COVER FEATURE OUTLOOK

Outlook on Operating Systems

Dejan Milojičić, Hewlett Packard Labs Timothy Roscoe, ETH Zurich

Will OSs in 2025 still resemble the Unix-like consensus of today, or will a very different design achieve widespread adoption?

eventeen years ago, six renowned technolo- more technical: by following the argument that the OS gists attempted to predict the future of OSs will change, we can identify the most promising paths for an article in the January 1999 issue of IEEE for OS research to follow—toward either a radically dif- Concurrency.1 With the benefit of hindsight, ferent model or the evolution of existing systems. In Sthe results were decidedly mixed. These six experts research, it’s often better to overshoot (and then figure correctly predicted the emergence of scale-out archi- out what worked) than to undershoot. tectures, nonuniform memory access (NUMA) perfor- Current trends in both computer hardware and mance issues, and the increasing importance of OS application software strongly suggest that OSs will security. But they failed to predict the dominance of need to be designed differently in the future. Whether Linux and open source software, the decline of propri- this means that Linux, Windows, and the like will be etary Unix variants, and the success of vertically inte- replaced by something else or simply evolve rapidly grated Mac OS X and iOS. will be determined by a combination of various tech- The reasons to believe that OS design won’t change nical, business, and social factors beyond the con- much going forward are well known and rehearsed: trol of OS technologists and researchers. Similarly, requirements for backward compatibility, the Unix mod- the change might come from incumbent vendors and el’s historical resilience and adaptability,2 and so on. “If open source communities, or from players in new it ain’t broke, don’t fix it.” markets with requirements that aren’t satisfied by However, we argue that OSs will change radically. existing designs. Our motivation for this argument is two-fold. The first Ultimately, though, things are going to have to change. has been called the “Innovator’s Dilemma,” after the book of the same name:3 a variety of interests, both com- HARDWARE TRENDS mercial and open source, have invested substantially in Hardware is changing at the levels of individual devices, current OS structures and view disruption with suspi- cores, boards, and complete computer systems, with cion. We seek to counterbalance this view. The second is deep implications for OS design.

