In the past decade, mobile phones have emerged as a dominant computing platform for end users. These very personal computers depend heavily on graphical user interfaces, always-on connectivity, and long battery life, yet in essence run operating systems originally designed for workstations (Mac OS X/Mach) or time-sharing systems (Linux/Unix).
Historically, operating systems have had poor energy management and accounting. This is not surprising, as their APIs standardized before energy was an issue. For example, the first commodity laptop with performance similar to a desktop, the Compaq SLT/286 [Com 1988], was released just one year before the C API POSIX standard. The resulting energy management limitations of POSIX have prompted a large body of research, ranging from CPU scheduling to accounting to offloading networking. Despite this work, current systems still provide little, if any, application control or feedback: users have some simple high-level sliders or toggles.
This limited control and visibility of energy is especially problematic for mobile phones, where energy and power define system lifetime. In the past decade, phones have evolved from low-function proprietary applications to robust multiprogrammed systems with applications from thousands of sources.
Apple announced that as of April 2010 their App Store houses 185,000 apps for the iPhone with more than 4 billion application downloads. This shift away from single-vendor software to complex application platforms means that the phone’s software must provide effective mechanisms to manage and control energy as a resource. Such control will be even more important as the danger grows from buggy or poorly designed applications to potentially malicious ones.
In the past year, mobile phone operating systems began providing better support for understanding system energy use. Android, for example, added a UI that estimates application energy consumption with system call and event instrumentation, such as processor scheduling and packet counts. This is a step forward, helping users understand the mysteries of mobile device lifetime.
However, while Android provides improved visibility into system power use, it does not provide control. Outside of manually configuring applications and periodically checking battery use, today’s systems cannot do something as simple as controlling email polling to ensure a full day of device use.
This paper presents Cinder, a new operating system designed for mobile phones and other energy-constrained computing devices. Cinder extends the HiStar secure kernel to provide new abstractions for controlling and accounting for energy: reserves and taps.
Reserves are a mechanism for resource delegation, providing fine-grained accounting and acting as an allotment from which applications draw resources. Where reserves describe a quantity of a resource, taps place rate limits on resources flowing between reserves. By connecting reserves to one another, taps allow resources to flow to applications. Taps and reserves compose together to allow applications to express their intentions, enabling policy enforcement by the operating system.
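The following toy model is an added example, not code from the paper or from Cinder's kernel. It shows a battery reserve feeding two application reserves through rate-limited taps, so that a greedy mail poller is held to its tap rate while a second application's allotment is untouched. The class names, the 60-second step and all energy figures are assumptions constructed for illustration.

```python
class Reserve:
    """A quantity of a resource (here millijoules) that a principal may spend."""
    def __init__(self, name, level_mj=0):
        self.name, self.level_mj, self.consumed_mj = name, level_mj, 0

    def consume(self, cost_mj):
        """Charge an operation to this reserve; refuse it if the reserve cannot pay."""
        if cost_mj > self.level_mj:
            return False
        self.level_mj -= cost_mj
        self.consumed_mj += cost_mj
        return True


class Tap:
    """Rate-limited flow between two reserves; rate_mw is mJ per second (mW)."""
    def __init__(self, src, dst, rate_mw):
        self.src, self.dst, self.rate_mw = src, dst, rate_mw

    def flow(self, seconds):
        # Never move more than the source reserve actually holds.
        amount = min(self.rate_mw * seconds, self.src.level_mj)
        self.src.level_mj -= amount
        self.dst.level_mj += amount
        return amount


def simulate(hours=24, step_s=60):
    # All figures below are constructed for illustration, not measured values.
    battery = Reserve("battery", 15_000_000)
    mail = Reserve("mail-poller")
    browser = Reserve("browser")
    taps = [Tap(battery, mail, 10), Tap(battery, browser, 100)]
    poll_cost_mj, attempts, ok = 5_000, 0, 0
    for _ in range(hours * 3600 // step_s):
        for tap in taps:
            tap.flow(step_s)
        attempts += 1                  # the greedy poller tries every step
        if mail.consume(poll_cost_mj):
            ok += 1                    # allowed only when its reserve can pay
    return {"attempts": attempts, "polls": ok, "mail_left": mail.level_mj,
            "browser": browser.level_mj, "battery": battery.level_mj}


if __name__ == "__main__":
    print(simulate())
```

The poller attempts a poll every minute, but the number that succeed is bounded by its tap rate rather than by its own behaviour, and the energy it spends is accounted to its reserve alone.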
Cinder estimates energy consumption using standard device-level accounting and modeling. HiStar’s explicit information flow control allows Cinder to track which parties are responsible for resource use, even across interprocess communication calls serviced in other address spaces.
Without needing any additional state or support code, Cinder can accurately amortize costs across principals, such as the energy cost of turning on the radio to multiple applications that simultaneously need Internet access.
While Cinder runs on a variety of hardware platforms (AMD64, i386, ARM), the most notable is the HTC Dream, a.k.a. the Android G1. To the best of our knowledge, other than extensions to Linux, Cinder is the first research operating system that runs on a mobile phone. The reason for such a first is simple: the closed nature of phone platforms makes porting an operating system exceedingly difficult.
In addition to the two new low-level abstractions in the Cinder operating system – reserves and taps for storing and distributing energy for application use – we identify three key properties of control – isolation, delegation, and subdivision – and show how using these abstractions can achieve them. We also show how the architecture of the HiStar information-flow control kernel lends itself well to energy control.
We believe that the reserve and tap abstractions may be fruitfully applied to other resource allocation problems beyond energy consumption. For instance, the high cost of mobile data plans makes network bits a precious resource.
Applications should not be able to run up a user’s bill due to expensive data tariffs, just as they should not be able to run down the battery unexpectedly. Since data plans are frequently offered in terms of megabyte quotas, Cinder’s mechanisms could be repurposed to limit application network access by replacing the logical battery with a pool of network bytes. Similarly, reserves could also be used to enforce SMS text message quotas.
Using the HTC Dream’s limited battery level information, Cinder could adapt its energy model based on past component and application usage, dynamically refining its costs. Though Cinder can facilitate this, and we have made some adjustments to test this, evaluating the complex and dynamic system this would yield will require additional research.
To read this external content in full download the complete paper from the open online archives at the Massachusetts Institute of Technology.