This paper describes the exported procedure call, a mechanism that pushes computation out of the operating system kernel and into user space. It supports a simple, secure model for system extensions. An exported procedure call incurs overhead crossing of the user-kernel boundary, but once in user space, it has greater security and usability and is significantly simpler than an equivalent kernel operation. This paper demonstrates the capabilities of the exported procedure call by discussing two implementations. One is the Modify-on-access (Mona) file system and the other is the Magi device interface. Mona and Magi use the exported procedure call in order to safely execute untrusted or complex system extensions. This paper shows that in situations where raw kernel performance is not paramount, the exported procedure call is desirable. Copyright © 2001 John Wiley & Sons, Ltd.