COMPUTER 0018-9162/16/$33.00 © 2016 IEEE JANUARY 2016 43 OUTLOOK

Complexity hardware—such as cores, devices, OS—and perhaps application—level. Hardware is becoming increasingly and memory—can be powered up and They will be able to execute adaptive more complex. Today, the program- down at any point during execution. algorithms subject to memory access ming manual for a system-on-chip patterns. Memory controller functions (SoC) part for a phone or server blade Nonvolatile main memory will be executed closer to memory typically runs to more than 6,000 As technology advances, we expect (outside CPUs), implementing optimi- pages, usually not including documen- large, nonvolatile main memories zations such as encryption, compres- tation for the main application cores. to become prevalent.5 This doesn’t sion, and quality-of-service functions. Large numbers of peripheral devices only mean that most data will per- are integrated onto a die, each with sist in nonvolatile memory (NVM) as Systems complex, varying programming mod- opposed to DRAM or disk, but also that Taking a step back, we see that the els. More and more of these devices— packaging, cost, and power efficiency boundaries of today’s machines are networking adaptors, radios, graphics will make it possible to architect and different from traditional scale-up processors, power controllers, and so deploy far more nonvolatile RAM and scale-out systems. The resources on—are now built as specialized pro- (NVRAM) than DRAM. Main memory of a closely coupled cluster such as a cessors that execute specialized firm- will be mostly persistent and will have rack-scale InfiniBand cluster must be ware with little OS integration. much greater capacity than today’s managed at a timescale the OS is used The OS communicates with these disks and disk arrays. to, rather than those used for tradi- peripherals via proprietary messag- With large numbers of heteroge- tional middleware. ing protocols specific to producers of neous processors, this memory will be We’re so accustomed to thinking peripheral devices. This marks the highly distributed but perhaps not in of Linux or Windows as OSs—because beginning of the trend toward dark the way we see today. Photonic inter- they started that way—that it’s rare to silicon, a large collection of highly connects and high-radix switches can consider a functional definition of an specialized processors, only a few of expand the load-store domain (where OS. Consider the following traditional which can be used at a time.4 cores can issue cache-line reads and definition of an OS: “an OS is a col- These devices’ interconnects are writes) across multiple server units lection of system software that man- also becoming more complex. A mod- (within a rack or even a datacenter) ages the complete hardware platform ern machine is a heterogeneous net- and potentially flatten the switch and securely multiplexes resources work of links, interconnects, buses, hierarchy, resulting in more uniform between tasks.” and addressing models. Not all devices memory access.6 Linux, Windows, and Mac OS all are accessible from all general-purpose This further enlarges the memory fail this definition. A cellphone OS cores, and the same is true of memory: accessible from a single CPU beyond is a mishmash of proprietary device the cozy view of a computer as a single that supported by modern 64-bit pro- firmware, embedded real-time execu- cache-coherent physical address space cessors, which implement no more tives, and the Linux or iOS kernel and containing RAM and devices has been than 52 bits of physical address space its daemons that run applications and a myth for at least the last decade. and as little as 42 bits for some CPUs. manage a fraction of the hardware. The In the short term (it’ll be a few years OS of a datacenter or rack-scale appli- Energy until processor vendors implement ance is typically a collection of differ- These systems aren’t static, either. As more address bits), this will lead to con- ent Linux installations as well as cus- a system resource to be managed by figurable apertures or windows into tom and off-the-shelf middleware. If the OS, energy is now just as import- available memory. Typical time scales we want to examine the structure of a ant as CPU cycles, bytes of RAM, of general-purpose OSs span multiple real-world, contemporary OS, we need or network bandwidth, whether in decades, whereas real-time and embed- to look elsewhere. A great deal of tra- the form of cellphone battery life or ded OS lifetimes are only a few years. ditional OS functionality is now occur- datacenter power consumption. Not In the longer term, memory con- ring outside of general-purpose OSs; it’s least among the many implications trollers are likely to become more moved to the top-of-rack management for new OS design is that most of the intelligent and programmable at the server, closer to memory (memory-side

