Comparing the Architectures of

Component-based Operating
Systems
by Raimi Rufai

Introduction

Researchers in the field of operating systems have made tremendous

progress recently. Early operating systems came with monolithic
kernels and layered architectures like UNIX and THE. Researchers
soon realized the limitations of such inflexible designs. Today, most
modern operating systems such as Windows NT/2000, Mach, Chorus,
etc., are based on the micro-kernel architecture [25].

In the micro-kernel architecture, the kernel provides only the basic

operating system abstractions like processes, memory management,
and inter-process communication (IPC), and all other system services
that used to reside in the kernel are implemented as external
subsystems running in user space. In other words, operating systems
based this architecture have much smaller kernels. Progress in
operating systems has often been marked with shrinking kernel size.
This kernel shrinking phenomenon inspired researchers to coin
different terms to describe these kernel variants: pico-kernel,
submicro-kernel [19], nano-kernel [13], nucleus, etc.

In a number of extensible operating systems like SPACE and Spring,

the kernel, usually called the nucleus, is reduced merely to a thin
veneer on top of hardware exporting very basic abstractions like
portals and domains. Higher-level abstractions like processes, virtual
memory, etc. are implemented in user space and can be configured,
dynamically adapted, unloaded, and replaced. Multiple versions of
standard abstractions can coexist.

The Exokernel architecture marks an extreme example of this trend.

The Exokernel architecture advocates for a total extermination of all
kernel abstractions. After all, no single set of abstractions can meet
the needs of all applications in advance. The Exokernel nucleus is no
more than a skimpy protection sheet over bare hardware. All
standard operating system abstractions are implemented in user
space by library operating systems. Applications may choose to talk
directly to the nucleus or go through any library operating system of
choice. This is clearly a great milestone in our kernel-shrinking
progress. Is it possible to go any further?

The coming of software components marks a turning point in the

design of operating systems. Components are strongly-typed objects
that can be used as the building blocks for a system [15].
Components have clear interfaces that define the services they
provide. Some researchers have begun to experiment with the notion
of completely doing away with the kernel, in the traditional sense.
They want to have something else at the heart of the operating
system that is not a kernel. Some of them would want to have an
Object Request Broker (ORB) managing component interaction,
creation, and destruction, pretty much a la CORBA. Unlike in
traditional operating systems, all tasks in these systems run in
privileged mode. If all tasks run in privileged mode, we will have
trouble stopping them from trying to overwrite each other's data.
These researchers have devised different ways to ensure tasks are
protected from each other. One of such schemes is code scanning, a
novel technique employed in the Go! component-based operating
system. Another recent component-based operating system that we
are going to be looking into closely is the Pebble operating system.
Pebble comes with a miniscule kernel that one can call a pico-kernel,
to connote that it is an extremely small kernel.

Motivation

Modern operating systems are so large and complex that it is

extremely difficult to customize their kernels for specialized use [8].
These operating systems define a fixed set of core abstractions like
processes, IPC, virtual memory, etc. in a generic way. Genericity
often leads to unfairness to certain classes of applications [4]. The
justification for fixing these core abstractions has come under
challenge recently [6], and a number of research projects [2, 1, 4, 7,
8, 10, 11, 22, 27] have sprung up attempting to explore alternatives
to or variants of the micro-kernel architecture that currently
represents the state-of-the-art in modern operating system design.

For any alternative approach to be viable, the following issues must

be addressed:

 The goal of universal applicability in operating systems will

necessitate building dynamic extensibility and configurability
into them
 The need for performance drives the need for minimalism: why
build what you don't need?
 Reliability calls for an effective safety mechanism
 Simplicity is desirable both in design and in usage

Clarke and Coulson [4] have classified the research efforts in this
area into the following classes, based on the level of extensibility of
the systems:

 Build-time extensible systems are only configurable off-line.

