Processes in KaffeOS: isolation, resource management, and sharing in Java

Single-language runtime systems, in the form of Java virtual machines, are widely deployed platforms for executing untrusted mobile code. These runtimes provide some of the features that operating systems provide: inter-application memory protection and basic system services. They do not, however, provide the ability to isolate applications from each other, or limit their resource consumption. This paper describes KaffeOS, a Java runtime system that provides these features. The KaffeOS architecture takes many lessons from operating system design, such as the use of a user/kernel boundary, and employs garbage collection techniques, such as write barriers. The KaffeOS architecture supports the OS abstraction of a process in a Java virtual machine. Each process executes as if it were run in its own virtual machine, including separate garbage collection of its own heap. The difficulty in designing KaffeOS lay in balancing the goals of isolation and resource management against the goal of allowing direct sharing of objects. Overall, KaffeOS is no more than 11% slower than the freely available JVM on which it is based, which is an acceptable penalty for the safety that it provides. Because of its implementation base, KaffeOS is substantially slower than commercial JVMs for trusted code, but it clearly outperforms those JVMs in the presence of denial-of-service attacks or misbehaving code.
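The two mechanisms the abstract names, per-process heaps guarded by a write barrier and per-process resource limits, can be sketched in a few lines of C. This is an added illustration, not KaffeOS or Kaffe source: the heap kinds, the `kos_store_ref`/`kos_alloc` names and the exact reference policy (a user heap may point to itself, the kernel heap or a shared heap, but never to another process's heap, and kernel/shared objects never point into a user heap) are simplifying assumptions.

```c
/* Added illustration (not KaffeOS source): a write barrier that enforces
 * per-process heap isolation while still allowing sharing through a shared
 * heap, plus a per-process allocation limit. Names and policy are assumed. */
#include <stddef.h>
#include <stdlib.h>

enum heap_kind { HEAP_KERNEL, HEAP_SHARED, HEAP_USER };

struct heap {
    enum heap_kind kind;
    int owner;         /* process id for HEAP_USER, -1 otherwise */
    size_t limit;      /* bytes this heap may hold (the process's budget) */
    size_t used;
};

struct obj {
    struct heap *heap; /* heap the object was allocated in */
    struct obj *ref;   /* the single reference field the barrier guards */
};

/* Store src->ref = dst only if the reference does not cross an isolation
 * boundary. Returns 1 if the store happened, 0 if the barrier rejected it. */
int kos_store_ref(struct obj *src, struct obj *dst)
{
    if (dst != NULL) {
        struct heap *from = src->heap, *to = dst->heap;
        /* A user heap may point to itself, the kernel heap, or a shared heap,
         * but never directly into another process's heap. */
        if (from->kind == HEAP_USER && to->kind == HEAP_USER && to->owner != from->owner)
            return 0;
        /* Kernel and shared heaps must not point into a user heap; otherwise a
         * process's objects could be reached, or kept alive, after it is killed. */
        if (from->kind != HEAP_USER && to->kind == HEAP_USER)
            return 0;
    }
    src->ref = dst;
    return 1;
}

/* Allocate in a heap, charging its budget; NULL once the limit is reached,
 * so a runaway process exhausts only its own heap, not the whole VM. */
struct obj *kos_alloc(struct heap *h)
{
    if (h->used + sizeof(struct obj) > h->limit)
        return NULL;
    struct obj *o = malloc(sizeof *o);
    if (o == NULL) return NULL;
    h->used += sizeof(struct obj);
    o->heap = h; o->ref = NULL;
    return o;
}
```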
