Peter Chubb

User-level device drivers: Achieved performance

Running device drivers as unprivileged user-level code, encapsulated into their own process, has often been proposed as a technique for increasing system robustness. However, in the past, systems based on user-level drivers have generally exhibited poor I/O performance. Consequently, user-level device drivers have never caught on to any significant degree. In this paper we demonstrate that it is possible to build systems which employ user-level device drivers, without significant performance degradation, even for high-bandwidth devices such as Gigabit Ethernet.

Pre-virtualization: Soft layering for virtual machines

Despite its current popularity, para-virtualization has an enormous cost. Its deviation from the platform architecture abandons many of the benefits of traditional virtualization: stable and well-defined platform interfaces, hypervisor neutrality, operating system neutrality, and upgrade neutrality - in sum, modularity. Additionally, para-virtualization has a significant engineering cost. These limitations are accepted as inevitable for significantly better performance, and for the ability to provide virtualization-like behavior on non-virtualizable hardware such as times86. Virtualization and its modularity solve many systems problems, and when combined with the performance of para-virtualization become even more compelling. We show how to achieve both together. We still modify the guest operating system, but according to a set of design principles that avoids lock-in, which we call soft layering. Additionally, our approach is highly automated and thus reduces the implementation and maintenance burden of paravirtualization, which is especially useful for enabling obsoleted operating systems. We demonstrate soft layering on times86 and itanium: we can load a single Linux binary on a variety of hypervisors (and thus substitute virtual machine environments and their enhancements), while achieving essentially the same performance as para-virtualization with less effort.

Cogent: Verifying High-Assurance File System Implementations

We present an approach to writing and formally verifying high-assurance file-system code in a restricted language called Cogent, supported by a certifying compiler that produces C code, high-level specification of Cogent, and translation correctness proofs. The language is strongly typed and guarantees absence of a number of common file system implementation errors. We show how verification effort is drastically reduced for proving higher-level properties of the file system implementation by reasoning about the generated formal specification rather than its low-level C code. We use the framework to write two Linux file systems, and compare their performance with their native C implementations.

Automatic verification of active device drivers

We develop a practical solution to the problem of automatic verification of the interface between device drivers and the operating system. Our solution relies on a combination of improved driver architecture and verification tools. Unlike previous proposals for verification-friendly drivers, our methodology supports drivers written in C and can be implemented in any existing OS. Our Linuxbased evaluation shows that this methodology amplifies the power of existing model checking tools in detecting driver bugs, making it possible to verify properties that are beyond the reach of traditional techniques.