Reboot is required before the new configuration can take effect
  Library extensible systems define a minimal nucleus
(sometimes called pico-kernels) and applications can either be
compiled and linked with library operating systems or make
direct use of the minimal kernel facilities
 Reflectively extensible systems rely on the concept of reflection
to dynamically modify system implementation or environment
for application benefit
 Dynamically extensible systems extend kernel functionality by
allowing applications to download extension code into the
kernel address space

All of these categories can profit from component technology

primarily because components are substitutable as long as the
components maintain same interfaces. Components are typically used
to compose systems in building block fashion [15]. One important
feature of components is that they maintain strong interfaces. By
strong interfaces, we mean specifications of what software
components can do rather than how they do them. Thus, the
extensible operating systems research community has turned its
attention towards exploiting component technology in the design of
operating systems. Components can form the building blocks of
operating systems. Moreover, component frameworks such as CORBA
[17], COM [3], and JavaBeans have proven to simplify development,
promote reuse, reduce development time, ease maintenance,
promote scalability, and lead to greater stability and robustness [26,
13].

This article describes recent efforts in this field and compares two
new component based operating systems, namely, Go! [13] and
Pebble [7]. The choice of these two is motivated by their popularity in
current literature, and the fact that they are products of lessons
learned from previously related projects. Thus they could be said to
represent the progress made so far.
Related Work

In Small and Seltzer's paper [24], they have made a comparison of

operating system extension technologies. In what follows, we discuss
a few recent extensible operating system projects. We organize our
discussion along the lines of Clarke and Coulson's classifications [4]
presented earlier.

Build-Time Extensible Systems

Most operating systems we know such as Microsoft Windows

ME/9x/2000, Unix, Linux, etc. fall in this category, since their kernels
can all be extended by anyone by installing some patch or by
modifying the source codes and then rebuilding. In either case, these
systems would almost always require a reboot before these changes
can take effect. However, there are times when rebooting is
unacceptable. In such cases, one of the operating systems discussed
in next three sections might be the way to go.

Library Extensible Systems

Spring [16] is a component-based, multithreaded micro-kernel

distributed operating system that is binary compatible with Unix,
using a Unix emulation subsystem. The main features of Spring
include:

 use of Interface Description Language (IDL) to define strong

interfaces and thus language independence
 micro-kernel architecture wherein most of the system is
implemented as object managers (servers) running in non-
kernel mode often in separate address spaces
 server-based or serverless objects; nucleus supports the
domains (processes), threads, and doors abstractions
  provision of cross protection domain calls (object invocations)
via doors; provisions of security through a combination of
access control lists (ACLs) and software capability mechanisms
 unix emulation provided through an emulation subsystem
implemented as an object manager

The Exokernel [6] project aims at exterminating all operating system

abstractions. The Exokernel architecture defines a minimal nucleus
that merely provides protection over bare hardware. This
demonstrates a very good performance. Common abstractions can be
implemented in user space, and overall the Exokernel design
illustrates the merits of minimalism and simplicity.

Reflectively extensible systems

Apertos [28] is a distributed object-oriented operating system that is

based on a reflective architecture. The reflection follows from an
object/meta-object separation. Each object is associated with a set of
meta-objects that define the object's semantics. This set of meta-
objects is called a meta-space. Each meta-object, being an object
too, is also associated with a meta-space. This way, we have a meta-
hierarchy. The essential thing is that objects can change the
composition of their meta-spaces, and thus modifying their
semantics. This ways new semantics and behavior can replace old
ones in the components of the operating system.

Merlin (now renamed to Self/R) [5] is an object-oriented operating

system developed using the Self programming language. Merlin is
based on a reflective architecture that is very similar to that of the
Apertos operating system. It has the same object/meta-space
association. However, Merlin differs from Apertos in the
implementation of its meta-spaces. We will not go into the details of
this difference here, but interested readers might want to consult De
Assumpção and Kufuji's paper [5] for the details. Merlin achieves
extensibility in the same manner as Apertos.

