See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/228579596

The Design and Implementation of a Fully-Modular, Self-Healing, UNIX-Like

Operating System

Article

CITATION READS

1 56

5 authors, including:

Jorrit N. Herder Herbert Bos

Google Inc. Vrije Universiteit Amsterdam
23 PUBLICATIONS 527 CITATIONS 190 PUBLICATIONS 3,335 CITATIONS

SEE PROFILE SEE PROFILE

Philip Homburg Andrew S. Tanenbaum

Vrije Universiteit Amsterdam Vrije Universiteit Amsterdam
37 PUBLICATIONS 1,241 CITATIONS 408 PUBLICATIONS 15,209 CITATIONS

SEE PROFILE SEE PROFILE

Some of the authors of this publication are also working on these related projects:

Automating Live Update for Generic Server Programs View project

Exploit Mitigation View project

All content following this page was uploaded by Philip Homburg on 20 May 2014.

The user has requested enhancement of the downloaded file.

 The Design and Implementation of a Fully-Modular,
Self-Healing, UNIX-Like Operating System
Technical Report IR-CS-020, February 2006

Jorrit N. Herder, Herbert Bos, Ben Gras, Philip Homburg, and Andrew S. Tanenbaum
Dept. of Computer Science, Vrije Universiteit Amsterdam, The Netherlands
{jnherder, herbertb, bjgras, philip, ast}@cs.vu.nl

Abstract structure, combined with several explicit mechanisms for

In this paper, we discuss the architecture of a fully-
modular, self-healing operating system, which exploits
the principle of least authority to provide reliability be-
yond that of most other operating systems. The system
can be characterized as a minimal kernel with the entire
operating system running as a set of compartmentalized
user-mode servers and drivers.
By moving most of the code to unprivileged user-
mode processes and restricting the powers of each one,
we gain proper fault isolation and limit the damage bugs
can do. Moreover, the system has been designed to sur-
vive and automatically recover from failures in critical
components, such as device drivers, transparent to appli-
cations and without user intervention.
We used this design to develop a highly-reliable, open-
source, POSIX-conformant member of the UNIX family,
which is freely available and has been downloaded over
100,000 times in the past 3 months.
1 INTRODUCTION
Operating systems are expected to function flawlessly,
but, unfortunately, most of today’s operating systems fre-
quently fail. As discussed in Sec. 2, many problems stem
from the monolithic design that underlies most common
systems. All operating system functionality, for exam-
ple, runs in kernel mode without proper fault isolation,
so that any bug can potentially trash the entire system.
Like other groups, we believe that reducing the oper-
ating system kernel is a first important step in the direc-
tion of designing for reliability. In particular, running
drivers and other core components in user mode helps
to minimize the damage that may be caused by bugs in
such code. However, our system explores an extreme in
the design space of UNIX-like operating systems where
the entire operating system is run as a collection of in-
dependent, tightly-restricted, user-mode processes. This
transparent recovery from crashes and other failures, re-
sults in a highly-reliable, completely-multiserver operat-
ing system that still looks and feels like UNIX.
While some of the mechanisms are well-known, and
multiserver operating systems have been first proposed
years ago, to the best of our knowledge, we are the first
to explore such an extreme decomposition of the operat-
ing system that is designed for reliability, while provid-
ing reasonable performance. Quite a few ideas and tech-
nologies have been around for a long time, but were often
abandoned for performance reasons. We believe that the
time has come to reconsider the choices that were made
in common operating system design.
1.1 Contribution
The contribution of this work is the design and imple-
mentation of an operating system that takes the concept
of multiserver to an extreme in order to provide a de-
pendable computing platform. The concrete goal of this
research is to build a UNIX-like operating system that
can transparently survive crashes of critical components,
such as device drivers.
As we mentioned earlier, the answer that we came up
with is to break the system into manageable units and
rigidly control the power of each unit. The ultimate goal
is that a fatal bug in, say, a device driver should not
crash the operating system; instead, the failed compo-
nent should be automatically and transparently replaced
by a fresh copy, and running user processes should not
be affected. No existing system has this property.
To achieve this goal, our system provides: simple,
yet efficient and reliable IPC; disentangling of interrupt
handling from user-mode device drivers; separation of
policies and mechanisms; flexible, run-time operating
system configuration; decoupling of servers and drivers
through a publish-subscribe system; and error detection
and transparent recovery for common drivers failures.

1
 We believe that we are the first to realize a fully-
modular, open-source, POSIX-conformant operating
system with self-healing properties. Although we pri-
marily use a multiserver architecture because of its re-
liability, we will show that the system has many other
benefits as well, for example, for system administration
and programming. The system has been released (with
all the source code) and over 100,000 people have down-
loaded it so far, as discussed later.
85% of all operating system crashes are caused by de-
vice drivers [2, 20], running untrusted, third-party code
in the kernel also diminishes the system’s reliability.
From a high-level reliability perspective, a monolithic
kernel is unstructured. The kernel may be partitioned
into domains but there are no protection barriers en-
forced between the components. Two simplified exam-
ples, Linux and MacOS X, are given in Fig. 1.

User
User User User User User User User User

1.2 Paper Outline

Kernel space
VFS Inet UNIX server
We first introduce how operating system structures have
evolved over time (Sec. 2). Then we proceed with a de- Drivers Paging Microkernel
tailed discussion of the kernel (Sec. 3) and the organiza-
tion of the user-mode servers on top of it (Sec. 4). We Linux Mac OS X
review how our multiserver operating system realizes a (a) (b)
dependable computing platform and highlight some ad-
ditional benefits (Sec. 5), and briefly discuss its perfor- Figure 1: Two typical monolithic systems: (a) Vanilla Linux
mance (Sec. 6). In the end, we survey related work and (b) Mac OS X. Their properties are discussed in Sec. 2.1.
(Sec. 7), and draw conclusions (Sec. 8).

2.2 Single-Server Systems

2 OPERATING SYSTEM DESIGN
This section illustrates the operating system design space
with three typical structures and some variants thereof.
While most structures are probably familiar to the reader,
we introduce them explicitly to show an overview of the
design space that has monolithic systems at one extreme
and ours at the other. Concrete systems are discussed and
compared to our system in Sec. 7.
It is sometimes said that virtual machines and exoker-
nels provide sufficient isolation and modularity for mak-
ing a system safe. However, these technologies provide
an interface to an operating system, but do not represent
a complete system by themselves. The operating system
running on top of a virtual machine or exokernel can have
any of the following structures.
2.1 Monolithic Systems
Monolithic kernels provide rich and powerful abstrac-
A single-server system has a reduced kernel, and runs a
large fraction of the operating system as a single, mono-
lithic user-mode server. In terms of reliability, this setup
adds little over monolithic operating systems, because
there still is a single point of failure. The only gain in
case of an operating system crash is a faster reboot.
An advantage of this setup is that it preserves a UNIX
environment while one may experiment with a micro-
kernel approach. Legacy applications targeted towards
the monolithic operating system server can coexist with
novel applications. The combination of legacy applica-
tions and real-time or secure components allows for a
smooth transition to a new computing environment.
Mach-UX [1] was one of the first systems to run BSD
UNIX in user-mode on top of the Mach 3 microker-
nel, as shown in Fig. 2(a). Another example, shown in
Fig. 2(b), is Perseus [13], running Linux and some spe-
cialized components on top of the L4 microkernel.
User space

tions of the underlying hardware. All operating system User User User User User User User User

services are provided by a single, monolithic program

that runs in kernel mode; applications run in user mode BSD Unix L4 Linux GUI
and can request services directly from the kernel.
Kernel space

Drivers
Monolithic designs have some inherent problems that Sign
Drivers Paging
affect their reliability. All operating system code, for ex-
ample, runs at the highest privilege level without proper Mach 3 L4
fault isolation, so that any bug can potentially trash the (a) (b)
entire system. With millions of lines of code (LoC)
and 1-16 bugs per 1000 LOC [22, 23], monolithic sys- Figure 2: Two typical single-server systems: (a) Mach-UX
tems are likely to contain many bugs. Since 70% to and (b) Perseus. Their properties are discussed in Sec. 2.2.

