A critique of the GNU Hurd multi-server operating system

The GNU Hurd's design was motivated by a desire to rectify a number of observed shortcomings in Unix. Foremost among these is that many policies that limit users exist simply as remnants of the design of the system's mechanisms and their implementation. To increase extensibility and integration, the Hurd adopts an object-based architecture and defines interfaces, in particular those for the composition of and access to name spaces, that are virtualizable. This paper is first a presentation of the Hurd's design goals and a characterization of its architecture, primarily as it represents a departure from Unix's. We then critique the architecture and assess it in terms of the user environment of today, focusing on security. Then follows an evaluation of Mach, the microkernel on which the Hurd is built, emphasizing the design constraints which Mach imposes as well as a number of deficiencies its design presents for multi-server-like systems. Finally, we reflect on the properties such a system appears to require.
