
VINO

The VINO kernel [85, , ] is designed as a platform for database management systems. From the outset, VINO was designed to let applications specify the policies the kernel uses to manage resources. A further goal is to make kernel primitives accessible at user level. For example, the synchronization functions the kernel uses might be useful to applications as well.

Applications establish a resource management policy by inserting a graft into the VINO kernel. Grafts are written in C or C++. The compiler inserts range check instructions for all memory accesses, similar to segment matching in Wahbe et al. [102], and ensures that no privileged instructions, such as the disabling of interrupts, are issued. The generated code is then marked with an encrypted fingerprint (signature) that is verified by the kernel during code insertion.

Since grafts are used to implement policies, access to kernel functions and data, for example locks, is a must. To prevent a graft from holding a lock indefinitely, transaction techniques are used. If a graft has to be aborted because of an error or because it ran too long, its actions can be undone and locks held by the graft can be released.
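
The range check and the abort path described in the two paragraphs above, as a simplified C model added here (it is not VINO code). The names `struct txn`, `checked_store`, `txn_abort` and `run_demo_graft`, the 256-byte segments and the simulated `mem` array are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define SEG_SHIFT 8                 /* 256-byte segments (constructed value) */
#define MAX_UNDO  16

static uint8_t mem[1024];           /* simulated address space, segments 0..3 */

struct txn {                        /* hypothetical per-graft transaction */
    uint32_t seg_id;                /* the only segment the graft may write */
    int     *lock;                  /* lock held by the graft, or NULL */
    struct { uint32_t addr; uint8_t old; } undo[MAX_UNDO];
    size_t   n;
    int      aborted;
};

/* Roll back logged stores newest-first, then release the held lock. */
static void txn_abort(struct txn *t) {
    while (t->n > 0) {
        t->n--;
        mem[t->undo[t->n].addr] = t->undo[t->n].old;
    }
    if (t->lock) { *t->lock = 0; t->lock = NULL; }
    t->aborted = 1;
}

/* Stand-in for the check placed before a store: compare the address's
 * segment bits with the graft's segment; a mismatch aborts the graft. */
static int checked_store(struct txn *t, uint32_t addr, uint8_t val) {
    if (t->aborted) return -1;
    if ((addr >> SEG_SHIFT) != t->seg_id || t->n == MAX_UNDO) {
        txn_abort(t);
        return -1;
    }
    t->undo[t->n].addr = addr;      /* log the old value before overwriting */
    t->undo[t->n].old  = mem[addr];
    t->n++;
    mem[addr] = val;
    return 0;
}

/* Constructed graft: takes a lock, writes in segment 2, then strays into 0. */
static int run_demo_graft(int *lock) {
    struct txn t = { .seg_id = 2, .lock = lock };
    *lock = 1;
    checked_store(&t, 0x200, 0xAA);
    checked_store(&t, 0x201, 0xBB);
    return checked_store(&t, 0x010, 0xFF);
}

int main(void) { int lock = 0; return run_demo_graft(&lock) == -1 ? 0 : 1; }
```

In this model the out-of-segment store is the error that triggers the abort; a timeout would call the same `txn_abort` path.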

As in SPIN, some trust is placed in the compiler. To avoid requiring a type-safe language, software-based fault isolation is used to protect against illegal memory accesses.



Rolf Riesen
Wed Jan 22 22:24:20 MST 1997