This is the landing page for operating systems research at Stanford. This page gives an overview of the faculty and students in the Computer Science Department who currently conduct research and teach in operating systems and distributed systems.
Fixpoint is a "deterministic operating system" that roughly follows the
design of the SICP "Interpreter with Lazy Evaluation". The data model is
similar to a Git repository, one that can also represent computational
relations between content-addressed objects: e.g., "blob x is
the output of computation y given tree z as input."
The intention is to support a range of applications, including pre-existing
posix programs, and for the OS to provide “determinism-safety”: program
execution is referentially transparent, and irreproducibility is considered
an OS bug, even across different computers. We envision cloud-computing
providers offering "computation as a service": the customer provides a
description of a computation, and the provider returns the answer for a fee,
perhaps backed by an insurance policy that guarantees correctness.
We describe a system for serverless computing where users, programs, and the underlying platform share a common representation of a computation: a deterministic procedure, run in an environment of well-specified data or the outputs of other computations. This representation externalizes I/O: data movement over the network is performed exclusively by the platform. Applications can describe the precise data needed at each stage, helping the provider schedule tasks and network transfers to reduce starvation. The design suggests an end-to-end argument for outsourced computing, shifting the service model from "pay-for-effort" to "pay-for-results."
Contact: Yuhan Deng, Akshay Srivatsan, Keith Winstein
This paper presents continuation-centric computing, an operating system design paradigm for "serverless"-style workloads: short-lived tasks that spend a substantial fraction of time waiting on dependencies and other services. Under this paradigm, a running function can capture its current continuation—a lightweight snapshot of its state—as a distinct function that can be paused, migrated, or copied as needed. With this ability, functions can expose finer-grained dependency information to providers, enabling more accurate resource allocation and scheduling. This paper evaluates continuation-centric computing using Arca, a new isolation primitive. Arcae are broadly similar to processes in guarantees and isolation, but provide efficient capture and resumption of serializable, portable continuations. As a result, Arcae can serve an order of magnitude more requests per second than current process-based techniques, and perform comparably to in-process isolation techniques.
Contact: Akshay Srivatsan, Yuhan Deng, Katherine Mohr, Keith Winstein
LFI is a system for sandboxing native code. Like WebAssembly and Native Client, LFI isolates sandboxed code in-process (i.e., in the same address space as a host application). At present, we support Arm64 and x86-64 targets, and have experimental RISC-V support.
LFI is designed from the ground up to sandbox existing code, such as C/C++ libraries (including assembly code) and device drivers.
LFI aims for the following goals:
Non-goals include a stable binary format and platform independence. We will use whatever architecture-specific hardware features and compiler techniques we can to improve performance.
LFI currently imposes around 7% (Arm64) or 8% (x86-64) overhead compared to native code when sandboxing reads and writes, and 1.5% (Arm64) or 6% (x86-64) overhead when only sandboxing writes (geomean on SPEC 2017). LFI context switches (i.e. between sandbox and host application) take only 10s of cycles, and LFI can support thousands of sandboxes in a single address space: ~64K (Arm64) or ~3K (x86-64), with each sandbox given up to 4GiB of memory.
Contact: Zachary Yedidia
Most modern OS distributions have evolved a distinction between package maintainers (with knowledge and computing resources needed to modify software) and users (who interact solely with a precompiled binary). This strict dichotomy makes little sense today, as the popularity of programming education indicates people are acquiring the skills necessary to understand and control software running on their computers. We created a new Debian variant designed around the assumption that casual users (with casual hardware and a second-year undergraduate programming skills) should be able to easily fiddle with (study, modify, and debug) the software on their machine. The distribution augments binary packages with additional information so they can be modified by the user via a software patching tool that allows fast, painless edit-rebuild-rerun cycles. Our tool also allows directly mixing Python code into C and C++ source files, letting users work in a language they might be more familiar with. This system also makes large systems more understandable via tooling for simple, sharable visualizations of system state.
Contact: Matthew Sotoudeh
Literate tracing is a software documentation style that emphasizes interactive visualizations of concrete program traces. Our new tool, TReX, makes writing literate traces easier.
Contact: Matthew Sotoudeh
This project seeks to develop a new, unconventional, introduction to computer science and electrical engineering that emphasizes hands-on interactivity with the real world. We are developing a live structural editor for WebAssembly, a language with minimal syntax and semantics. The editor will provide immediate feedback, both for errors ad execution. Students will use this editor to write programs which process input from the real world—for example, from a toy xylophone.
Course Description: Experimental introduction to computer science and electrical engineering. Students will learn to create interactive programs that understand sounds made by real-world musical instruments and the big ideas behind some of the core discoveries, surprises, and impossibilities at the core of CS and EE.
Contact: Keith Winstein
Differentiated Access Memories (DAM) is a seven-year project at Stanford University, started in 2024, to research the next generation of computer systems that will include and support heterogeneous memories. The project focuses on the fact that memory is evolving from a uniform address space of random access memory to a heterogeneous collection of different memories, optimized for different uses. These Differentiated Access Memory (DAM) systems will require us to revisit and re-examine computing at all levels, from the design of new memory technologies to high-level algorithms, including:
The challenge: old transport protocols (like TCP) benefit from performance-enhancing proxies (PEPs) that transparently split TCP connections in the network. But these proxies have prevented TCP from adding new features. To prevent this, new transport protocols (like QUIC) are fully encrypted—no proxy can transparently meddle with them. This guarantees evolvability at the cost of performance.
Gina"s paper shows a way to get the best of both worlds:
Contact: Gina Yuan, Keith Winstein
In the 1990s, many networks deployed performance-enhancing proxies (PEPs) that transparently split TCP connections to aid performance, especially over lossy, long-delay paths. Two recent developments have cast doubt on their relevance: the BBR congestion-control algorithm, which de-emphasizes loss as a congestion signal, and the QUIC transport protocol, which prevents transparent connection-splitting yet empirically matches or exceeds TCP's performance in wide deployment, using the same congestion control. In light of this, are PEPs obsolete? This paper presents a range of emulation measurements indicating: "probably not." While BBR’s original 2016 version didn't benefit markedly from connection-splitting, more recent versions of BBR do and, in some cases, even more so than earlier "loss-based" congestion-control algorithms.
Contact: Gina Yuan, Thea Rossman, Keith Winstein