The CHEOPS operating system [21] is an extensible operating system

that uses reflection for adaptability and extensibility. A Class Object
Manager (COM) manages the loading, removal, and exchange of
components. Components can be dynamically added, removed, and
exchanged thanks to a three level meta-modeling architecture where
each class introduced to the system has a class object and a class-
object-class. The system also maintains meta-level information such
as available classes, the class hierarchy, etc.

Dynamically extensible systems

SPIN [2] supports extensibility by allowing modules to be dynamically

added to the kernel. Protection is based on the use of a type-safe
language (Modula-3), compile-time checks, and dynamic reference
resolution. The core SPIN system services were designed with
extensibility in mind; extensions (written in a type-safe language)
extend the core functionality to specialize system services to
individual applications. Extensions to SPIN are written in Modula-3.
Modula-3 forces extensions to adhere to interfaces, thereby enforcing
modularity. This safety system is implemented through compilation
and run-time checking features. To achieve optimal performance,
extension code is dynamically linked within the kernel address space,
so as to avoid kernel crossings during kernel to extension
communication. The safety of extensions in SPIN depends extensively
on the use of the Modula-3 language. Although a number of
arguments are given as to why this language is appropriate, efficient,
and easy to use, the fact still remains that a great proportion of
existing code is not in Modula-3. Specialization of operating system
code to suit applications is clearly beneficial. Issues relevant to
specialization are efficiency, safety, and flexibility. SPIN demonstrates
that efficiency can be achieved through co-location, and flexibility
through careful design. Safety can also be achieved, but at the cost
of imposing limitations on the language used and/or the extension
code's functionality.

VINO [23] is a downloadable system that uses sand-boxing to

enforce trust and security. Extensions are written in C++ and are
compiled by a trusted compiler that prevents the extension from
accessing text or data outside its own address range, except for
permitted entry points. This trusted code is then downloaded into the
kernel. The major strengths of this method are that performance is
only slightly worse than unprotected C++ and extensions can be
implemented in conventional languages. To facilitate graceful
recovery from an extension failure, VINO runs each extension in the
context of a transaction. If the extension fails or must be aborted
(because it is monopolizing resources), the transaction mechanism
undoes all actions taken by the extension. VINO extensions are bound
with resources, including both applications and files, so extensions
persist across system reboots and kernel upgrades. The VINO kernel
is constructed from a collection of objects. Extensibility is provided by
replacing or overloading specific methods on those objects, resulting
in a limited procedural extensibility model. Moreover, VINO objects
are designed so that all policy decisions are implemented in simple
member functions that can be replaced or overloaded.

MMLite [11] does not define a kernel entity, nor any fixed core
abstractions. Abstractions that are typically designed into an
operating system, such as virtual memory management and inter-
process communication, are loadable components in this system.
MMLite employs a unified programming model that is independent of
the privilege issue (i.e., no user vs. kernel distinction). Mutation
makes possible extensibility down to the granularity of a method call.
Mutation allows methods to be dynamically replaced at clean points.
The Microsoft COM Model is employed and IPC can be LPC or RPC
depending on the location of the caller and the callee (transparent
remote invocation). The focus of the MMLite design is on adaptability,
minimalism, and reusability.

DEIMOS [4] defines no kernel entity. However, the Configuration

Manager (CM) serves the purpose of a micro-kernel guarding access
to shared hardware resources, more or less like the Exokernel
architecture. An abstraction called modules, similar to components, is
the unit of extensibility in DEIMOS. Distinction is made between core
modules, which have privilege status, and application modules. All
modules are loadable and unloadable including the CM module. A
hardware protection mechanism is used to protect the DEIMOS core
modules, but currently application modules are not protected from
each other.

The next two sections describe two recent component-based

operating systems that have recently gained attention of researchers,
e.g. Pebble and Go!.