2
2.3 Multiserver Systems
In a multiserver design, the operating system environ-
ment is formed by a set of cooperating servers. Un-
trusted, third-party code such as device drivers can be run
in separate, user-mode modules to prevent faults from
spreading. High reliability can be achieved by applying
the principle of least authority [15], and tightly control-
ling the powers of each module.
A multiserver design also has other advantages. The
modular structure, for example, makes system admin-
istration easier and provides a convenient programming
environment, as discussed in Sec. 5.
Several multiserver operating systems exist. An early
system is MINIX [21], which distributed operating sys-
tem functionality over two user-mode servers, but still
ran the device drivers in the kernel, as shown in Fig. 3(a).
More recently, IBM Research designed SawMill
Linux [4], a multiserver environment on top of the L4 mi-
crokernel, as illustrated in Fig. 3(b). While the goal was a
full multiserver variant of Linux, the project never passed
the stage of a rudimentary prototype, and was then aban-
doned when the people working on it left IBM.
User space
User User User User User
Mem FS Net
Kernel space
Driver
Driver Driver
MINIX
(a)
Figure 3: Two typical multiserver systems: (a) MINIX and (b)
SawMill Linux. Their properties are discussed in Sec. 2.3.
2.4 Designing for Reliability
Although several multiservers systems exist, either in de-
sign or in prototype implementation, none of them were
designed with the explicit goal of being highly reliable.
In the rest of this paper, we present a new, fully-modular,
highly-reliable, open-source, POSIX-conformant multi-
server operating system that is freely available for down-
load, and has been widely tested.
Some commercial systems like Symbian OS and
QNX [8] are also based on multiserver designs. How-
ever, they are proprietary and distributed without source
code, so it is difficult to verify the claims. Still, the
fact that innovating companies use multiserver designs,
demonstrates the viability of the approach.
We will now discuss our multiserver architecture in
detail, and show why it is a reliable system and how it
can survive crashes of operating system components.
3 THE KERNEL ARCHITECTURE
The kernel is responsible for low-level functionality that
cannot be handled in user space, such as IPC, process
scheduling, and interrupt handling. Ours consists of
fewer than 4000 lines of code (LoC), which makes it
easy to understand. The kernel provides only the most
elementary mechanisms, whereas the user-mode servers
implement the policies that drive the operating system.
3.1 Interprocess Communication
Interprocess communication (IPC) is of crucial impor-
tance in a multiserver system. IPC allows user processes
to request operating system services and enables cooper-
ation between servers and drivers. We compared many
alternatives to find a suitable set of IPC primitives that
is simple, efficient, and reliable. Finding IPC primi-
tives that do not hang the system when message senders
and receivers crash during a request-reply sequence is far
from trivial. Consequently, our primitives have evolved
as the system matured. In this paper we describe the
primitives of the version currently in test; these differ in
User User User minor ways from those in previous versions.
Our IPC communication is characterized by ren-
FS Mem dezvous message passing using small, fixed-length mes-
sages. Rendezvous is a two-way interaction without
Driver Name intermediate buffering. The interaction is fully syn-
chronous, which means that the first process that is ready
L4 to interact blocks and waits for the other. When both pro-
(b) cesses are ready, the message is copied from the sender
to the receiver and both resume execution.
Although rendezvous message passing is easier to im-
plement than a buffered scheme, it is less flexible and
sometimes even inadequate. Some events are inherently
asynchronous or need to be communicated to higher-
level process without risking a deadlock. Therefore, we
complemented the synchronous primitives with a simple
nonblocking event notification mechanism.
IPC Primitives The kernel supports four IPC prim-
itives. The standard primitives to send messages are
IPC REQUEST and IPC REPLY, typical in synchronous
client-server communication. A request will block the
caller until the reply has been received. The message
type and arguments can be freely set by the caller, but the
source is reliably patched into the message by the kernel.
In addition, the nonblocking IPC NOTIFY primitive
can be used to send notification messages. This is used
to pass kernel events, user-configurable events, or call-
back requests. Normally only the event set is passed, but
the kernel also includes the message source for callback
requests, so that the receiver can query the sender.
3
 Finally, the IPC SELECT primitive can be used to re-
ceive a specified message. The caller can pass the mes-
sage source or set of events it is interested in, and will be
blocked until such a message arrives.
Messages are prioritized. Event notifications, such as
hardware interrupts and timeouts, have the highest prior-
ity. Callback notifications have a lower priority, as they
cannot be delivered together with other notifications. Fi-
nally, request messages have the lowest priority.
Design Principles We designed the IPC primitives to
be simple, efficient, and reliable to reduce the amount of
code and increase understandability. Complicated opti-
mizations to improve resource usage often lead to com-
plex, buggy code, so we have tried to keep the code
straightforward. For example, only small, fixed-length
messages are used. Messages are a union of different
message types, and their size is determined at compile
time as the largest of all types in the union.
To ensure messages are reliably delivered to the right
destination, IPC endpoints are under the control of the
kernel. An IPC endpoint is formed by the combination of
a process’ slot number and the slot’s generation number,
which increased with each new process. This ensures
that IPC directed to an exited process cannot end up at a
process that reuses a slot.
Our IPC design eliminates the need for dynamic re-
source allocation, both in the kernel and in user space.
The standard request-reply sequence uses a rendezvous,
so that no message buffering is needed. If the destination
is not waiting, IPC REQUEST blocks the sender. Simi-
larly, a receiver is blocked on IPC SELECT when no IPC
is available. Messages are never buffered in the kernel,
but always directly copied from sender to receiver. No
additional copies are required, speeding up IPC.
The asynchronous IPC NOTIFY mechanism is also not
susceptible to resource exhaustion. Event notifications
are typed and at most one bit per type is saved. All pend-
ing notifications can be stored in a compact bitmap that is
statically declared as part of the process table. Multiple
pending notifications of the same type are merged. Al-
though the amount of information that can be passed this
way is limited, this design was chosen for its simplicity,
reliability and low memory requirements.
Protection Mechanisms Since IPC is a powerful con-
struct, we included several mechanisms to restrict who
can do what. First, we restrict the set of IPC primitives
available to each process. User processes, for example,
are allowed to use only IPC REQUEST.
Second, we restrict who can request services from
whom. A user process doing I/O, for example, cannot
communicate directly with device drivers, but needs to
4
send its requests to the file server instead. These restric-
tions also help to prevent deadlocks.
Third, we restrict the use of event notifications. Only
trusted processes, such as the process manager and file
server, can use them. Callback events, in contrast, are
also available to untrusted processes, such as drivers.
All these protection mechanisms are implemented by
means of bitmaps that are statically declared as part of
the process table. This is space efficient, prevents re-
source exhaustion, and allows for fast permission checks
since only simple bit operations are required.
3.2 Process Scheduling
Scheduling is done using a fixed number of prioritized
queues. The processes on each queue are kept in a linked
list, and are scheduled round robin. The scheduler sim-
ply finds the highest populated queue and selects the first
process on it to run.
Whenever a process becomes ready, it is put on the
head of its queue when it still has some quantum left. A
process goes to the rear of its queue only when it has no
quantum left. While somewhat counterintuitive, it works
because this ensures that processes doing a system call
are not moved to the rear of the queue. It also makes the
system responsive since processes that were blocked for
I/O can immediately run once the I/O is done.
Each time a process consumes a full quantum it de-
grades in priority. Periodically the priority of all pro-
cesses is upgraded to prevent that all processes end up
in the lowest-priority queue. Since I/O bound processes
consume fewer quanta than CPU-bound processes, they
will have a higher average priority, and are likely to be
scheduled when the I/O finishes.
3.3 Interrupt Handling
Another important responsibility of the kernel is inter-
rupt handling. Because this cannot be done in user space,
we disentangled interrupt handlers and device drivers.
User-mode device drivers can only instruct the kernel to
transform specific interrupts into notification messages
and must do all further processing themselves. After reg-
istration, drivers can tell the kernel to enable and disable
hardware interrupts.
The kernel catches all hardware interrupts with a
generic interrupt handler that looks up which drivers are
associated with the IRQ line, and sends a nonblocking
notification message to each of them. As a side-effect,
the generic interrupt handler gathers randomness for the
random number generation device.
The only exception to the above is that the clock driver
(CLOCK) defines its own handler as part of the kernel,
as discussed below. This handler is simple and usually
does only accounting. When more work is needed, such
as scheduling another process, a notification is sent to
CLOCK for further processing.
All the real work is done at the process level, usually in
a user-mode device driver, but sometimes also in a kernel
task. This helps to achieve a low interrupt latency—since
processes can be preempted—and makes the system suit-
able for real-time applications.
interrupt occurs, the currently running kernel task or user
process is preempted, the interrupt is transformed into a
message, and another process is scheduled. If the inter-
rupt is for a high-priority device, the associated driver
is likely to be scheduled soon. Building a complete
real-time operating system would require extending the
scheduler with real-time primitives.