44 COMPUTER WWW.COMPUTER.ORG/COMPUTER controllers), to various appliances (intru- example) is light: applications are very backplane network. Allocating inter- sion detection systems, and storage), or different now, granting us the freedom connect bandwidth be­comes import- to specialized cores on the same die. to change the OS interface. ant in these machines: a skewed hash join in a large relational database can Diversity Rack-scale computing easily saturate 100 gigabits per second Hardware is also becoming more One trend we’re seeing in applica- (Gbps) FDR InfiniBand links inside the diverse. Beyond the complexity of any tions is rack-scale computing, which appliance and significantly impact single product line of machines, the is sometimes deployed as software performance. Distributed coordina- designs of every processor, SoC, and appliances (called tin-wrapped soft- tion of CPU scheduling, combined complete system are different. SoCs ware). Many enterprise applications with careful interconnect manage- were always heterogeneous, but they such as file servers, relational and ment, is essential. were used in special-purpose systems; nonrelational databases, and big data In an effort to optimize perfor- now they’re used in general-purpose analytics now come prepackaged in a mance, rack-scale applications often sys­tems. Engineering a general-purpose rack-scale software appliance (exam- exploit the lowest-latency communi- OS that can be used widely and evolve ples include Oracle’s Exadata and Exa- cation mechanisms available, such as as hardware changes (and with it, the lytics products or the SAP HANA data- remote direct memory access (RDMA) tradeoffs required for scalability, per- base). Such appliances usually consist one-side operations. This means that formance, and energy efficiency) is a of a collection of server machines and memory management and protection formidable challenge. optional custom hardware accelera- in the OS becomes a distributed sys- In a remarkable change from 15 tors, connected by a high-bandwidth tems problem. years ago, hardware adapts and diver- internal network such as InfiniBand. Large-scale persistent main mem- sifies much faster today than system Customers plug in the power and net- ories are likely to be adopted first in software does—faster than the current work cables, configure it, and go. the appliance space because most data OS engineering practice of monolithic Tin-wrapped software is attractive processing in such systems is already kernels can keep up with. Short-term to software vendors for a number of done in main memory (either RAM or solutions include backward-compatible reasons. Because the vendor controls with a large cache of memory-mapped workarounds by hardware vendors the hardware platform that the OS runs flash memory). Being able to support (giving up on the full potential of new on, support costs are greatly reduced— very large, persistent physical memory hardware features), hiding or mitigat- there’s no need to validate the soft- within a given power envelope could ing the problem through vertical inte- ware on every conceivable PC server, greatly increase the capacity of enter- gration, or deploying huge internal network card, or version of Windows prise data-processing appliances. software-engineering efforts for each or Linux. Tin-wrapped software also new product. allows vendors to introduce custom Datacenter challenges hardware that doesn’t have to be com- Beyond the scale of information appli- APPLICATION CHANGES patible with every customer’s existing ances are enterprises and service pro- The ways in which computers are used systems. The market for such enter- viders who operate applications across and the applications that run on them prise software appliances is huge. entire datacenters. are also changing, calling into ques- Because the appliance only runs Datacenter challenges include app­ tion many OS designs of the last 40 one software package, one might lication deployment, upgrades, and years. This is both a challenge and an think OS issues are simplified, but this maintenance. Unlike tin-wrapped soft- opportunity. It’s a challenge because isn’t true in practice. Enterprise soft- ware, datacenter applications can’t be current OSs don’t match up well with ware packages are highly complex ser- coupled to a controlled hardware plat- the applications they’re called on to vices with many different tasks run- form. Instead, code must be upgraded support. It’s an opportunity because ning at the same time and competing across thousands of machines in a the burden of history (backward com- for resources. In addition to the tradi- coordinated manner, often without patibility, long-standardized APIs, and tional application resources an OS has suffering from downtime. Provision- established programming models, for to manage, there’s also the appliance’s ing capacity for such applications is an

JANUARY 2016 45 OUTLOOK

ongoing problem: workloads change up­date issues posed by this new kind shared-­memory program that runs in and new processing nodes must be of environment. kernel mode and handles interrupts acquired, installed, and added to the In the early days of computers, an and system calls. This simply doesn’t running system without adversely OS existed to manage a competing work on a machine with heteroge- affecting computation. set of complete applications sharing neous pro­cessors; different instruction Datacenters run many applications a machine. The basic OS abstractions sets; and memory that’s not completely at a time—sharing single conventional that evolved to represent applications coherent, exists at different addresses OSs, packaged into containers, or run- (for example, processes) have long been as seen by different cores, and might ning on virtual machines (and poten- inadequate: applications grew to in­ not even be shared. All of these are tially over virtual networks). In all clude many processes in the same features of modern machines that are cases, performance isolation is a crit- OS. Today, a single application spans likely to continue in the future. ical concern. Indeed, for many com- potentially thousands of OS instan­ A single large kernel raises other mercial applications, adequate pre- ces on hardware platforms rang- concerns, such as trust. Viewing a sin- dictable performance is a correctness ing from sensors and smartphones to gle monolithic kernel as the trusted issue, albeit in a very different manner high-­performance datacenter server computing base is one thing on a from classical real-time systems. machines. It shouldn’t be surpris- machine with a few gigabytes of mem- Although applications require pro­ ing, then, that existing OSs, whose ory and a handful of cores, but is very per allocation of interconnect band- core abstractions have changed little different on a machine with a peta- width in rack-scale systems, cloud ser- over the last three decades, don’t pro- byte of main memory and thousands vices in datacenters often have much vide a clear match to this application of cores. With hardware at this scale, more complex requirements from structure. transient or persistent failures are the infrastructure, both in their use common (as they are in clusters), and of dynamically instantiated virtual WHAT’S BROKEN? it’s no longer reasonable for one core machines and with the increase in It’s remarkable how many assump- to depend on, let alone trust, code run- software-defined networks (SDNs) and tions about OS design embodied in ning in kernel mode on another core network function virtualization. modern systems like Linux and Win- on the other side of the machine. These applications’ security require- dows are either violated or irrelevant, Recognizing this situation forces an ments have also radically changed— in light of the modern trends in hard- OS designer into a much more distrib- not only do the requirements apply to ware and application models previ- uted design. The interesting question network traffic, but these applications ously mentioned.7 We’re being delib- moving forward is to what extent this can have hundreds of millions of users. erately provocative in this article, but scenario resembles a classical distrib- In many cases, as we’ve seen recently, we’re also serious. uted system and to what extent it will such applications’ security is best We’re certainly not the first to point be something new. At least two features expressed in terms of complex security out the deficiencies of current OS distinguish large, modern computers policies governing information flow to designs. Also note that the following from the distributed systems of yore: prevent leakage of sensitive data, not as issues are not “bugs”—they arise from they have regions of partially shared simple resource access control. the fundamental structures on which memory as well as message chan- Finally, these applications increas- an OS like Unix or Windows is based. nels, and the message latency between ingly span centralized datacenter ser- If you fixed them, you’d have a dif- nodes (or cores) is close to the cost of a vices, individual users’ mobile devices, ferent OS. This naturally begs the last-level cache miss on a single core. and a growing number of embedded question: However it ends up being sensors and actuators in the Inter- branded, what will such an OS look Authorization and security net of Things. A look at recent media like? Unsurprisingly, an authorization and reports and research papers strongly security model designed for a small suggests that no one has a good handle Single monolithic kernel workgroup of trusted interactive users on how to manage the interconnected Modern OS designs share the con- (such as POSIX) or human members of security, reliability, and software cept of a single, multithreaded, a larger organization (such as Kerberos