Pebble

Pebble [7] is a new operating system developed for MIPS-based

processors at the Information Sciences Research Center at Bell-Labs.
Pebble is designed for flexibility, safety, and high performance.
Pebble supports composing an operating system out of fine-grained
components, each running within its own protection domain (PD). A
PD is simply an execution environment, made up of a set of pages
(represented by a page table) and a set of portals stored in the PD's
portal table. The portal is a conceptual generalization of an interrupt
handler, inherited from the SPACE operating system [19]. In Pebble,
PDs may share a portal table as well as pages. The key philosophy
behind the design of Pebble is in making the nucleus as lean as
possible. If anything can be run at the user level, it is removed from
the nucleus and taken to the user level. The nucleus simply switches
between protection domains. User-level operating system
components are the units of extensibility.

Figure 1: Portal traversal in Pebble goes through the nucleus [7].

Pebble implements a safe execution environment by a combination of

hardware memory protection and the portal mechanism. Hardware
memory protection restricts memory access within the PD (i.e., pages
in its page table), while the portal mechanism limits a PD to portals
within its portal table.

Each component running within a PD is made up of one or more

threads. Threads may only transfer control to other PDs by invoking
its PD's portal table.

System services like scheduling, memory management, and virtual

memory are provided by operating system server components (which
run in “user mode” PDs). Unlike application components, server
components are trusted, so they may be granted limited privileges
not afforded to application components.
Pebble can intercept calls made by clients to its servers and then
interpose modifiable code operations of the server, enforce safety
policies and a host of other functions. This is possible because each
portal invocation involves generation of portal-specific code. This
mechanism allows for the optimization of PD traversal codes on a per
portal basis. And this is the basis of Pebble's flexibility and dynamic
extensibility: custom portal traversal codes (Figure 1).

Go!

Go! [13] is a new component-based operating system developed at

the Department of Computing at City University, London. Go! does
away with a dual processor mode address space: All components,
either system components or application components, (together with
an ORB) run in privileged mode. Most components are prevented
from containing instructions that would be illegal in user mode,
through a mechanism called code scanning. When loading a
component, its code section is examined for instructions it is not
sufficiently privileged to execute. Only when a component is free of
such code is it allowed to run.

The ORB only handles component lifetime management and inter-

component method invocation and return (Figure 2). It is
application-level components that manage devices, paging and
handle interrupts, etc.
 Figure 2: Inter-Component Communication is brokered by the ORB
in Go! [8].

The only implementation of Go! available at the time of writing uses a

segmented paged memory scheme on the Intel IA32-based machines
[12]. The orthogonal combination of segmentation with paging has
well known advantages [25]. For example, an address generated by
an instruction (known as a logical address) is converted into a linear
address using the segmentation model. The linear address is then fed
through the paging hardware to generate a physical address [14].

Pebble vs. Go!

In this section, Pebble and Go! are compared based on the following
features:

 protection levels
 protection mechanism
 interrupt handling
 extensibility
 multithreading
 performance
  open-source design

Protection Levels

In Pebble, only the nucleus runs in privilege level 0, while all other
components run in user space. In Go!, however, everything runs in
privilege level 0.

Protection Mechanism

Protection in Pebble is maintained by the hardware paging protection

mechanism. A thread executing within a PD may not access pages
outside the PD's page table. If it must, then it has to go through the
portal mechanism. The portal mechanism will migrate the thread into
the PD that contains the target page. That way it can access the page
table of that PD. This is only possible if the invoking PD has the portal
of the invoked PD listed in its portal table. Normally, when such a
portal traversal happens, the thread loses its access to its source PD
until it returns. There are cases when the portal code would
manipulate the portal table of the invoked PD and/or invoking PD to
give the thread a window into the address space of its source PD.
This window is shut as soon as the thread returns home.

Since all components in Go! run at privilege level 0, they inherently

have access to all memory addresses. This is possible because
hardware memory protection schemes allow a piece of code to access
segments/pages for which its clearance level (privilege level) is lower
than or equal to. Thus, hardware memory protection is not possible
since every piece of code has the most privileged clearance level
(level 0). Go! ensures codes don't access memory locations they are
not authorized to by employing code scanning.