3.5 The Kernel Tasks

3.4 Kernel Model
Our kernel design is different from most UNIX-like sys-
tems. In contrast to ordinary UNIX kernels, ours cleanly
follows the process-oriented multiserver design, as illus-
trated in Fig. 4. It provides two kernel-mode servers,
SYS and CLOCK, also known as kernel tasks, with spe-
cial privileges to support the user-mode operating system
servers. Although tasks share the kernel’s address space
and run in kernel mode, they are treated like normal pro-
cesses.
User space
The kernel contains two independently-scheduled pro-
cesses called tasks (to distinguish them from the user-
mode OS components). They are in kernel address space
and run in kernel mode because they perform privileged
operations that cannot be done in user space in a portable
way, such as device I/O.
3.5.1 System Task (SYS)
SYS is the interface to the kernel for all user-mode
servers and drivers. All kernel calls in the system li-

Proc Proc
Proc
brary are transformed into request messages that are sent
to SYS, which processes the requests, and sends reply
messages. SYS never takes initiative by itself, but it is
Kernel space

always blocked waiting for a new request message.

KERNEL

SYS CLK The kernel calls handled by SYS can be grouped into
several categories, including process management, mem-
ory management, copying data between processes, de-
Figure 4: The kernel closely follows the process-oriented mul- vice I/O and interrupt management, access to kernel data
tiserver design. Services can be requested with ordinary, syn- structures, and clock services. An overview of common
chronous request messages. Kernel events are transformed into
kernel calls is given in Fig. 5.
asynchronous notification messages.
Kernel Call Purpose
Apart from the actual service requested, a kernel call SYS FORK Fork a process; copy parent slot
from a user-mode server to a kernel task is similar to a SYS EXEC Execute a process; initialize slot
system call from a user process to an operating system SYS EXIT Exit a process; clear process slot
server. Both calls use the IPC primitives discussed in SYS NEWMAP Assign memory segment to process
Sec. 3.1 and result in a synchronous request message be- SYS VIRCOPY Copy data using virtual addressing
ing sent from one process to another. The services pro- SYS DEVIO Read or write a single I/O port
vided by the kernel tasks are discussed below. SYS IRQCTL Set or reset an interrupt policy
Only a tiny fraction of the kernel is responsible for SYS PRIVCTL Assign system process’ privileges
SYS GETINFO Get a copy of kernel information
handling hardware interrupts, IPC traps, and exceptions.
SYS TIMES Get process times or kernel uptime
Whenever such an event happens the CPU saves the state
SYS SETALARM Set or reset a synchronous alarm
of the currently-running process, and invokes the associ-
ated service routine that has been registered by the ker-
nel. When the event has been processed the kernel picks Figure 5: A selection of common kernel calls. All calls require
a (possibly different) process to run, restores the process’ privileged operations and are handled by SYS.
state, and tells the CPU to resume normal execution. To
keep the kernel simple, kernel reentries are forbidden.
3.5.2 Clock Task (CLOCK)
Real-Time Properties Because the kernel is process
oriented, it forms a suitable base for real-time systems. CLOCK is responsible for accounting of CPU usage,
The kernel is locked only when this is absolutely re- scheduling another process when a process’ quantum
quired to prevent race conditions. Whenever a hardware expires, managing watchdog timers, and interacting

