJS1_2002]

Quote: the Mach kernel provides a small set of primitive functions and abstractions for building complete system environments [»acceM6_1986]

Quote: be careful of functions in low-level subsystems; every application will pay for it; limited information to do job efficiently [»saltJH11_1984]

Quote: Mach's primitive functions allow more complex services and resources to be represented as references to objects

Quote: the Mach kernel supports four basic abstractions: tasks, threads, ports, and messages. These match multiprocessor hardware [»acceM6_1986]

Quote: Mach tasks may handle page faults and page-out data requests independently of the kernel [»acceM6_1986]

Quote: EROS is 3x faster than Linux fork/exec and 1000x faster than Linux page faults and memory management [»shapJS1_2002]

Quote: Thoth's operating system includes memory management, messaging, multi-tasking, delays, and file I/O [»cherDR2_1979, OK]

Quote: Pilot provides streams, packet communications, hierarchical, virtual memory with large files, concurrent programming, and a modular language [»redeDD2_1980]

Quote: Pilot's managers implement file management and complex virtual memory operations

Quote: Pilot's kernel manages virtual memory access to special files and to preexisting, fixed-size normal files [»redeDD2_1980]

Quote: the Mach kernel only does scheduling, communication, and virtual memory; everything else at user level [»tevaA11_1989]

Quote: all operating system resources must be accounted for [»shapJS1_2002]

Quote: an exokernel exports secure binds to hardware resources with cooperative resource revocation and forced revocation [»englDR12_1995]

Quote: the EROS kernel cannot create or destroy resources; uses main memory as a cache [»shapJS1_2002]

Quote: the EROS kernel caches all state; requires explicit allocation of the memory map and dependency tracking [»shapJS1_2002]

Quote: the lowest level of a system is not safe; e.g., bus addresses for an I/O controller [»nelsG_1991]

Quote: the Styx protocol implements local device drivers with procedure calls and remote devices with mount driver and remote procedure calls [»dorwSM1_1997]

Quote: Inferno applications use a fixed set of files for devices and system services [»dorwSM1_1997]

Quote: represent device drivers with a data file and a control file

Quote: the A-7E flight software consists of a hardware-hiding module (hardware interfaces), a behavior-hiding module, and a software decision module (performance-related decisions)

Quote: recovery by restarting a device driver; most problems are rare or due to timing [»taneAS5_2006]

Quote: inter-process communication for user-mode drivers by fixed-length messages and synchronous rendezvous; pending interrupt bitmap; less than 10% penalty [»taneAS5_2006]

Quote: receive livelock--responding to interrupts all of the time; can happen with host-based routing, passive network monitoring, network file service [»moguJC8_1997]

Quote: system boot requires a security coprocessor to store cyrptographic keys for sealed storage and attestation; verifies the kernel's digest and starts in a well-defined state [»englP7_2003]

Quote: the nexus is a security-critical system manager with an isolated address space, secure agents, authenticated operations, and secure user input and output [»englP7_2003]

Quote: SPIN OS provides language-based, fine-grained access control and fine-grained user extensions; static type checking and dynamic linking [»bersBN12_1995]

Quote: SPIN's core services (e.g., memory and processor) must be trusted; incorrect usage isolated to the extension [»bersBN12_1995]

Quote: EROS uses capabilities to run active systems of user code; allows broken or hostile code [»shapJS1_2002]

Quote: an exokernel uses capabilities to guard access to physical memory pages [»englDR12_1995]

Quote: EROS has formal verification of security properties and very little performance loss [»shapJS1_2002]

Quote: EROS is a large space of capability-protected objects; memory pages, capability nodes, CPU time, network connections; only way to invoke operations [»shapJS1_2002]

Quote: the EROS kernel does not maintain state; user-allocated storage stores the security and execution state; may be cached [»shapJS1_2002]

Quote: EROS truncates messages to undefined destinations; otherwise, fault handlers may lead to denial-of-service, buffering creates local state, and timeouts are not repeatable under load [»shapJS1_2002]

Quote: many systems for untrusted OS extensions depend on a trusted garbage collector [»walkD7_2000]

Quote: explicitly designate the source of any authority [»shapJS1_2002]

Quote: a secure system must start in a consistent and secure state; EROS periodically verifies a consistent, global checkpoint of the entire state of the machine; used for bootstrapping [»shapJS1_2002]

Quote: Nooks wraps a device driver in a lightweight protection domain; copies kernel objects and checks parameters [»taneAS5_2006]

Quote: principle-driven design allows effective checks for errors; in eight years, every EROS kernel bug was caught by an assertion check [»shapJS1_2002]

Quote: many operating systems will crash and require a complete restart; often due to incorrect coordination of concurrent activity; better now [»dennPJ_1980]

Quote: the operating system must behave deterministically relative to its finite state model; if not, add global variables to state; each state represented by an equivalence class [»chenH8_2002]

Quote: Eventrons can replace even the lowest system levels with safe, managed code

Quote: new operating systems needed for extended databases used by separate modules; e.g., airline reservations and project management [»balzRM_1986]

Quote: operating system services are often too slow or inappropriate for databases; should support them [»stonM7_1981]

Quote: an upcall calls a higher level function across protection boundaries; an alternative to asynchronous signals [»clarDD12_1995]

Quote: an exokernel allows much faster protected control transfers and exception dispatch; five to seven times faster than the best reported implementation [»englDR12_1995]

Quote: exokernel interfaces are non-portable; use an library operating system to implement a standard interface [»englDR12_1995]

Quote: rewriting a downcall protocol as upcalls improved performance and code size by 5-10x [»clarDD12_1995]

Quote: use unique capabilities to avoid copying user data into kernel space and to ensure mutually exclusive access [»walkD7_2000]

Quote: timing services are woefully inadequate, even for computational tasks [»kernBW7_1998]

Quote: use an interrupting clock to regulate the bottom layer of the operating system [»dijkEW2_1971]

Quote: workload must not effect correct operations [»shapJS1_2002]

Quote: most system threads are too heavy-weight to support 10,000 threads in Java; implement virtual threads [»allmE7_2004]

Quote: Sing# has formal message passing semantics; all processes run in one virtual address space without overwriting data; avoids kernel traps and context switches [»taneAS5_2006]