Interrupt Handling
Pebble hides the details of interrupts from higher-level components
and uses only semaphores for synchronization. Any interrupt is
caught in the nucleus by a short trampoline function [7] that merely
invokes the appropriate portal. It obtains this portal from the portal
table of the active thread's PD. Essentially, the nucleus delegates the
interrupt handling to a portal. The invoked portal will then invoke the
interrupt dispatcher server. The interrupt dispatcher determines the
source of the interrupt and performs a V operation on the source's
semaphore. Typically, a thread would already be waiting on that
semaphore. This is an application of the chain-of-control design
pattern.

In Go!, on the other hand, the ORB has no business handling

interrupts. Application level components can handle interrupt since
they also run in the most privileged mode. Typically, an interrupt
handler component will be installed. Here, no mode switching is
required which speeds up interrupt handling tremendously.

Extensibility

The units of extensibility in Pebble are the user-level components.

Extensibility can be achieved either by adding or replacing a user-
level component or via portal interposition. A whole library operating
system may be layered on top of Pebble using this mechanism.

In Go! extensibility is also achieved by installing a new component or

by replacing an existing one. Go!, like Pebble, can also be extended
by installing a library operating system component on top of which
existing binaries that are executable (eg. Exokernel [6]). Multiple
library operating systems may coexist.

Multithreading
Pebble is inherently multithreaded, with the thread abstraction being
part of the system. However, this is not the case for Go!. The Go!
ORB has no notion of threads. However, a server component may
implement a threading model, and application components needing
thread functionality may invoke the services of such a component.
Multiple such thread manager components may coexist, each
implementing the same or different threading model.

Performance

Owing to a number of constraints, the author was unable to compare

the performance levels of both operating systems. Currently, the only
implementation of Pebble we know of runs on a MIPS-base machines,
while Go! runs on Intel IA32-based systems. Ports are, however,
planned for both systems [7, 14]. However, benchmark results,
available at the Go! Homepage [9] suggest that Go! is better in
performance.

Open-source Design

According to information on the Pebble homepage [18], its source

code will soon be made available for non-commercial uses only. On
the other hand, Go! is free and open-source software. It carries the
GPL license. Go! is accessible from its project homepage [9]. What's
more, the Go! project is open to any developer who might want to
contribute.

Concluding Remarks

Whereas the two operating systems adopt the same software

engineering paradigm (component technology), they belong to
different operating system design paradigms and represent markedly
different kernel sizes.
While employing different mechanisms, both Pebble and Go! are
dynamically adaptable systems and have both attempted to
implement minimal systems.

Pebble, on the one hand, takes a well-known and well-tested

paradigm a step further, with fewer risks. Go! is more adventurous
and drastic in its approach. Although the Go! design is appealing in its
simplicity, its protection model is difficult to prove correct.

I expect future component-based systems will take dynamic

extensibility, minimalism, safety, and simplicity to even greater
extremes.

Glossary

ACL - Acronym for Access Control List. A database that lists the valid
users of the system and the level of access they have been granted.

Adaptability - Ability to adapt to change say through graceful

degradation, rather than abruptly crashing.

Address space - The range of memory locations that available to a

computer program.

Admission testing - A mechanism employed in RTOS's where the

scheduler checks whether there is still sufficient resource available to
run a task. It starts executing the task only if there are enough to run
it to completion without missing its deadline.

Application-level - A privilege level for applications that run in user

space, which usually restrict them from dealing directly with the
hardware or encroaching into another application's address space.

COM - Acronym for Component Object Model. A standard developed

by Microsoft Corporation that enables conforming objects to
communicate with each other even if the objects have been created
using different programming languages.

