Exokernel: An OS Architecture for Application-Level Resource Management

Dawson Engler, M. Frans Kaashoek, and James O'Toole Jr.

The authors present a detailed discussion of "exokernels" and a prototype implementation, Aegis, running the ExOS application operating system. The central idea behind an exokernel is that operating systems should provide application-level management of physical resources in the interest of "performance, flexibility, and functionality". Rather than implementing an abstract virtual machine, an exokernel acts as a secure multiplexer of physical resources (CPU, memory, disk I/O, etc.). The advantage of this approach, the authors claim, is that it makes possible domain-specific optimizations, encourages changes to the implementation of existing abstractions, and gives application builders greater flexibility.

To achieve these goals, an exokernel exports a low-level, hardware-dependent interface and strives to divorce protection from management and allocation policies. Thus, exokernels such as Aegis export hardware resources rather than emulating them. An exokernel safely exports hardware using a combination of three mechanisms: (1) secure binding, (2) visible resource revocation, and (3) an abort protocol.

The secure binding mechanism allows an application to be authenticated once and then continue to access physical resources without compromising the system. For instance, a secure binding for physical memory pages can be implemented by mediating access to the TLB. Once a TLB entry is inserted with proper authentication, access to the physical pages referenced by the TLB entry proceeds without further runtime authentication.

The purpose of *visible* resource revocation is to allow the exokernel to reclaim physical resources and still avoid hiding information useful to a library operating system. For instance, a typical Unix application does not know that its physical pages have been reclaimed for use by another process. If the application were notified with low overhead, it might be able to make use of special knowledge to handle the reclamation more efficiently (e.g. by suggesting a different page).

Finally, the exokernel must implement an "abort protocol" in order to deal with ill-behaved application programs. If an application refuses or fails to relinquish resources that the exokernel has attempted to reclaim, the exokernel initiates the abort protocol to forcibly break the secure bindings of that application to the resource in question.

The remainder of the paper discusses the philosophy and motivation for exokernels in greater detail, touches upon problems related to multiplexing particular resources (e.g. packet networks where the higher layer protocols are not implemented by the exokernel), and covers the implementation and evaluation of Aegis itself. The implementation and analysis section was thorough. Not only do the authors describe the "base" system, they also discuss the potential for extensibility and performance enhancements under ExOS. The authors focus in particular on extensible RPC, paging data structures, and the implementation of a stride scheduler.
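
The three mechanisms summarized above, sketched as a toy C model of page multiplexing. This is an added example, not code from the paper or from Aegis; the ek_* names, the page table contents and the capability values are hypothetical and constructed for illustration.

```c
#include <stdbool.h>
/* Toy model, constructed for illustration; every name is hypothetical. */
enum { NPAGES = 4, NTLB = 4, NENV = 3 };   /* env ids 1..NENV-1; owner 0 = free */
struct page { int owner; unsigned cap; };
struct tlb_entry { bool valid; int env, vpn, ppn; };
/* Constructed state: env 1 owns pages 0 and 1, env 2 owns page 2, page 3 is free. */
static struct page pages[NPAGES] = { {1, 0xA11CE}, {1, 0xA11CE}, {2, 0xB0B} };
static struct tlb_entry tlb[NTLB];
static bool revoke_pending[NENV];

static bool owns(int env, int ppn) {
    return env > 0 && env < NENV && ppn >= 0 && ppn < NPAGES && pages[ppn].owner == env;
}
/* Secure binding: ownership and capability are checked once, at insert time. */
bool ek_tlb_insert(int env, int vpn, int ppn, unsigned cap) {
    if (!owns(env, ppn) || pages[ppn].cap != cap) return false;
    for (int i = 0; i < NTLB; i++)
        if (!tlb[i].valid) { tlb[i] = (struct tlb_entry){ true, env, vpn, ppn }; return true; }
    return false;                           /* TLB full */
}
/* Access path: a plain lookup, no further authentication; -1 means fault. */
int ek_access(int env, int vpn) {
    for (int i = 0; i < NTLB; i++)
        if (tlb[i].valid && tlb[i].env == env && tlb[i].vpn == vpn) return tlb[i].ppn;
    return -1;
}
static void break_bindings(int ppn) {       /* drop mappings, free the page */
    for (int i = 0; i < NTLB; i++)
        if (tlb[i].valid && tlb[i].ppn == ppn) tlb[i].valid = false;
    pages[ppn] = (struct page){ 0, 0 };
}
/* Visible revocation: the kernel asks the environment to give up a page. */
void ek_revoke_request(int env) { if (env > 0 && env < NENV) revoke_pending[env] = true; }
/* The library OS answers by releasing a page of its own choosing. */
bool ek_release(int env, int ppn) {
    if (!owns(env, ppn)) return false;
    break_bindings(ppn);
    revoke_pending[env] = false;
    return true;
}
/* Abort protocol: forcibly take a page from each environment that did not answer. */
int ek_abort(void) {
    int taken = 0;
    for (int p = 0; p < NPAGES; p++) {
        int e = pages[p].owner;
        if (e && revoke_pending[e]) { revoke_pending[e] = false; break_bindings(p); taken++; }
    }
    return taken;
}
```

The check in ek_tlb_insert is the only point of authentication; ek_access never consults the capability, which is why breaking a binding has to invalidate the TLB entry itself.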