Extensibility, Safety and Performance in the SPIN Operating System (Bershad et al.)

This paper describes the research, implementation and performance of the SPIN OS, another example of an extensible OS, in which extensions may come from untrusted applications. The motivation for the research is the observation that a general-purpose OS has to balance generality and specialization, and as a result it runs many programs but only a few of them well. While a general-purpose OS can be tuned for a specific task, that tuning may be costly for some applications. Their goal is to create a system that is extensible, can be dynamically and safely tailored to individual applications, and provides a basis for good application performance.

They suggest (and implement in SPIN) four techniques to improve application performance:
- co-location: OS extensions are linked into the kernel, so communication between application and kernel costs no more than a procedure call;
- enforced modularity: a consequence of their choice of extension language, Modula-3, which provides interfaces, type safety and garbage collection;
- logical protection domains: partitioned kernel namespaces, with the ability to communicate across namespaces;
- dynamic call binding: extensions execute in response to system events, and the system provides a mechanism for installing handlers.

While the authors provide a lot of detail, portions seemed a little difficult to read (maybe it is too late at night). The motivation is good.

Some of the more interesting ideas include:
- Using language features to ensure safety. The choice of Modula-3, which provides type checking, interfaces, threads, namespace protection, and exceptions, removes the need to reinvent safety mechanisms such as sandboxing and software fault isolation. (I'm not sure about the utility of garbage collection, though.)
- Capabilities: secure references to system resources, implemented in software. Software-based capabilities provide flexibility. (I do have questions about the scalability -- see below.)
- Guards, which provide fine-grained access control over resources, and protection domains, the set of resources accessible to an execution context, are also of interest.

Question(s) I have about SPIN: Is the protection offered by Modula-3 (i.e., software protection) sufficient and scalable? They touched on this in the workshop paper we read a couple of days ago. I'd guess that theoretically software protection is sufficient, but in practice what are the performance penalties associated with it?
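As an added illustration (not code from the paper or from SPIN itself, which is written in Modula-3), the Rust sketch below models two of the mechanisms above: dynamic call binding with guards, and capabilities whose unforgeability comes from the language's type system rather than from hardware protection. All type and function names are hypothetical, and the scenario (two extensions binding to one event and letting the guard decide which handler runs) is constructed for the example.

```rust
// Added example modelling SPIN-style guards and capabilities in Rust.
// Not SPIN's code; every name here is hypothetical.
use std::collections::HashMap;

pub mod kernel {
    /// Unforgeable reference to an event. The field is private to this
    /// module, so extension code cannot construct a Cap; only `grant` can
    /// mint one. Modula-3's opaque types play this role in SPIN.
    #[derive(Clone, Copy, Debug, PartialEq, Eq)]
    pub struct Cap { event: &'static str }
    impl Cap { pub fn event(&self) -> &'static str { self.event } }
    /// The kernel decides which extension receives which capability.
    pub fn grant(event: &'static str) -> Cap { Cap { event } }
}
use crate::kernel::Cap;

/// A system event raised by the kernel (constructed shape for this demo).
pub struct Event { pub name: &'static str, pub port: u16, pub len: usize }
type Guard = Box<dyn Fn(&Event) -> bool>;
type Handler = Box<dyn Fn(&Event) -> String>;

#[derive(Default)]
pub struct Dispatcher { handlers: HashMap<&'static str, Vec<(Guard, Handler)>> }

impl Dispatcher {
    /// Dynamic call binding: an extension may only install a handler on an
    /// event it holds a capability for. The guard is a predicate evaluated
    /// by the dispatcher on every raise, so handler bodies never run for
    /// events outside the guard (fine-grained access to the event stream).
    pub fn install(&mut self, cap: Cap, guard: Guard, handler: Handler) {
        self.handlers.entry(cap.event()).or_default().push((guard, handler));
    }
    /// Raise an event: every handler whose guard passes is invoked directly,
    /// at procedure-call cost, since extensions are co-located in the kernel.
    pub fn raise(&self, ev: &Event) -> Vec<String> {
        self.handlers.get(ev.name).map_or(Vec::new(), |hs| {
            hs.iter().filter(|(g, _)| g(ev)).map(|(_, h)| h(ev)).collect()
        })
    }
}

/// Two extensions bind to the same event; the guards demultiplex by port.
pub fn demo() -> (Vec<String>, Vec<String>) {
    let mut d = Dispatcher::default();
    let cap = kernel::grant("packet_arrived");
    d.install(cap, Box::new(|e: &Event| e.port == 80), Box::new(|e| format!("http:{}", e.len)));
    d.install(cap, Box::new(|e: &Event| e.port == 22), Box::new(|e| format!("ssh:{}", e.len)));
    let http = d.raise(&Event { name: "packet_arrived", port: 80, len: 512 });
    let other = d.raise(&Event { name: "packet_arrived", port: 9999, len: 8 });
    (http, other) // ("http:512" only; no guard matches port 9999)
}
```

Note that nothing outside `kernel` can write `Cap { .. }`, so an extension cannot forge a capability for an event it was not granted; that is the language-enforced protection the paper relies on instead of hardware boundaries.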