Termination in language-based systems

Language run-time systems are increasingly being embedded in systems to support run-time extensibility via mobile code. Such systems raise a number of concerns when the code running in such systems is potentially buggy or untrusted. Although sophisticated access controls have been designed for mobile code and are shipping as part of commercial systems such as Java, there is no support for terminating mobile code short of terminating the entire language run-time. This article presents a concept called "soft termination" that can be applied to virtually any mobile code system. Soft termination allows mobile code threads to be safely terminated while preserving the stability of the language run-time. In addition, function bodies can be permanently disabled, thwarting attacks predicated on system threads eventually calling untrusted functions. Soft termination guarantees termination by breaking any potential infinite loops in mobile code. We present a formal design for soft termination and an implementation of it for Java, built using Java bytecode rewriting, which demonstrates reasonable performance (3 to 25% slowdowns on benchmarks).
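The following Java sketch is an added illustration, not code or an API from the paper, of the two mechanisms the abstract names: a per-thread termination flag that untrusted code polls so that a runaway loop can be broken without killing the run-time, and a set of permanently disabled function bodies so that a system thread calling into untrusted code later fails fast instead of executing it. The class names (`SoftTermination`, `SoftTerminated`, `Untrusted`), the `check()`/`enter()` calls and their placement at method entries and loop back-edges are assumptions about what the rewriting has to produce; the paper inserts the equivalent checks by bytecode rewriting rather than by hand.

```java
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicBoolean;

/** Demo driver (first class in the file so `java Demo.java` runs it). */
public class Demo {
    public static void main(String[] args) throws InterruptedException {
        // A mobile-code thread stuck in an infinite loop.
        Thread worker = new Thread(() -> {
            try {
                Untrusted.spin();
            } catch (SoftTerminated e) {
                System.out.println("worker stopped: " + e.getMessage());
            }
        });
        SoftTermination.register(worker);
        worker.start();
        Thread.sleep(100);                       // let it spin for a while
        SoftTermination.terminate(worker);       // set the flag; the loop's own check unwinds it
        worker.join(1000);
        System.out.println("worker alive after soft termination: " + worker.isAlive());

        // Permanently disable a function body: a later call from a trusted thread
        // never executes the untrusted code.
        SoftTermination.disable("Untrusted.callback");
        try {
            Untrusted.callback();
        } catch (SoftTerminated e) {
            System.out.println("call refused: " + e.getMessage());
        }
    }
}

/** Unchecked exception used to unwind a soft-terminated thread (assumed, not the paper's). */
final class SoftTerminated extends RuntimeException {
    SoftTerminated(String msg) { super(msg); }
}

/** Assumed run-time support that the rewritten code calls into. */
final class SoftTermination {
    // One termination flag per registered mobile-code thread (assumption).
    private static final ConcurrentHashMap<Thread, AtomicBoolean> flags = new ConcurrentHashMap<>();
    // Names of function bodies that have been permanently disabled.
    private static final Set<String> disabled = ConcurrentHashMap.newKeySet();

    static void register(Thread t) { flags.put(t, new AtomicBoolean(false)); }

    static void terminate(Thread t) {
        AtomicBoolean f = flags.get(t);
        if (f != null) f.set(true);
    }

    static void disable(String fn) { disabled.add(fn); }

    // Check assumed to be inserted at every loop back-edge: a volatile read, so the
    // JIT cannot hoist it out of the loop, and the loop cannot run forever once flagged.
    static void check() {
        AtomicBoolean f = flags.get(Thread.currentThread());
        if (f != null && f.get()) throw new SoftTerminated("thread soft-terminated");
    }

    // Check assumed to be inserted at every untrusted method entry.
    static void enter(String fn) {
        if (disabled.contains(fn)) throw new SoftTerminated("function " + fn + " is disabled");
        check();
    }
}

/** Untrusted mobile code, shown as it would look after the assumed rewriting. */
final class Untrusted {
    static long spin() {
        SoftTermination.enter("Untrusted.spin");
        long n = 0;
        while (true) {                 // would never exit without the inserted check
            SoftTermination.check();   // back-edge check
            n++;
        }
    }

    static String callback() {
        SoftTermination.enter("Untrusted.callback");
        return "callback ran";
    }
}
```

Run with `java Demo.java` (Java 11 or later). Two points the sketch makes concrete: the flag is only ever read by the thread being terminated, so the run-time's own invariants are not disturbed the way an asynchronous stop would disturb them, and a disabled body is refused at entry, so a system thread that later calls into it is protected regardless of which thread originally ran the code.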