46 COMPUTER WWW.COMPUTER.ORG/COMPUTER or Windows Active Directory) is inap- than temporal scheduling, becomes hardware (memory managing unit; propriate for online cloud services, the key challenge. MMU) has proven to be incredibly use- application stores, virtual infrastruc- Worse, in rack-scale machines, an ful for a variety of purposes: relocation ture platforms, single-user handheld application is inherently distributed. of code and data, simplified memory devices, and distributed applications. In larger systems, it runs on behalf of allocation, copy-on-write of regions, The security challenges we face millions of individual users. As with detecting reads and writes to certain today concern privacy, information security, we need scheduling entities locations, and so on. flow, untrusted applications running with user privileges, and social net- works with billions of users. At the OS layer, it might not make much sense to talk about traditional users—human THE WAYS IN WHICH COMPUTERS AND users installing and running programs APPLICATIONS ARE USED ARE CHANGING, they don’t understand from third par- CALLING INTO QUESTION MANY OS ties are the wrong security principals. DESIGNS OF THE PAST 40 YEARS. A fine-grained authorization mecha- nism like that afforded by capabilities, perhaps combined with a concept of distributed information flow control at that make sense. Containers are a step However, this has all been achieved scale, could be the way forward. in the right direction, but they don’t yet in spite of, rather than using, the basic make sense in a distributed machine. virtual address space abstraction, Scheduling Building the right CPU scheduler for which hides physical memory charac- Modern OS schedulers manage pro- the future will be challenging: early teristics. Moreover, the physical mem- cesses or threads as a basic unit of CPU experience with cluster-level schedul- ory backing an application increasingly allocation. But for modern multicore ers suggests that a loosely coupled, dis- matters to the application. For example, hardware and typical applications, tributed approach is essential. There’s RDMA reads and writes are stored in this is irrelevant. The recent increase simply too much important, fine- physical memory, data structures are in containers—and virtual machines grained, and time-sensitive schedul- allocated in NUMA-aware ways, and before them—is a response to the fact ing information to be effectively aggre- physical memory exists in different that, astonishingly, no mainstream gated in a single centralized scheduler. forms (DRAM, scratchpad, persistent, OS in the mid-1990s had an abstrac- and so on). This rich functionality is tion corresponding either to a com- Virtual memory accessed by a motley collection of func- plete application installation or to a Virtual memory is another strong tions that punch holes in the clean vir- running application instance. On a candidate for change.8 Page-based tual address space abstraction. single machine, an application spans address translation hardware was multiple processes and threads, and originally designed to allow applica- Network stack calls out to server processes it shares tions to use more memory than was The network stack is also looking a with other programs. Moreover, dyna­ physically present in the machine bit tired. Network bandwidth to an mic migration of threads to balance via demand paging. The OS abstrac- adaptor is still increasing, but the the load across cores (as in Linux, tion corresponding to this hardware speed of individual processing cores for example) makes no sense when was a virtual address space magically is decreasing. The solution is to de-­ cores are radically heterogeneous, backed with (uniform) physical RAM. multiplex network flows between end-­ and where the objective is to optimize Paging almost never happens today, system cores in the network inter- energy usage subject to fixed perfor- and large machines in the future are face controller (NIC) hardware, using mance goals, rather than raw interac- likely to have much more memory direct memory access (DMA) to write tive response time or bulk throughput. than can be represented in the vir- into a large number of different ring Effective spatial scheduling, rather tual address space. The translation buffers (some modern NICs already