Configurability - The ability to configure an operating system (at

compile, link, or distribution time) to take on different personalities

CORBA - Acronym for Common Object Request Brokerage

Architecture. A middleware standard that enables objects to
communicate with each other in a way that is platform- and
programming language-independent.

Distributed operating system - A common operating system

shared by a network of computers. It will typically provides support
for IPC, process migration, mutual exclusion, and the prevention or
detection of deadlock.

Dynamism - The capability to change the implementation of

components without shutting them down. Also known as 'hot-
swapping'.

Extensibility - Ability to extend the kernel with custom services (or

new abstractions) not built into it out-of-the-box.

Extension code - Code that is loaded into the kernel in an extensible

operating system.

Flexibility - This refers to the ability of a single operating system to

present different views of itself to concurrently executing
applications, and change the operating system's behavior
dynamically.

Garbage-collection - A process by which a program goes through

memory, decides which information stored there is no longer needed,
and frees the memory address they occupy for reuse.
GPL - Acronym for General Public License. An open-source software
license developed by the Free Software Foundation (FSF) that grants
licensees the right to copy, examine, and modify the source code as
long as subsequent distributions extend the same privileges to new
recipients.

Hardware Protection - Hardware mechanisms which ensure that

task cannot access each other's address spaces.

IA32 - The instruction set for Intel Corporation's 32-bit

microprocessors.

Interface - A specification of the set of services that a component

can provide.

Interrupt - A signal to the microprocessor indicating that an event

has occurred that it needs to attend to. When an interrupt is being
occurs, processing is suspended in a way that it can be resumed.

Interrupt handler - A routine, usually part of the operating system,

that executes when an interrupt occurs.

Java bytecode - A compiled Java code with extension .class that can
be executed by the Java interpreter, the JVM.

JavaBeans - A component architecture for Java programs that

enables Java programmers to package Java programs in a container
for increased interoperability with other objects and improved
security.

JVM - Acronym for Java Virtual Machine. A Java interpreter and

runtime environment for Java applications.

Kernel - The crux of an operating system. It is the most heavily used

part of the operating system. The kernel is often permanently
maintained in main memory. The kernel is often the only part of a
system that runs with full access privileges to the underlying
hardware. Core operating system abstractions such as memory
management, IPC, interrupt handling, scheduling, etc. are often
implemented in the kernel, especially in monolithic kernels.

MIPS-based processors - Processors based on 32- and 64-bit RISC

(reduced instruction-set computing) microprocessor designs from
MIPS Technologies, Inc., which does not manufacture processors.
Instead, thet license several vendors to produce MIPS-based
processors.

Mode switching - A hardware operation that occurs that causes the

processor to execute in a different mode (kernel mode or user mode).
When the mode switches from process to kernel, the contents of the
program counter, processor status word, and other registers are
saved. When the mode switches from kernel to process, this
information is restored.

Monolithic kernel - A large kernel containing virtually the whole

operating system.

Multithreading - Ability to have several sequences of control within

a single process. A multithreaded process is capable of several
independent actions at the same time. When multiple processors are
available, those concurrent but independent actions can take place in
parallel.

Nucleus - A small kernel.

Open-source Design - Making source code available for use or

modification as users or other developers see fit, provided the
modified source is also made available. Open source software is
usually developed as a public collaboration and made freely available.
ORB - Acronym for Object Request Broker. A “object bus” connecting
different components by forwarding operation invocations from client
to server components. While doing this, it transparently handles
name resolution, type checking, component instantiation and
destruction, etc.

Paging - Transfer of pages between main memory and secondary

memory.

Privilege levels (PL) - A set of levels that characterizes instructions

and processes in such a way that processes can execute only those
instructions they are authorized to. Privilege Level 0 means that the
program can execute all CPU instructions. This the PL the kernel has.
Other programs have higher PLs. The lower the PL is, the more the
program is allowed to do. Programs are only allowed to call functions
which have the same or lower PL.

