Here’s a fascinating document from Microsoft Research detailing work on Singularity. It’s an OS designed to support languages like Java and C#, so it has been built around partitioned memory spaces and dependable code.
SIPs are the OS processes on Singularity. All code outside the kernel executes in a SIP. SIPs differ from conventional operating system processes in a number of ways:
- SIPs are closed object spaces, not address spaces. Two Singularity processes cannot simultaneously access an object. Communications between processes transfers exclusive ownership of data.
- SIPs are closed code spaces. A process cannot dynamically load or generate code.
- SIPs do not rely on memory management hardware for isolation. Multiple SIPs can reside in a physical or virtual address space.
- Communication between SIPs is through bidirectional, strongly typed, higher-order channels. A channel specifies its communications protocol as well as the values transferred, and both aspects are verified.
- SIPs are inexpensive to create and communication between SIPs incurs low overhead. Low cost makes it practical to use SIPs as a fine-grain isolation and extension mechanism.
- SIPs are created and terminated by the operating system, so that on termination, a SIP’s resources can be efficiently reclaimed.
- SIPs execute independently, even to the extent of having different data layouts, run-time systems, and garbage collectors.
SIPs are not just used to encapsulate application extensions. Singularity uses a single mechanism for both protection and extensibility, instead of the conventional dual mechanisms of processes and dynamic code loading. As a consequence, Singularity needs only one error recovery model, one communication mechanism, one security policy, and one programming model, rather than the layers of partially redundant mechanisms and policies in current systems. A key experiment in Singularity is to construct an entire operating system using SIPs and demonstrate that the resulting system is more dependable than a conventional system.
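The two properties that matter most for isolation in the list above are that data crossing a channel changes exclusive owner (no two SIPs ever hold the same object) and that the channel's protocol, not just its message types, is checked before the code runs. The following is an added example, not code from Singularity or the paper: it models both properties in Rust, whose move semantics and type system give a similar compile-time guarantee to what Sing# channel contracts provide. The two "SIPs" are two threads sharing one address space (mirroring the point that isolation does not depend on memory-management hardware), the channel is the standard library's mpsc, and the names Buffer, Idle, Awaiting, connect and round_trip are illustrative assumptions.

```rust
// Added illustration (not Singularity's own code): two SIP properties from the
// paper, expressed in Rust's type system.
//   1. A Buffer sent over the channel moves to the receiver; the sender keeps
//      no usable reference, so the object is never shared.
//   2. The client endpoint is a typestate (Idle -> Awaiting -> Idle), so a
//      second request before a reply, or a recv without a request, fails to
//      compile rather than being caught at run time.
use std::sync::mpsc::{channel, Receiver, Sender};
use std::thread;

/// Data whose ownership crosses the channel. Deliberately not Clone or Copy,
/// so the type checker forbids retaining a copy after `send`.
#[derive(Debug, PartialEq)]
pub struct Buffer(pub Vec<u8>);

pub enum ClientMsg { Request(Buffer) }
pub enum ServerMsg { Reply(Buffer) }

/// Client endpoint in the "may send a request" state.
pub struct Idle { tx: Sender<ClientMsg>, rx: Receiver<ServerMsg> }
/// Client endpoint in the "must wait for the reply" state.
pub struct Awaiting { tx: Sender<ClientMsg>, rx: Receiver<ServerMsg> }

impl Idle {
    /// Consumes both the endpoint state and the buffer. After this call the
    /// caller can neither touch `buf` nor send again until a reply arrives.
    pub fn send(self, buf: Buffer) -> Awaiting {
        self.tx.send(ClientMsg::Request(buf)).expect("server endpoint gone");
        Awaiting { tx: self.tx, rx: self.rx }
    }
}

impl Awaiting {
    /// Blocks for the reply, hands ownership of the returned buffer to the
    /// caller, and transitions the endpoint back to Idle.
    pub fn recv(self) -> (Buffer, Idle) {
        let buf = match self.rx.recv().expect("server endpoint gone") {
            ServerMsg::Reply(b) => b,
        };
        (buf, Idle { tx: self.tx, rx: self.rx })
    }
}

/// The "server SIP": takes exclusive ownership of each buffer, transforms it
/// in place, and transfers ownership back. Exits when the client is dropped.
fn serve(rx: Receiver<ClientMsg>, tx: Sender<ServerMsg>) {
    while let Ok(ClientMsg::Request(mut buf)) = rx.recv() {
        for b in buf.0.iter_mut() {
            *b = b.to_ascii_uppercase();
        }
        if tx.send(ServerMsg::Reply(buf)).is_err() {
            break;
        }
    }
}

/// Creates the two half-channels and spawns the server side.
pub fn connect() -> Idle {
    let (c_tx, s_rx) = channel::<ClientMsg>();
    let (s_tx, c_rx) = channel::<ServerMsg>();
    thread::spawn(move || serve(s_rx, s_tx));
    Idle { tx: c_tx, rx: c_rx }
}

/// One request/reply round trip; returns the bytes after the server has
/// uppercased them.
pub fn round_trip(input: &[u8]) -> Vec<u8> {
    let client = connect();
    let awaiting = client.send(Buffer(input.to_vec()));
    // `client` and the Buffer were moved into `send`; referring to either here
    // is a compile error, which is the paper's "no shared object" rule.
    let (reply, _client) = awaiting.recv();
    reply.0
}

fn main() {
    let out = round_trip(b"hello singularity");
    println!("{}", String::from_utf8(out).unwrap());
}
```

The point of the typestate is that the protocol error shows up at the same stage Singularity catches it: try adding a second `client.send(...)` after the first, or calling `recv` on an `Idle`, and the program does not build. What this example does not model is the closed-code-space rule and the per-SIP runtime, which need support from the loader and compiler rather than from a library.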
Something to keep an eye on – this could be the type of approach needed to deliver modular OSes that run on hypervisors.
October 29, 2005 at 8:57 pm
Oh, look! They’ve invented the B5500! Or was that USCD Pascal? Or the LISP Machine?
October 31, 2005 at 1:26 pm
None of the above, ssavitzky. If you actually read the paper, you’ll see that Singularity relies heavily on compile-time checking of code that eventually runs native, which is very different from running bytecode. They’ve also extended checking to a semantic level way above what bytecode can do; check out the protocol-specification part of Sing# to understand what that means.
It’s easy to be a smartass about an OS based on a dialect of C#, but it just looks tiresome when the incorrectness of the hasty underlying assumptions is pointed out.