5
with the hardware clock. It does not have a publicly-
accessible user interface like SYS.
When the system starts up, CLOCK programs the hard-
ware clock’s frequency and registers an interrupt handler
that is run on every clock tick. The handler does only
basic integer operations, that is, it increments a process’
user or system time and decrements the scheduling quan-
tum. If the a new process must be scheduled or an alarm
is due, a notification is sent to CLOCK to do the real work
at the task level. This minimizes the hardware interrupt
latency, because kernel tasks can be preempted.
Although CLOCK has no direct interface from user
space, its services can be accessed through the ker-
nel calls handled by SYS. The most important call is
SYS ALARM that allows system processes to schedule
a synchronous alarm that causes a ‘timeout’ notifica-
tion upon expiration. The alarm is synchronous because
CLOCK the notification message is only delivered when
the client indicates it is ready to receive it.
As an aside, the POSIX alarm that is available to or-
dinary user applications is handled by the user-mode
process manager server, and causes an asynchronous
SIGALRM signal.
4 THE USER-MODE SERVERS
On top of the kernel we have implemented a multiserver
operating system. The core components of this sys-
tem are shown in Fig. 6. Apart from the device drivers
and user processes this constitutes the trusted computing
base. Most of the servers are relatively small and sim-
ple. The sizes approximately range from 1000 to 3000
LoC per server, which makes them easy to understand
and maintain. The components are discussed below.
We first give some examples to illustrate how our mul-
tiserver operating system actually works. Fig. 6 also
shows some typical IPC interactions initiated by user
processes. Although the POSIX operating system inter-
face is implemented by multiple servers, system calls are
transparently targeted to the right server by the system
libraries. Four examples are given below:
(1) The user process that wants to create a child pro-
cess calls the fork() library function, which sends a re-
quest message to the process manager (PM). PM verifies
that a process slot is available, asks the memory man-
ager (MM) to allocate memory, and instructs the kernel
to create a copy of the process.
(2) A read() or write() call, in contrast, is sent to FS.
If the requested block is available in the buffer cache,
FS asks the kernel to copy it to the user. Otherwise it first
sends a message to the disk driver asking it to retrieve the
block from disk. The driver sets an alarm, commands the
disk controller through a device I/O request to the kernel,
and awaits the hardware interrupt or timeout notification.
6
User User User
OS
User space
Interface
FS PM RS
driver MM DS
Kernel space
KERNEL
SYS CLK
Figure 6: The core components of the full multiserver operat-
ing system, and some typical IPC paths. Top-down IPC uses
synchronous requests, whereas bottom-up IPC is done with
asynchronous notifications.
For character devices the user process may be suspended
until the driver notifies FS that the data is ready.
(3) Additional servers and drivers can be started on the
fly by requesting the reincarnation server (RS). RS then
forks a new process, assigns all needed privileges, and,
finally, executes the given path in the child process (not
shown in the figure). Information about the new system
process is published in the data store (DS), which allows
parts of the operating system to subscribe to updates in
the operating system configuration.
(4) Although not a system call, it is interesting to
see what happens if a user or operating system pro-
cess causes an exception, for example, due to an invalid
pointer. In this event, the kernel’s exception handler no-
tifies PM, which transforms the exception into a signal or
kills the process when no handler is registered. Recovery
in case of operating system failures is discussed below.
Design Principle The general design principle that led
to the above set of servers is that each process should be
limited to its core business. Having small, well-defined
services helps to keep the implementation simple and
understandable. As in the original UNIX philosophy,
each server has limited responsibility and power, as is
reflected in its name.
For example, FS must interact with drivers, but should
not be checking for weird driver failures like non-
responsiveness. Although FS could manage driver time-
outs itself, this would complicate its design and imple-
mentation. Therefore, it relies on a separate component,
RS, which is responsible for the system’s well-being. If
FS hangs on a driver, RS will detect that the driver is
not responding, and will kill the driver and revive FS.
Although killing a nonresponsive driver seems harsh, a
properly designed driver must adhere to the protocol and
return an error code to FS if it cannot fulfill the request.
Multiserver Protocol Although our IPC facilities are
fairly reliable by design, as discussed in Sec. 3.1, they
cannot prevent deadlocks. Therefore, we devised a mul-
tiserver protocol that ensures that synchronous messages
are sent in one only direction. There is a loose layering
based on who can make requests to whom. User pro-
cesses can call the servers, servers can call each other
and drivers, and servers and drivers can call the kernel.
IPC in the opposite direction is done using the nonblock-
ing notification mechanism.
Another aspect of the multiserver protocol is that we
try to minimize copying to prevent loss of performance.
The number of copies required for I/O is precisely the
same as in a monolithic system. Although there are more
context switches because a user process, the file server,
and a driver must interact, no intermediate copies are
required. For example, I/O for character devices is no
buffered. All data is directly copied between the user
process and the device driver.
4.1 Core Components
This section discusses the core components shown in
Fig. 6. We will focus on design decisions that are spe-
cific to the multiserver aspects of the system.
4.1.1 Process Manager (PM)
PM is responsible for process management such as cre-
ating and removing processes, assigning process identi-
fiers and priorities, and controlling the flow of execution.
Furthermore, PM maintains relations between processes,
such as process groups and parent-child blood lines. The
latter, for example, has consequences for exiting pro-
cesses and accounting of CPU time.
Although the kernel provides mechanisms, for exam-
ple, to set up the CPU registers, PM implements the pro-
cess management policies. As far as the kernel is con-
cerned all processes are similar; all it does is schedule
the highest-priority ready process.
Signal Handling PM is also responsible for POSIX
signal handling. When a signal is to be delivered, by
default, PM either ignores it or kills the process. Ordi-
nary user processes can register a signal handler to catch
signals. In this case, PM interrupts pending system calls,
and puts a signal frame on the stack of the process to run
the handler. This approach is not suitable for system pro-
cesses, however, as it interferes with IPC. Therefore, we
implemented an extension to the POSIX sigaction() call
so that system processes can request PM to transform sig-
nals into notification messages. Since event notification
messages have the highest priority of all message types,
signals are delivered promptly.
7
4.1.2 File Server (FS)
FS manages the file system. It is an ordinary file server
that handles standard POSIX calls such as open(), read(),
and write(). More advanced functionality includes sup-
port for symbolic links and the select() system call. FS is
also the interface to the network server.
For performance reasons, file system blocks are
buffered in FS’ buffer cache. To maintain file system
consistency, however, crucial file system data structures
use write-through semantics, and the cache is periodi-
cally written to disk.
Since the file server runs as an isolated process that
is fully IPC driven, it can be replaced with a different
one to serve other file systems, such as FAT. Moreover, it
should be relatively straightforward to transform FS into
a network file server that runs on a remote host.
Device Driver Handling Because device drivers can
be dynamically configured, FS maintains a table with
the mapping of major numbers onto specific drivers. As
discussed below, FS is automatically notified of changes
in the operating system configuration through a publish-
subscribe system. This decouples the file server and the
drivers it depends on.
A goal of our research is to automatically recover
from common driver failures without human interven-
tion. When a disk driver failure is detected, the sys-
tem can recover transparently by replacing the driver and
rewriting the blocks from FS’ buffer cache. For character
devices, transparent recovery sometimes is also possible.
Such failures are pushed to user space, but may be dealt
with by the application if the I/O request can be reissued.
A print job, for example, can be reissued by the print
spooler system.
4.1.3 Memory Manager (MM)
To facilitate ports to different architectures, we use
a hardware-independent, segmented memory model.
Memory segments are contiguous, physical memory ar-
eas. Each process has a text, stack, and data segment.
System processes can be granted access to additional
memory segments, such as the video memory or the
RAM disk memory. Although the kernel is responsible
for hiding the hardware-dependent details, MM does the
actual memory management.
MM maintains a list of free memory regions, and can
allocate or release memory segments for other system
services. Currently MM is integrated into PM and pro-
vides support for Intel’s segmented memory model, but
work is in progress to split it out and offer limited virtual
memory capabilities, for example, shared libraries.
 We will not support demand paging, however, because
we believe physical memory is no longer a limited re-