Privileged mode - The processor execution mode in which the

kernel runs and privileged instructions (such as altering a control
register) can be executed. Also called the kernel mode.

Process - A program in execution.

Processor mode - Any of a set of execution modes in which the

processor runs. Each mode has a set of instructions that it is allowed
to execute.

Protection domain - A program's execution environment that is

usually protected by hardware protection mechanisms.

Reflection - Ability to discover information at runtime.

RTOS - Acronym for real-time operating system. An operating

system that guarantees a certain capability within a specified time
constraint.
Sand-boxing - A scheme for ensuring safety in an (say in an
extensible operating system) by limiting the range of address the
code can reference, so that it does not get to cause unexpected
harm.

Scheduler - An operating system component that selects tasks or

jobs that are to be executed.

Segmentation - The division of a program or application into

segments as part of a virtual memory scheme.

Semaphores - An integer value used for signaling among processes.

Only three operations may be performed on a semaphore, all of
which are atomic: initialize, decrement, and increment.

Synchronization - Situation in which two or more processes

coordinate their activities based on a condition.

Thread - A sequence of control within a process.

User mode - The processor execution mode in which privileged

instructions (such as altering a control register) cannot be executed.

User space - The range of memory addresses that non-kernel

programs are allowed to use in conventional operating systems.

Virtual memory - Hard disk space that is used as an extension for

the RAM.