JANUARY 2016 47 OUTLOOK

Application trends Perpetual delivery Automated Complex In-network Noise Virtualized computing free What’s broken? OS outlook In-memory Data intensive Power aware Virtual memory NUMA Network Capability Reduction of Containers durability awareness stack extensions API compatibility Process / threads Authorization and Programmable Persistent Off critical path as computing units; Files security model MMUs data structures scheduling Main memory Hardware trends Single monolithic Trust Partially shared memory Distributed OS Multikernel will become kernel model vs. message passing architecture Energy Increasing critical Heterogeneity constrained complexity Large Rack-size Dark address appliances silicon spaces Nonvolatile Photonics SoCs memories switches

FIGURE 1. Impact of application and hardware trends on OSs, what’s broken in current OS design, and the OS outlook. SoCs: systems on chip; NUMA: nonuniform memory access; MMUs: memory managing units. support several thousand of these). systems like the Hadoop Distributed OUTLOOK The kernel is therefore bypassed by File System (HDFS) that expose how We conclude with a few bold—perhaps the data plane because it constitutes data is sharded across storage nodes, reckless—predictions, and some reflec- a serial bottleneck even in modern, or through higher-level record-oriented tions on the process by which OS designs highly optimized network stacks, and distributed object stores. Files also dis- are created and evolve over time. Figure because it avoids expensive kernel appear at the small end of the scale: 1 visually summarizes our predictions. crossings—slower cores relative to the phone applications store their data in For more information, see the “Oppor- network mean that every CPU cycle on isolated containers through an API tunities for a New OS” sidebar. the data path counts. This happened that hides any underlying Linux or first in virtual machine monitors and iOS file systems, and in practice can Architecture spurred the adoption of technologies transparently replicate such data The future OS will be distributed in such as Single-Root I/O Virtualization across crowd services that use the architecture. A single kernel isn’t (SR-IOV), but recent research shows data. The file as a concrete vector of going to work with heterogeneous the benefits of structuring a general-­ bytes on local storage means little to processors, memory that isn’t acces- purpose OS this way as well.9 most application programmers, let sible from all cores, or partial cache The key change in perspective alone users. Its deserialized structure coherence. There will be multiple comes with the realization that the is what’s important. kernels in a single machine, and some NIC is no longer an interface, per se— Recently, it has been recognized kind of message passing is inevitable. it’s a network switch. Specifically, it’s that data durability doesn’t neces- The result will be something between an asymmetric switch with a very high sarily imply writing to stable stor- a single machine and a traditional port count—every send and receive age. Once the necessary availability cluster—the low message latencies queue constitutes a port as well as the mechanisms are in place to replicate of future hardware and performance physical layer—that makes forward- application data structures across requirements of parallel applications ing decisions at all layers of the tradi- active nodes in a large online service will necessitate much more global tional protocol stack. The role of the (including across datacenters), some coordination in scheduling, memory future OS is to implement the control data can even be permanently held in allocation, and bandwidth allocation plane for this switch. main memory. With the rise of per- than is achievable in current clusters. sistent main memory, a great deal of This shouldn’t be confused with tra- Data storage long-lived application data will never ditional embedded system architec- Finally, POSIX-like files don’t make be serialized to disk. Applications ture, which is similar because it runs sense at scale. Large-scale data pro- will deal with persistent state differ- dedicated kernels and applications cessing applications access data- ently, and the OS must support this in compared to general­-purpose OSs sets through distributed parallel file a useful way. and applications.