source in most domains. We strive to keep the code sim-
ple and eliminate complexity whenever possible. Swap-
ping segments to disk would be easy to add, but in the
interest of simplicity we have not done so.
4.1.4 Reincarnation Server (RS)
RS is the central component responsible for managing
all operating system servers and drivers. While PM is
responsible for process management in general, RS deals
with only privileged processes. It acts as a guardian and
ensures liveness of the operating system.
Administration of system processes also goes through
RS. A utility program, service, provides the user with a
convenient interface to RS. It allows the system adminis-
trator to start and stop system services, (re)set their poli-
cies, or gather statistics. For optimal flexibility in spec-
ifying policies a shell script can be set to run on certain
events, including device driver crashes.
Fault Set The fault set that RS deals with are protocol
errors, transient failures, and aging bugs. Protocol errors
mean that a system process does not adhere to the mul-
tiserver protocol, for example, by failing to respond to a
request. Transient failures are problems caused by spe-
cific configuration or timing issues that are unlikely to
happen. Aging bugs are implementation problems that
cause a component to fail over time, for example, when
it runs out of buffers due to memory leaks.
Logical errors where a server or driver perfectly ad-
heres to the specified system behavior but fails to per-
form the actual request are excluded. An example of a
logical error is a printer driver that accepts a print job and
confirms that the printout was successfully done, but, in
fact, prints garbage. Such bugs are virtually impossible
to catch in any system.
Fault Detection and Recovery During system initial-
ization RS adopts all processes in the boot image as its
children. System processes that are started later, also be-
come children of RS. This ensures immediate crash de-
tection, because PM raises a SIGCHLD signal that is de-
livered at RS when a system process exits.
In addition, RS can check the liveness of the system.
If the policy says so, RS does a periodic status check,
and expects a reply in the next period. Failure to respond
will cause the process to be killed. The status requests
and the consequent replies are sent using a nonblocking
event notification.
Whenever a problem is detected, RS can replace the
malfunctioning component with a fresh copy. The asso-
ciated policy script, however, might not restart the com-
8
ponent, which is useful, for example, for development
purposes. Another policy might use a binary exponen-
tial backoff protocol when restarting components to pre-
vent clogging the system due to repeated failures. In any
event, the problems are logged so that the system admin-
istrator can always find out what happened. Optionally,
an e-mail can be sent to a remote administrator.
Failed components can be restarted from a fresh copy
on disk except for the disk driver, which is restarted from
a copy kept in RAM.
4.1.5 Data Store (DS)
DS is a small database server with publish-subscribe
functionality. It serves two purposes. First, system pro-
cesses can use it to store some data privately. This redun-
dancy is useful in the light of fault tolerance. A restarting
system service, for example, can request state that it lost
when it crashed. Such data is not publicly accessible.
Second, the publish-subscribe mechanism is the glue
between operating system components. It provides a
flexible interaction mechanism and elegantly reduces de-
pendencies by decoupling producers and consumers. A
producer can publish data with an associated identifier.
A consumer can subscribe to selected events by specify-
ing the identifiers or regular expressions it is interested
in. Whenever a piece of data is updated DS automat-
ically broadcasts notifications to all dependent compo-
nents. Although we currently do not do this, in future,
drivers could announce every request message and I/O
completion to DS. In this manner, if a driver crashes, its
replacement could find out what work was pending, sim-
ilar to the shadow drivers in Nooks [19].
Naming Service IPC endpoints are formed by the pro-
cess and generation numbers, which are controlled and
managed by the kernel. Because every process has a
unique IPC endpoint, system processes cannot easily find
each other. Therefore, we introduced stable identifiers
that consist of a natural language name plus an optional
number. The identifiers are globally known. Whenever
a system process is (re)started RS publishes its identifier
and the associated IPC endpoint at DS for future lookup
by other system services.
In contrast to earlier systems, such as Mach, our nam-
ing service is a higher-level construction that is realized
in user space. Mach provided stable IPC endpoints in the
kernel, namely the ‘port’ mechanism, to which a client
and server could attach. This required bookkeeping in
the kernel and did not solve the problems introduced by
exiting and reappearing system services. We have inten-
tionally pushed all this complexity to user space.
Error Handling Since fault tolerance is an explicit de-
sign goal, the naming service is an integral part of the de-
sign. The publish-subscribe mechanism of DS makes it
very suitable to inform other processes of changes in the
operating system. Moreover, recovery of, say, a driver is
made explicit to the services that depend on it.
For example, FS subscribes to the identifier for the disk
drivers. When the system configuration changes, DS no-
tifies FS about the event. FS then calls back to find out
what happened. If FS discovers that a driver has been
restarted, it tries to recover transparently to the user.
4.1.6 Device Drivers
All operating systems hide the raw hardware under a
layer of device drivers. Consequently, we have imple-
mented drivers for ATA, S-ATA, floppy, and RAM disks,
keyboards, displays, audio, printers, serial line, various
Ethernet cards, etc.
Although device drivers can be very challenging, tech-
nically, they are not very interesting in the operating sys-
tem design space. What is important, though, is each of
ours runs as an independent user-mode process to prevent
faults from spreading outside its address space and make
it easy to replace a crashed or looping driver without a
reboot. This is the self-healing property referred to in the
title. While other people have measured the performance
of user-mode drivers [10], no currently-available system
is self-healing like this.
We are obviously aware that not all bugs can be elim-
inated by restarting a failed driver, but since the bugs
that make it past driver testing tend to be timing bugs
or memory leaks rather than algorithmic bugs, a restart
often does the job.
4.2 Optional Components
In addition to the core components discussed above, sev-
eral operating system services are started on the fly with
help of RS. The most important ones are discussed here.
4.2.1 Information Server (IS)
Debugging dumps are centrally managed by IS. Instead
of polluting each server with a mechanism to make debug
dumps, servers only have to implement a method to allow
IS to retrieve a copy of their data structures, and IS han-
dles all user interaction. If a function key is pressed, the
associated data structure is copied to IS’ memory space, a
formatted dump is displayed on the primary console, and
the data are automatically logged for later inspection.
Although IS is an optional component, it is auto-
matically started by the startup scripts for convenience.
To encourage development and experimentation, IS pro-
vides screendumps of the system’s most crucial data
9
structures at any time. Examples include the process ta-
ble of the kernel or PM, the device driver mappings at FS,
and the status of privileged processes at RS.
4.2.2 Network Server (INET)
The network server, INET, implements TCP/IP in user
space. The interface offered to the application program-
mer are BSD sockets. As with other I/O handles, sockets
are managed by the file server, but FS transparently for-
wards networking requests to INET, which manages both
TCP streams and UDP datagrams.
Like FS, INET requests DS to be notified about con-
figuration of Ethernet drivers, and can handle driver
crashes. Since the TCP protocol prescribes retransmis-
sions of lost packets (and lost datagram are explicitly al-
lowed by the UDP protocol), INET can fully recover from
Ethernet driver failures transparent to the user.
4.2.3 X Window System (X)
To demonstrate that our ideas are practical in real UNIX-
like systems, we have ported a recent version of the X
Window System. X provides a client-server interface
between display hardware and the desktop environment.
We have successfully run large GUI applications, includ-
ing the Firefox browser, over a network. A downside of
X is that it is a large, monolithic window system, but it
clearly shows that our system can run real-world soft-
ware. Future work might include porting a small, modu-
lar window system.
5 BENEFITS OF THIS DESIGN
Although the main reason for using a multiserver archi-
tecture is achieving extremely high reliability, there are
other advantages of this approach. In this section, we will
highlight some benefits of our system for programmers,
system administrators, and end users.
5.1 Programming Environment
With the multiserver design in place, development of
new components is much easier due to a shortened de-
velopment cycle. With help of RS, drivers can be started
and tested just like other user programs, lengthy builds of
the entire operating system are not needed, and no reboot
of the system is required to test a new driver. This may
increase programmer productivity, and lead to a shorter
time-to-market.
Since drivers run as isolated user-mode processes, the
consequences of a bad driver are limited and debugging
becomes easier. After a driver crash, RS simply logs the
problem, and the developer can continue immediately.