References

1
Back, G., P. Tullmann, L. Stoller, W. C. Hsieh, and J. Lepreau,
"Java Operating Systems: Design and Implementation,"
Technical Report UUCS-98-015, University of Utah, August
1998.
2
Bershad, B. N., S. Savage, P. Pardyak, E. G. Sirer, M. E.
Fiuczynski, D. Becker, C. Chambers, and S. Eggers.
Extensibility, safety and performance in the SPIN operating
system. In Proceedings of the Fifteenth ACM Symposium on
Operating System Principles, pages 267-284, Copper Mountain,
CO, Dec. 1995.
3
Box, D. Essential COM. Addison-Wesley, 1998.
4
Clarke, M., Coulson, G. "An Architecture for Dynamically
Extensible Operating Systems." In Proceedings of the 4th
International Conference on Configurable Distributed Systems
(ICCDS'98), Annapolis MD, USA, May 1998.
5
De Assumpção Jr., J.M. and S.T. Kufuji. Bootstrapping the
Object-Oriented Operating System Merlin: Just Add reflection.
Technical report, Laboratorio de Sistemas Integraveis,
University of São Paulo, Brazil, 1994
6
Engler, D. R., M. F. Kaashoek, and J. OÕToole. Exokernel: An
Operating System Architecture for Application-Level Resource
Management. In Proceedings of the Fifteenth ACM Symposium
on Operating System Principles, pages 251-266, Copper
Mountain, CO, Dec. 1995.
7
Gabber, Eran, Christopher Small, John Bruno, Jose Brustoloni,
and Avi Silberschatz. The Pebble component-based operating
system. In Proceedings of the 1999 USENIX Technical
Conference, pages 267-282, Monterey, CA, USA, June 1999.
8
Ghormley, D. et al. SLIC: An Extensibility System for
Commodity Operating Systems. In Proceedings of the Unsenix
 Annual Technology Confference, Usenix, Berkeley, CA, 1998,
pp. 39-48.
9
Go! Home Page. http://goos.sourceforge.net/home.php (23
July, 2002).
10
Heiser, G., K Elphinstone, J. Vochteloo, S. Russell, "The Mungi
Single-Address-Space Operating System," Software: Practice &
Experience, 18(9), 25 July 1998.
11
Helander, J and A. Foring. MMLite: A Highly Componentized
System Architecture. In Proceedings of the Eighth ACM SIGOPS
European Workshop, pp. 6-17, ACM Press, New York, 1998.
12
Law, G. and J. McCann, 26 bit Selections on IA32. In EWOOOS
at ECOOP 2000.
13
Law, G. and J. McCann, A New Protection Model for Component-
Based Operating Systems. In Proceedings of the IEEE
Conference on Computing and Communications, Phoenix, AZ,
USA, February 2000.
14
Law, G. and J. McCann, Decomposition of Preemptive
Scheduling in the Go! Component-Based Operating System. In
ACM SIGOPS European Workshop, 2000.
15
Messer, A. and T. Wilkinson, Components for Operating System
Design, In Proceedings of the International Workshop on Object
Orientation in Operating Systems (IWOOOSÕ96), Seattle, WA,
USA, October 1996. IEEE.
16
Mitchell, J. G., J. J. Gibbons, G. Hamilton, P. B. Kessler, Y. A.
Khalidi, P. Kougiouris, P. W. Madany, M.N. Nelson, M. L. Powell,
 and S. R. Radia, "An Overview of the Spring System", In
Proceedings of COMPCON, February 1994.
17
OMG. CORBA/IIOP 2.2 Specification.
http://www.omg.org/corba/corbiiop.htm
18
Pebble Home Page. http://www.bell-
labs.com/project/pebble/ (23 July, 2002).
19
Probert, D., J. L. Bruno, M. Karaorman, "SPACE: A New
Approach to Operating System Abstraction," In Proceedings of
the International Workshop on Object-Orientation in Operating
Systems (IWOOS), pp. 133- 137 (1991).
ftp://ftp.cs.ucsb.edu/pub/papers/space/iwoos91.ps.gz.
20
Rozier, M., A. Abrassimov, F. Armand, I. Boule, M. Gien, M.
Guillemont, F. Hermann, C. Kaiser, S. Langlois, P. Leonard, W.
Neuhauser. CHORUS distributed operating system. In
Computing Systems, pp. 305-370, Vol. 1-4, 1988.
21
Schubert, F.: A Reflective Architecture for an Adaptable Object-
Oriented Operating System Based on C++. ECOOP Workshops
1997, pp. 515-522.
22
Seltzer, M., Endo, Y., Small, C., Smith, K., "An Introduction to
the Architecture of the VINO Kernel". Harvard University
Computer Science Technical Report 34-94, 1994.
23
Seltzer, M., Y. Endo, C. Small, and K. Smith, Dealing with
Disaster: Surviving Misbehaved Kernel Extensions. In
Proceedings of the 2nd OSDI Conference, pp. 213-227 (1996).
24
 Small, C. and M. Seltzer, "A Comparison of OS Extension
Technologies," In Proceedings of the 1996 USENIX Technical
Conference, San Diego, CA, Jan. 1996, pp. 41Ñ54.
25
Stallings, W. Operating Systems: Internals and Design
Principles. 4th Ed. Prentice-Hall. 2001.
26
Stankovic, J. A. VEST: A Toolset of Constructing and Analyzing
Component Based Operating Systems for Embedded and Real-
Time Systems. University of Virginia Technical Report, July
2000.
27
Wilkinson, T. and K. Murray. "Extensible, Flexible and Secure
services in Angel, a single address space-operating system." In
International Conference on Algorithms and Architectures for
Parallel Processing (ICA3PP), pages 755-758, Brisbane,
Australia, April 1995. IEEE.
28
Yokote, Y. The Apertos Reflective Operating System: The
Concept and its Implementation. OOPSLA 1992, pp. 414-434

Biography

Raimi Rufai (rrufai@acm.org) is a Research Assistant at King Fahd

University of Petroleum & Minerals (KFUPM) in Dhahran, Saudi
Arabia. He holds a Bachelors Degree in Computer Science from
University of Ilorin, Nigeria. He is currently pursuing his MS degree in
Computer Science at KFUPM. His interests are in Software Reuse,
Software Metrics, Design Patterns, and Operating Systems.

The author wishes to thank King Fahd University of Petroleum &

Minerals for their support in the studies that produced this work. He
would also want to thank all those who have helped review this
article.