48 COMPUTER WWW.COMPUTER.ORG/COMPUTER OPPORTUNITIES FOR A NEW OS

igure A represents a bell-curve distribution of the of innovation. However, this also caused a fragmen- Fnumber of deployed instances of Linux versus the tation of customers followed by some consolidation, system size. On the high-end system side (laptops such as that around the Open Software Foundation through supercomputers), the bell curve reaches a and Unix International. Eventually, the open source maximum for the two-socket Intel computer, the most community prevailed and Linux started dominating. commonly deployed Linux machine. The market is Linux—which purely followed the Innovator’s much more fragmented on the low-end system side Dilemma model (C.M. Christensen, The Innovator’s (such as Linux deployed as Android on mobile phones), Dilemma, Harper Business, 2011)—was absorbing so we focus primarily on the high end, acknowledg- innovation from earlier systems (such as Digital Unix, ing that the number of mobile phones has surpassed HP-UX, and IBM AIX) until about 5 years ago, when the number of mobile computers. Sensors in cyber-­ innovation started happening within Linux itself. physical systems connected to the Internet of Things Most recently, innovation has occurred within the (IoT) are shown on the far left side of the curve (small IoT and high-end spectrums of the bell curve. New systems), and the largest Linux deployments (ranging OSs are being created with seemingly opposite yet from high-performance computing systems to exa­ symmetrically similar requirements. This is illus- scale systems) are on the far right. trated in Figure A by the new OSs listed on each side The Linux OS is optimized for a sweet spot— of the curve. the maximum of the bell curve covering the area Power savings is equally needed at the lower end bounded by the extremes. Going outside these zones (such as battery lifetime) and the higher end (such will compromise the optimizations for this sweet as recurrent costs). Real-time requirements and spot. Thus, the Linux community has less interest in synchronicity have similar goals in both domains, as going outside the current zones, where innovation well as low-latency communication, code size, and can happen. minimal APIs. The same minimal kernel can be de- In the 1980s and 1990s, there were many ployed on both ends of the bell curve, meeting similar different OS versions, each bringing a certain degree demands from different types of applications.

IoT High end

Sensors, FreeRTOS Linux Exa (node, Cloud + NFV, industrial, Contiki enclave, exascale, Riot global) etc. etc. Open source TinyOS mOS OpenWSN BSD Catamount Innovation New apps and tools MantisNan Net-BSD CNK New apps and tools ano-RK Kitten/ LiteOS Innovation Palacios nesC Unix International OSF ZeptoOS K42 AbacusOS Unix V Solaris Mach Power Ant Nut/OS AIX LibraOS APIs SOS Digital Unix Hobbes HP-UX Scale (cores, memory, persistency) Real-time RIOT OS NIX APIs Latency ...... Synchronicity (1/noise) Generality ...... SCO Xenix Sequent, etc. Bandwidth Size Responsiveness (1/latency)

New kernels New kernels

Innovation Legacy Innovation

Figure A. Number of deployed OS instances on computers (excluding phones). NFV is network function virtualization.

