Broad New OS Research: Challenges and Opportunities

Galen C. Hunt (1), James R. Larus (1), David Tarditi (1), and Ted Wobber (2)
(1) Microsoft Research Redmond, Redmond, WA 98052, USA
(2) Microsoft Research Silicon Valley, Mountain View, CA 94043, USA
http://research.microsoft.com/os/singularity

Abstract

Contemporary software systems are beset by problems that create challenges and opportunities for broad new OS research. To illustrate, we describe five areas where broad OS research could significantly improve the current user experience. These areas are dependability, security, system configuration, system extension, and multi-processor programming. In each area we explore how contemporary systems fall short. Where we have thought of possible solutions, we offer directions for future research.

Finally, we describe Singularity, a research project at Microsoft Research that is building a new operating system to explore four of these challenges. Singularity incorporates three specific design decisions in order to increase system dependability and improve system security, configuration, and extension. These design decisions include the adoption of an abstract instruction set as part of the system binary interface, a unified extension architecture for both the OS and applications, and a first-class application abstraction.

1. Introduction

The products of forty years of OS research are sitting in everyone's desktop computer, cell phone, car, etc.—and it is not a pretty picture. Modern software systems are—broadly speaking—complex, insecure, unpredictable, prone to failure, hard to use, and difficult to maintain. Part of the difficulty is that good software is hard to write, but in the past decade, this problem and more specific shortcomings in systems have been greatly exacerbated by increased networking and embedded systems, which placed new demands that existing architectures struggled to meet. These problems will not have simple solutions, but the changes must be pervasive, starting at the bottom of the software stack, in the operating system.

Unfortunately, as the emergence of the Internet exacerbated problems in conventional systems, the research community turned its attention from broad OS research to focus on incremental improvements or new areas such as distributed systems [17].

Without OS solutions, others stepped into the void by devising partial, application-level solutions to these problems. Consider, for example, the problem of isolating code from potentially untrusted sources. Applications and programming language runtimes have tried to supplant inadequate OS security with partially redundant and complex security abstractions using stack walking and code signing [12][24]. Others have attempted to solve this problem by going so far as to replicate entire operating systems in virtual machine monitors [11]. While the engineering is admirable, one wonders if the OS could provide a more integrated solution.

The remainder of this paper has three parts. Section 2 suggests example areas in which OS research could make operating systems work significantly better for most users. We offer these areas as evidence of opportunity, not as an exhaustive research agenda. Section 3 describes work in the Singularity project to address some of these areas. Finally, Section 4 summarizes the challenges and opportunities for broad new OS research and draws conclusions.

2. Opportunities for OS Research

To suggest the many opportunities for OS research, we list five areas in need of new ideas and abstractions: dependability, security, system configuration, system extension, and multiple processor programming. This list is intended to be illustrative, not exhaustive.

2.1 Dependability

A system is dependable if it behaves predictably and reliably; in other words, if its behavior consistently conforms to an understandable and useful model. A system's perceived dependability is a function of both user expectation and actual system behavior.

Unfortunately, the perceived dependability of contemporary software systems is low, particularly in the eyes of non-technical users [15].^i Partially this results from raw software failures. However, it also results from unpredictable system behavior.

Broadly speaking, the owner of a modern PC encounters frequent unexpected behaviors. By contrast, most modern cars are considered quite dependable by their users; this despite the fact that cars can require as much as one hour of maintenance for every one hundred hours of usage.^ii We claim that modern cars are considered dependable because they have an easily understood operation model consisting of regular fueling, regular oil changes, regular maintenance, and basically predictable, uninterrupted usage the rest of the time.

No open, general purpose software system can make a similar claim. They all must be patched frequently and regularly to fix flaws that open the system to malicious attack. They all can fail in ways that are inexplicable and unpredictable to ordinary users. Many of these users are afraid to change their system in even the slightest way, for fear of breaking it.

2.2 Security

Contemporary OS security systems were designed to protect users of a system against each other and to protect the OS from errant programs. These security architectures were developed in the quaint past when code came from trusted sources and networks connected us with our friends and colleagues. In today's connected world, users and computers are surrounded by unscrupulous advertisers, petty criminals, and increasingly organized crime. In this world in which executable code can and does come from anywhere, the OS needs to protect user and system resources from potentially hostile code that a user runs either intentionally or unintentionally. This is a very hard problem given that desired code may do useful work!

To bring code into an OS security model, there must be a basic OS abstraction that represents the identity of code. The abstraction should also capture the provenance of the code as well as provide a means for checking code integrity. Once code is identifiable, we can imagine enforcing security policy pertaining to it.

Code identity alone, however, is not sufficient. Software components interact in exceedingly complex ways, and many such interactions are security-relevant. We can expect the next generation of attacks to exploit unplanned and unprotected interactions between software components. There is fertile ground for research in understanding how to prevent such attacks by design.

The Java [12] and Common Language Infrastructure (CLI)^iii [24] programming environments have explored some of these issues. However, the security models in these systems are complex and largely separate from OS models.

2.3 System Configuration

Contemporary operating systems contain abstractions for many components of modern applications, such as processes, threads, and shared libraries, but applications and their dependencies are only informally characterized. Lacking a strong concept of an application's complete configuration, the OS has no mechanisms to guarantee

Consider, for example, the case of applications colliding in their usage of shared spaces such as file systems or configuration registries. The installation of one application may corrupt or irreversibly alter the configuration of another via changes to a file or registry. The "DLL Hell" problem in Windows systems occurs when one application overwrites a common shared library with a version incompatible with an existing application. Similar problems can occur when an application overwrites configuration information mapping from document extensions to applications. To compensate for the absence of OS managed applications, users resort to ad-hoc application isolation techniques, such as jails [14] or virtual machine monitors, such as VMware [9] and Xen [3].

2.4 System Extension

Since no monolithic system can satisfy all users, most complex software lets users load code to extend functionality. Dynamically loaded extensions are found as widely as device drivers in kernels and spelling checkers in word processors. Whether in the OS or an application, most extensions are loaded directly into a host address space with no hard interface, protection boundary, or clear distinction between host and extension code. Extension through in-process code loading appears flexible and attractive, but due to a lack of isolation, extensions are a major source of software reliability and security problems. For example, faulty device drivers cause a large fraction of Windows and Linux failures [22].

A number of OS research efforts, including Exokernel [13], SPIN [5], VINO [21], and Nooks [22], have sought safer OS extension without addressing the more general problem of application extension. Pragmatically, each of these systems provided domain-specific models for OS extensions. Software fault isolation (SFI) [23], one of the few research efforts to consider application extension, limits an extension to a subset of an application's address space. However, the overhead for SFI is quite high, and it still exposes published data structures to corruption by the extension.

In Section 3.1.2, we will describe research in the Singularity system to create a unified extension architecture for both the operating system and applications.

2.5 Multi-processor Programming

Thanks to the physical constraints of semiconductor device scaling, it has become easier to replicate proces-
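The lack of a protection boundary that Section 2.4 describes is easy to see in code. The following C program is an added example, not code from the paper or from the Singularity project. It models a hypothetical extension with a missing bounds check that is first called in-process, where it silently corrupts a host-private field next to the buffer it was given, and then run in a forked child that returns only the sanctioned buffer over a pipe. POSIX fork/pipe stand in here for a real isolation mechanism; the struct layout, the field names and the overlong input are constructed for the demonstration.

```c
/* Added example (not from the paper or Singularity): an in-process extension
 * shares the host's address space, so a bug in it can corrupt host state.
 * Running the same extension in a separate process behind a narrow pipe
 * interface confines the damage. Hypothetical names throughout. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

#define BUF_LEN 8

/* Host record handed to the extension. The extension is meant to fill
 * ext_buf only, but nothing stops it from reaching the adjacent field. */
struct host_state {
    char ext_buf[BUF_LEN];   /* the only region the extension may write */
    int  balance;            /* host-private; must survive the extension */
};

/* Hypothetical third-party extension with a missing bounds check: it copies
 * its whole input, terminator included, over the host record rather than
 * stopping at the end of ext_buf. The copy is clamped to the object size so
 * the demo stays well-defined C, but it still overruns ext_buf. */
static void buggy_extension(struct host_state *h, const char *input)
{
    size_t n = strlen(input) + 1;
    if (n > sizeof *h)
        n = sizeof *h;
    memcpy((char *)h, input, n);
}

/* Constructed input: eight bytes fill ext_buf, the rest spill into balance. */
static const char *const OVERLONG_INPUT = "AAAAAAAABBB";

/* 1. In-process loading: extension and host share one address space, so the
 * overrun lands in balance. Returns the (corrupted) balance. */
int run_in_process(void)
{
    struct host_state h = { "", 100 };
    buggy_extension(&h, OVERLONG_INPUT);
    return h.balance;
}

/* 2. Out-of-process loading: the extension runs on a private copy of the
 * record in a child; only BUF_LEN bytes of result cross back over the pipe,
 * which is the entire host/extension interface. Returns the host's balance,
 * or -1 if the process machinery itself fails. */
int run_isolated(void)
{
    struct host_state h = { "", 100 };
    int fds[2];
    if (pipe(fds) != 0)
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {                          /* child: its own copy of h */
        close(fds[0]);
        buggy_extension(&h, OVERLONG_INPUT);
        if (write(fds[1], h.ext_buf, BUF_LEN) != BUF_LEN)
            _exit(1);
        _exit(0);
    }

    close(fds[1]);
    char result[BUF_LEN];
    ssize_t got = read(fds[0], result, BUF_LEN);
    close(fds[0]);
    waitpid(pid, NULL, 0);
    if (got == BUF_LEN)
        memcpy(h.ext_buf, result, BUF_LEN);  /* accept only the sanctioned data */
    return h.balance;
}

int main(void)
{
    printf("in-process extension: balance = %d\n", run_in_process());
    printf("isolated extension:   balance = %d\n", run_isolated());
    return 0;
}
```

The in-process call leaves `balance` holding bytes of the extension's input instead of 100, while the isolated call returns 100 because the overrun happened in the child's copy-on-write copy and the pipe carried only `ext_buf`. The pipe is a crude stand-in for the hard interface the paper argues for; it is the narrowing of what may cross the boundary, not the process itself, that protects the host.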