No need for a reboot and a check of the file system.
Crashes result in core dumps that can be inspected and
debugged using normal tools.
The programming model is more convenient, because
the user-mode programming model is much closer to
the POSIX standard than the restricted kernel API. This
lowers the barrier for experimentation by new users and
might improve driver quality. Furthermore, user-mode
drivers enforce a proper design respecting interfaces,
which leads to cleaner code.
Finally, there is good accountability. RS logs all com-
ponent crashes so that it is clear where the error occurred.
This might have legal liability implications for the devel-
oper, and lead to more carefully crafted drivers.
5.2 System Administration
The multiserver approach also makes system administra-
tion much easier due to the presence of many small, well-
understood, self-contained modules instead of a massive
kernel. As mentioned above, the kernel consists of less
than 4000 LoC and the core servers are even smaller.
This improves the system’s maintainability, because the
components are easy to understand and can be main-
tained independently from each other, as long as the in-
terfaces between them are respected.
Because the operating system can be dynamically con-
figured, a system administrator can quickly respond to
security breaches. Instead of applying a patch and re-
booting the system, a malfunctioning device driver can
be replaced with a new one on the fly. This allows up-
dates without loss of service or downtime.
Configurability The multiserver model makes it easy
to configure a system. The core components are always
present to provide the basic operating system services,
but optional components can be installed and loaded at a
later time, without having to reboot the system.
Small consumer appliances, such as mobile phones
and PDAs, and embedded systems need a small, con-
figurable operating system. Trying to squeeze a large
monolithic system like Linux into a small device requires
much more effort than mixing and matching parts from a
modular system that started small.
5.3 End-User Reliability
In the previous sections we already discussed how multi-
ple, independent servers and drivers help to improve the
end-user reliability of an operating system. Our system’s
major reliability features are briefly summarized below.
Structural Measures The system is designed to pre-
vent problems from occurring in the first place. For ex-
10
ample, in the design of our device drivers we use shared
library code. This helps to improve reliability since the
code is thoroughly tested by the many drivers that use it.
We also postpone initialization of drivers until their first
use so that they cannot hang the system at boot time.
The use of separate memory segments protects against
many types of buffer overruns. Code injection is no
longer possible because the text segment is read-only and
the stack and data segment are not executable. Conse-
quently, even if a buffer overrun injects a worm or virus
onto the stack, this code cannot be executed. While other
types of attacks exist, for example, the return-to-libc at-
tack, they are harder to exploit.
Problem Detection Since all operating system ser-
vices run as separate user-mode process, we can de-
tect many problems, just like we can for ordinary appli-
cations. Invalid pointers or illegal access attempts are
caught by MMU and will cause a signal from PM. The
scheduler’s feedback mechanism tames infinite loops by
lowering a process’ priority. Furthermore, a process’ se-
curity policy is checked whenever it makes a system call.
Security Policies Each user, server, and driver process
has an associated policy that specifies what it can do.
Only the minimal privileges needed to perform the task
are given, according to the principle of least authority. In
contrast, in a monolithic operating system it usually is
not possible to precisely restrict individual components.
Driver access to I/O ports can be limited by a range
stored in the kernel’s process table. In this way, if, say,
the printer driver tries to write to the disk’s I/O ports, the
kernel can prevent the access. Stopping rogue DMA is
not possible with current hardware, but as soon as an I/O
MMU is added, we can prevent that, too.
Furthermore, we can tightly restrict the IPC capabili-
ties of each process, as discussed in Sec. 3.1. User appli-
cations, for example, can use only IPC REQUEST and to
only a subset of the operating system servers.
Fault Detection and Recovery Sec. 4.1 discussed how
RS deals with crashes at the operating system level. RS
provides immediate crash detection and does periodic
status checks if the policy says so. Depending on the
policy, failing components are automatically restarted.
If a block device driver fails FS can provide transparent
recovery to the application level by flushing its buffer
cache. For character device drivers the error is pushed to
the user level, where transparent recovery is sometimes
possible. Typically, daemons need to be rewritten to retry
instead of giving up on the first failure.
6 PERFORMANCE
Multiserver systems based on microkernels have been
criticized for decades because of alleged performance
problems. We argue that a modular system need not
be slow due to additional copying and context-switching
overhead introduced when multiple servers cooperate to
perform a task. While this was the case for some early
microkernel systems, current multiserver systems have
competitive performance.
To illustrate the case, BSD UNIX on top of the early
Mach microkernel was well over 50% slower than the
normal version of BSD UNIX, and led to the impres-
sion of microkernels being slow. Modern microkernels,
however, have proven that high performance actually can
be realized. L4 Linux on top of L4, for example, has
a performance loss of about 5% [6]. Another project
recently demonstrated that a user-mode gigabit Ether-
net can achieve the same performance as a kernel-mode
driver up to 750 Mbps. Above that throughput for the
user-mode driver dropped by 7% [10].
We have done extensive measurements of our system
and presented the results in a technical report [7]. We can
summarize these results (done on a 2.2 GHz Athlon) as
follows. The simplest system call, getpid, takes 1.011 mi-
croseconds, which includes two messages and four con-
text switches. Rebuilding the full system, which is heav-
ily disk bound, has an overhead of 7%. Jobs with mixed
computing and I/O, such as sorting, sedding, grepping,
prepping, and uuencoding a 64-MB file have overheads
of 4%, 6%, 1%, 9%, and 8%, respectively. The system
can do a build of the kernel and all user-mode servers and
drivers in the boot image within 6 sec. In that time it per-
forms 112 compilations and 11 links (about 50 msec per
compilation). Fast Ethernet easily runs at full speed, and
initial tests show that we can also drive gigabit Ethernet
at full speed. Finally, the time from exiting the multiboot
monitor to the login prompt is under 5 sec.
It has to be noted that the prototype incorporates many
new security checks that cause some overhead. Further-
more, we did not yet do any performance optimizations.
Careful analysis and removal of bottlenecks may boost
the performance. We believe a performance penalty of
less than 5% is realistic.
7 RELATED WORK
In this section we review some related operating systems.
Note that we survey complete operating systems and not
individual kernels to make the comparison fair. In other
words, we compare our complete POSIX-conformant
operating system to other systems that provide a com-
parable full system call interface.
11
7.1 Virtual Machines and Exokernels
Virtual machines [16] and exokernels [3] do not provide
a hardware abstraction layer like (other) operating sys-
tems. Instead, they respectively duplicate or partition
available hardware resources so that multiple operating
systems can run next to each other with the illusion of
having a private machine. A virtual machine monitor
or exokernel runs in kernel mode and is responsible for
the protection of resources and multiplexing hardware re-
quests, whereas each operating system runs in user mode,
fully isolated from each other. These technologies pro-
vide an interface to an operating system, but do not repre-
sent a complete system by themselves. Neither approach
solves the problem we try to tackle: how to build a reli-
able operating system that can heal itself after a fatal bug
has been triggered in a device driver or server.
7.2 Monolithic Systems
A monolithic system runs the entire operating system in
kernel mode without proper fault isolation. Although
these properties negatively affect the system’s reliability,
as discussed in Sec. 2.1, many operating systems have a
monolithic design.
Windows XP and Vista Microsoft Windows XP is an
example of a monolithic system that runs the entire op-
erating system in kernel mode. Although Microsoft once
tried to put some components to user space, the perfor-
mance penalty was deemed too high.
Faster hardware and consumer demands for reliabil-
ity made Microsoft revisit this design decision. In Vista,
Microsoft has plans to run many device drivers and the
graphics subsystem in user mode, thus demonstrating
that Microsoft has come to the same insight that we have:
user-mode drivers are the way to go.
Linux and Isolated Drivers Linux has basically the
same monolithic style as Windows. One major differ-
ence with Windows is that the graphics subsystem in
Linux—like other UNIX system—has always been in
user space. As the system ages, it acquires more and
more functionality that ends up in the kernel, with all
consequences for maintainability and reliability.
An important project to improve the reliability of com-
modity systems such as Linux is Nooks [19, 20]. Nooks
keeps device drivers in the kernel but transparently en-
closes them in a kind of lightweight protective wrapper
so that driver bugs cannot propagate to other parts of the
operating system. All traffic between the driver and the