JANUARY 2016 49 OUTLOOK

An interesting question is whether will be kept on disk. This is already a more advanced form of those being this can be solved by architecting a new a trend in databases and key-value formulated for SDNs. multikernel OS structure or by evolv- stores (such as SAP HANA, Redis, and ing current cluster middleware into Memcached), and memory technology Security a different performance regime. We trends make this likely to continue. Current real-world computer security favor the former. Today’s datacenters Memory and storage will converge. at all stack levels is in a poor state. are coordinated by an ad hoc collection Memory contents will persist across Low-level primitives that will scale of schedulers, resource allocators, SDN reboots, and files will be partially up to very large numbers of princi- controllers, application deployment replaced with persistent in-memory pals seem like a good place to start; tools, configuration management sys- data structures. This doesn’t necessar- for example, capability extensions tems, and so on. In a marketing con- ily make life easier, though: a future to existing machine architectures,10 text, this is sometimes referred to as a OS is going to have to provide some- which have repercussions that propa- “datacenter OS,” but it lacks any coher- thing like a sophisticated transac- gate up the software stack. We believe ent architecture to date. We believe tional facility to make persistent main it’s imperative to completely rethink this ecosystem won’t work well with memory usable. Sometimes remem- the implementation of system secu- tightly coupled clusters. bering all the data isn’t desirable rity, and several research systems look An objection to this view is that across reboot. very promising. the world is moving toward a large Because main memory itself will collection of per-application virtual be heterogeneous and distributed, we Applications machines or containers, which are expect that the OS memory manage- The OS interface will have to change, easy to support on existing OSs. This ment interface will change. Instead of but it’s unreasonable to expect appli- is arguably an issue of perspective: the a virtual address space, applications cation developers to start afresh. We virtual machines or containers still will be given a much more explicit han- believe the differences will start to need a hypervisor underneath, which dle on the regions of physical memory appear in application platforms and is an OS. Moreover, we’ve already allocated to them, and more freedom language runtimes. For example, rela- observed that applications are increas- in safely programming the MMU to tional databases have already recog- ingly parallel and distributed. exploit hardware translation features nized the need to re-architect how Containers are important: they from application runtimes. Demand they’re written for modern hardware make it easy to deploy traditional ap­pli- paging is likely to be an optional without replacing SQL. cations in a virtualized traditional library rather than a fundamental part OS environment. Their low overhead of the OS. FUTURE DIRECTIONS allows applications to be restructured These challenges make for an excit- into much more scalable microservices, Networking ing time in OS research—a lot is up and enables a model of continuous Our third prediction concerns net- for grabs. Changes in hardware and re-engineering, refactoring, and rede- working, both inside a machine and at applications have necessitated a shift ployment. However, they don’t yet ade- the interface between a machine and in thinking not only about resource quately address the challenges of future the wider network. OS software will management in computers, but also hardware and scalable applications. increasingly get off the critical data about many of the constraints that OS path between application threads, designers have worked under. Memory replaced by sophisticated “user-safe” These constraints have included We predict that main memory will hardware multiplexing/de-multiplexing the need to conform to whatever become critical compared to all other and filtering functionality, and library the hardware provides. OS system resources because it’ll be the big- code to interface to it. The OS will func- issues have been mostly ignored by gest influence on application perfor- tion as the control plane of a heteroge- hardware folks—computer scientist mance. In most application scenarios, neous network of smart NICs, queues, and professor Andrew Tanenbaum main memories will be very large and cores, and DMA engines. The internal lamented that “no hardware designer mostly persistent, and only cold data OS abstractions for this will resemble should be allowed to produce any

50 COMPUTER WWW.COMPUTER.ORG/COMPUTER ABOUT THE AUTHORS

DEJAN MILOJIČIĆ is a senior researcher at Hewlett Packard Labs in Palo Alto, California. His research interests include OSs, distributed systems, and systems management. Milojičić received a PhD in computer science from the University of Kaiserslautern. He was the 2014 IEEE Computer Society president. Contact him at [email protected]. piece of hardware until three software guys have signed off on it”—but the TIMOTHY ROSCOE is a professor of computer science at ETH Zurich. His OS community’s response has been at research interests include networks, OSs, and distributed systems. Roscoe best mildly passive-aggressive. How- received a PhD from the University of Cambridge. Contact him at timothy ever, this is changing: systems soft- [email protected]. ware people are becoming more asser- tive,11 hardware is becoming easier to change, and the boundary between the two is becoming blurred through the increased use of field-programma- moving forward is whether such ideas 7. P. Faraboschi et al., “Beyond Proces- ble gate arrays and complex SoCs. In can catch up with the complexity, het- sor-centric Operating Systems,” Proc. addition, the hardware product cycle erogeneity, and concurrency of mod- 15th USENIX Conf. Hot Topics in Oper- is getting shorter and simulation tools ern hardware. ating Systems (HotOS 15), 2015; http:// are becoming more powerful, giving dl.acm.org/citation.cfm?id=2831107. systems software developers earlier 8. S. Gerber et al., “Not Your Parents’ access to new hardware. ACKNOWLEDGMENTS Physical Address Space,” Proc. 15th The need for API compatibility is We thank Kirk Bresniker, Nigel Edwards, USENIX Conf. Hot Topics in Operating also declining and moving higher Paolo Faraboschi, Alexander Merritt, and Systems (HotOS 15), 2015; www up the stack. To perform well, strict Gerd Zellweger for reviewing this arti- .usenix.org/system/files/conference POSIX compliance in an OS practically cle and providing valuable comments. /hotos15/hotos15-paper-gerber.pdf. forces the implementation to resemble The feedback from anonymous reviewers 9. S. Peter et al., “Arrakis: The Oper- Unix internally, but many applications helped us substantially improve the article. ating System Is the Control Plane,” today are written to a much higher-­ ACM Trans. Computer Systems, vol. 33, level interface, which can be made por- no. 4, 2015, article 11. table across different low-level APIs. REFERENCES 10. R.N.M. Watson et al., “CHERI: A In cases where POSIX (or Windows) 1. D. Milojičić, “Operating Systems— Hybrid Capability-System Architec- compatibility is necessary, virtual Now and in the Future,” IEEE Concur- ture for Scalable Software Compart- machines or library OSs can perform rency, vol. 7, no. 1, 1999, pp. 12–21. mentalization,” Proc. IEEE Symp. well without needing to natively sup- 2. D.M. Ritchie and K. Thompson, “The Security and Privacy (SP 15), 2015, port a legacy API. Unix Time-Sharing System,” Comm. pp. 20–37. ACM, vol. 17, no. 7, 1974, pp. 365–375. 11. J.C. Mogul et al., “Mind the Gap: 3. C.M. Christensen, The Innovator’s Reconnecting Architecture and his article concerns what the Dilemma, Harper Business, 2011. OS Research,” Proc. 13th USENIX new OS should look like and 4. H. Esmaeilzadeh et al., “Dark Silicon Conf. Hot Topics in Operating Systems what it should do, not how to and the End of Multicore Scaling,” (HotOS 13), 2013; http://dl.acm.org Tengineer it. The latter is just as inter- IEEE Micro, vol. 32, no. 3, 2012, /citation.cfm?id=1991596.1991598. esting a topic and broad enough to pp. 122–134. 12. K. Gerwin et al., “seL4: Formal Veri- warrant a separate article. However, 5. K.M. Bresniker, S. Singhal, and R.S. fication of an OS Kernel,” Proc. ACM the challenges facing engineering Williams, “Adapting to Thrive in SIGOPS 22nd Symp. Operating System OSs are similar. For example, formal a New Economy of Memory Abun- Principles (SOSP 09), 2009, pp. 207–220. methods are approaching the point dance,” Computer, vol. 48, no. 12, where they can effectively be used to 2015, pp. 44–53. design and implement a uniproces- 6. D. Vantrease et al., “Corona: System sor microkernel with strong correct- Implications of Emerging Nanopho- Selected CS articles and ness proofs,12 and OS researchers have tonic Technology,” Proc. 35th Int’l columns are also available for enthusiastically embraced such tools Symp. Computer Architecture (ISCA free at http://ComputingNow .computer.org. and techniques. The key question 08), 2008, pp. 153–164.

JANUARY 2016 51