rest of the kernel is inspected by the reliability layer.
Another project uses virtual machines to isolate de-
vice drivers from the rest of the system [11, 12]. When
a driver is called, it is run on a different virtual machine
than the main system so that a crash or other fault does
not pollute the main system. In addition to isolation,
this technique enables unmodified reuse of device drivers
when experimenting with new operating systems.
A recent project ran Linux device drivers in user mode
with small changes to the Linux kernel [10]. This work
shows that drivers can be isolated in separate user-mode
processes without significant performance degradation.
While isolating device drivers helps to improve the
reliability of legacy operating systems, we believe a
proper, modular design from scratch gives better results.
This includes encapsulating all operating system com-
ponents (e.g., file system, memory manager) in indepen-
dent, user-mode processes.
Mac OS X Apple MacOS X is yet another example
of a monolithic kernel, but it has a layered kernel struc-
ture. The lowest layer is a microkernel based on Mach.
The BSD UNIX personality is part of the kernel, as
are various other components. This makes it simply a
differently-structured monolithic kernel, but does not add
many reliability features.
VxWorks VxWorks is a POSIX-compliant, real-time
operating system, generally used in embedded systems.
The core of VxWorks is indicated as the ‘Wind’ micro-
kernel, but, in fact, the kernel contains the operating sys-
tem, including device drivers, and thus has a monolithic
structure. VxWorks has historically provided only ker-
nel mode, requiring users to develop exclusively in this
mode. Only recently, VxWorks AE provided a real-time
process model that enables memory protection between
processes. While this allows to run isolated user-mode
applications, it is up to the developer to enable the pro-
tection; ours is mandatory.
CapROS and Coyotos CapROS is a persistent,
capability-based system designed to be highly reliable,
and is based on EROS [17]. The kernel includes crit-
ical drivers and the persistence manager. The fact that
device drivers are tolerated in the kernel means that a
driver bug might bring down the entire system. Although
persistence allows processes to be resumed as of the last
checkpoint, we believe it is better to prevent a full oper-
ating system crash in the first place.
Coyotos is also based on EROS, but will be exploring
the limits of software verification in operating systems.
It uses a new programming language, BitC, with a well-
defined semantics to formally verify security and correct-
ness properties. Coyotos has not been released and little
has been published about it.
12
7.3 Single-Server Systems
While these systems are more modular than the previ-
ous examples, the operating system still runs as a huge,
monolithic server. Several systems follow this design.
L4 Linux-based Systems A typical example of a
single-server system is L4 Linux, in which Linux is run
on top of the L4 microkernel. User processes obtain
operating system services by making remote procedure
calls to the Linux server using L4’s IPC mechanism.
Measurements show the performance penalty over native
Linux to be about 5% [6].
A real-time system built with help of L4 Linux is
DROPS [5]. It is targeted toward multimedia applica-
tions. However, most of the device drivers still run as
part of a big L4 Linux server, with only the multimedia
subsystem running separately.
Perseus [13] is another L4 Linux-based system. It
was designed to provide secure digital signatures while
still supporting legacy applications for Linux. L4 Linux
is used for most operations, but whenever a document
needs to be signed control is given to a trusted subsys-
tem that includes a signature server.
The problem with all these systems is that a single bug
in, say, a device driver can still crash the entire operat-
ing system server. The only gain of this design from a
reliability point of view is a faster reboot.
7.4 Multiserver Systems
Multiserver operating systems distribute functionality
over multiple, isolated components. Although several
multiserver systems exists, to the best of our knowledge,
nobody has yet built and released a working, fully mod-
ular, open-source, multiserver operating system.
SawMill Linux SawMill Linux [4] is a sophisticated
approach is to split the operating system into pieces
and run each one in its own protection domain. While
the system was designed to be fully modular, the fo-
cus was on efficiency instead of reliability. As discussed
in Sec. 2.3, the project was abruptly terminated in 2001
when many of the principals left IBM, and the only out-
come was a rudimentary, unfinished prototype.
Mach-US In Sec. 2.2, Mach-UX was mentioned as ex-
ample of a single-server system. A later project known
as Mach-US [18] tried to split to operating system into a
set of servers, each of which supports orthogonal system
services, much like our system. However, like SawMill
Linux, this system never left the development stage.
Singularity A recent multiserver system developed by
Microsoft Research is Singularity [9]. In contrast to
other systems, Singularity is based on language safety
and bypasses hardware protection offered by the MMU.
The trusted base consists of parts of the kernel and run-
time system that are not verifiably safe. The operating
system is run on top of the kernel as a set of verifiably-
safe, software-isolated servers, each running under the
control of its own run-time system. A contract speci-
fies allowable interactions via state machine-driven IPC
declarations. These contracts can be statically verified,
but are complex and hard to get correct without knowl-
edge of formal specifications. Building applications for
Singularity means a paradigm shift for the programmer,
making it less suitable for large-scale adoption.
Symbian OS This operating system is designed for
small, handheld devices, especially mobile phones.
Symbian shares many characteristics with monolithic
systems. For example, process management, memory
management, device drivers, and dynamically loadable
modules all are implemented in the kernel. Only the
file server, and the networking and telephony stacks are
hosted in user-mode servers.
QNX This is a closed-source, commercial UNIX-like
real-time operating systems [8]. Although QNX has a
multiserver design, from recent information sheets we
conclude that the QNX kernel, Neutrino, contains pro-
cess management and other functions which could have
been removed. Furthermore, QNX does not have a
POSIX-conformant API.
Nemisis Yet another multiserver operating system con-
taining user-mode device drivers [14]. This system had
a single address space shared by all processes, but with
hardware protection between processes. Like DROPS,
it was aimed at multimedia applications, but it was not
POSIX conformant, or even UNIX like.
8 CONCLUSIONS
We have demonstrated that it is feasible to build a highly-
reliable, multiserver operating system with a perfor-
mance loss of only 5% to 10%. We have discussed the
design and implementation of a serious, stable, prototype
that currently runs hundreds of standard UNIX applica-
tions, including two C compilers, language processors
(e.g., awk, bison, flex, perl, python, yacc), many editors
(e.g., emacs, nvi, vim, elvis, elle), networking (e.g., tel-
net, ftp, kermit, talk, wget), and all the standard shell, file,
text manipulation, and other UNIX (and GNU) utilities.
13
Our system represents a new data point in the spec-
trum from monolithic to fully modular structure. The
design of consists of a small kernel running the entire
operating system as a collection of independent, isolated,
user-mode processes. While people have tried to produce
a fully modular microkernel-based UNIX clone with de-
cent performance for years (such as GNU Hurd), we have
actually done it, tested it heavily, and released it.
The kernel implements only the minimal mechanisms
required to build an operating system upon. It provides
IPC, scheduling, interrupt handling, and contains two
kernel tasks (SYS and CLOCK) to support the user-mode
operating system parts. The core servers are the process
manager (PM), memory manager (MM), file server (FS),
reincarnation server (RS), and data store (DS). Since the
size of these components ranges from about 1000 to 4000
lines of code, they are easy to understand and maintain.
Additional operating system services, such as device
drivers, the information server (IS), window system (X),
and network server (INET), can be started on the fly and
are guarded by RS. The system is robust and self heal-
ing, so that it can withstand and automatically recover
from common failures in these components, transparent
to applications and without user intervention.
9 ACKNOWLEDGMENTS
We thank Chandana Gamage, Kemal Bicakci, and Bruno
Crispo for critically reviewing the paper.
This work was supported by the Dutch Organization
for Scientific Research (NWO) under grant 612-060-420.
10 AVAILABILITY
The system is called MINIX 3 because we started with
MINIX 2 and then modified it very heavily. Starting from
a known base, we were spared the task of writing boring
pieces of code, such as device drivers, interrupt handlers,
and part of a file system. The resulting system has only a
passing resemblance to MINIX 2; it is really a completely
new system, but for historical reasons, we settled on the
name MINIX 3.
MINIX 3 is free, open-source software, available via
the Internet. You can download MINIX 3 from the offi-
cial homepage at: http://www.minix3.org/, which also con-
tains the source code, documentation, news, contributed
software packages, and more. Over 100,000 people have
downloaded the CD-ROM image in the first 3 months, re-
sulting in a large and growing user community that com-
municates using the USENET newgroup comp.os.minix.
MINIX 3 is actively being developed, and your help and
feedback are much appreciated.
 View publication stats

References [13] P FITZMANN , B., AND S T ÜBLE , C. Perseus: A Quick

[1] ACCETTA , M., BARON , R., B OLOSKY, W., G OLUB , D.,
R ASHID , R., T EVANIAN , A., AND YOUNG , M. Mach:
A New Kernel Foundation for UNIX Development. In
Proc. of USENIX’86 (1986), pp. 93–113.
[2] C HOU , A., YANG , J., C HELF, B., H ALLEM , S., AND
E NGLER , D. An Empirical Study of Operating System
Errors. In Proc. 18th ACM Symp. on Oper. Syst. Prin.
(2001), pp. 73–88.
[3] E NGLER , D., K AASHOEK , M., AND J. O’T OOLE ,
J. Exokernel: an operating system architecture for
application-level resource management. In Proc. 15th
ACM Symp. on Oper. Syst. Prin. (1995), pp. 251–266.
[4] G EFFLAUT, A., JAEGER , T., PARK , Y., L IEDTKE ,
J., E LPHINSTONE , K., U HLIG , V., T IDSWELL , J.,
D ELLER , L., AND R EUTHER , L. The SawMill Multi-
server Approach. In ACM SIGOPS European Workshop
(Sept. 2000), pp. 109–114.
[5] H ÄRTIG , H., BAUMGARTL , R., B ORRISS , M.,
H AMANN , C.-J., H OHMUTH , M., M EHNERT, F.,
R EUTHER , L., S CHONBERG , S., AND W OLTER , J.
DROPS OS Support for Distributed Multimedia Appli-
cations. In Proc. 8th ACM SIGOPS European Workshop
(Sept. 1998), pp. 203–209.
[6] H ÄRTIG , H., H OHMUTH , M., L IEDTKE , J.,
S CH ÖNBERG , S., AND W OLTER , J. The Perfor-
mance of -Kernel-Based Systems. In Proc. 6th Symp. on
Oper. Syst. Design and Impl. (Oct. 1997), pp. 66–77.
[7] H ERDER , J. N., B OS , H., AND TANENBAUM , A. S.
A Lightweight Method for Building Reliable Operating
Systems Despite Unreliable Device Drivers. In Technical
Report (Jan. 2006).
[8] H ILDEBRAND , D. An Architectural Overview of QNX.
In Proc. USENIX Workshop in Microkernels and Other
Kernel Architectures (Apr. 1992), pp. 113–126.
Open-source Path to Secure Signatures. In 2nd Workshop
on Microkernel-based Systems (2001).
[14] ROSCOE , T. The Structure of a MultiService Operating
System. Ph.D. Dissertation, Cambridge University.
[15] S ALTZER , J., AND S CHROEDER , M. The Protection of
Information in Computer Systems. Proceedings of the
IEEE 63, 9 (Sept. 1975).
[16] S EAWRIGHT, L., AND M AC K INNON , R. VM/370—A
Study of Multiplicity and Usefulness. IBM Systems Jour-
nal 18, 1 (1979), 4–17.
[17] S HAPIRO , J. S., S MITH , J. M., AND FARBER , D. J.
EROS: A fast capability system. In Proc. 17th Symp. on
Oper. Syst. Design and Impl. (Dec. 1999), pp. 170–185.
[18] S TEVENSON , J. M., AND J ULIN , D. P. Mach-US: UNIX
On Generic OS Object Servers. In Proc. USENIX’95 (Jan.
1995), pp. 119–130.
[19] S WIFT, M., A NNAMALAI , M., B ERSHAD , B., AND
L EVY, H. Recovering Device Drivers. In Proc. 6th Symp.
on Oper. Syst. Design and Impl. (2004), pp. 1–15.
[20] S WIFT, M., B ERSHAD , B., AND L EVY, H. Improving
the Reliability of Commodity Operating Systems. ACM
Trans. on Comp. Syst. 23, 1 (2005), 77–110.
[21] TANENBAUM , A. S., AND W OODHULL , A. S. Operat-
ing Systems Design and Implementation, 1st ed. Prentice-
Hall, 1987.
[22] T.J. O STRAND AND E.J. W EYUKER. The Distribution of
Faults in a Large Industrial Software System. In Proc. of
the 2002 ACM SIGSOFT Int’l Symp. on Software Testing
and Analysis (2002), ACM, pp. 55–64.
[23] T.J. O STRAND AND E.J. W EYUKER AND AND R.M.
B ELL. Where the Bugs Are. In Proc. of the 2004 ACM
SIGSOFT Int’l Symp. on Software Testing and Analysis
(2004), ACM, pp. 86–96.

[9] H UNT, G. C., L ARUS , J. R., A BADI , M., A IKEN ,

M., BARHAM , P., FAHNDRICH , M., H AWBLITZEL , C.,
H ODSON , O., L EVI , S., M URPHY, N., S TEENSGAARD ,
B., TARDITI , D., W OBBER , T., AND Z ILL , B. An
Overview of the Singularity Project. Tech. Rep. MSR-
TR-2005-135, Microsoft Research, Redmond, WA, USA,
Oct. 2005.
[10] L ESLIE , B., C HUBB , P., F ITZROY-DALE , N., G OTZ ,
S., G RAY, C., M ACPHERSON , L., DANIEL P OTTS , Y.-
T. S., E LPHINSTONE , K., AND H EISER , G. User-Level
Device Drivers: Achieved Performance. Journal of Com-
puter Science and Technology 20, 5 (Sept. 2005).
[11] L E VASSEUR , J., AND U HLIG , V. A Sledgehammer Ap-
proach to Reuse of Legacy Device Drivers. In Proc. 11th
ACM SIGOPS European Workshop (Sept. 2004), pp. 131–
136.
[12] L E VASSEUR , J., U HLIG , V., S TOESS , J., AND G OTZ , S.
Unmodified Device Driver Reuse and Improved System
Dependability via Virtual Machines. In Proc. 6th Symp.
on Oper. Syst. Design and Impl. (Dec. 2004), pp. 17–30.

14