Garbage collector memory accounting in language-based systems

Language run-time systems are often called upon to safely execute mutually distrustful tasks within the same run-time, protecting them from other tasks' bugs or otherwise hostile behavior Well-studied access controls exist in systems such as Java to prevent unauthorized reading or writing of data, but techniques to measure and control resource usage are less prevalent. In particular, most language run-time systems include no facility to account for and regulate heap memory usage on a per-task basis. This oversight can be exploited by a misbehaving task, which might allocate and hold live enough memory to cause a denial-of-service attack, crashing or slowing down other tasks. In addition, tasks can legitimately share references to the same objects, and traditional approaches that charge memory to its allocator fail to properly account for this sharing. We present a method for modifying the garbage collector, already present in most modern language run-time systems, to measure the amount of live memory reachable from each task as it performs its regular duties. Our system naturally distinguishes memory shared across tasks from memory reachable from only a single task without requiring incompatible changes to the semantics of the programming language. Our prototype implementation imposes negligible performance overheads in a variety of benchmarks, yet provides enough information for the expression of rich policies to express the limits on a task's memory usage.

[1]  David J. DeWitt,et al.  The oo7 Benchmark , 1993, SIGMOD Conference.

[2]  Wilson C. Hsieh,et al.  Drawing the red line in Java , 1999, Proceedings of the Seventh Workshop on Hot Topics in Operating Systems.

[3]  Walter Binder Design and implementation of the J-SEAL2 mobile agent kernel , 2001, Proceedings 2001 Symposium on Applications and the Internet.

[4]  Li Gong,et al.  Inside Java 2 Platform Security: Architecture, API Design, and Implementation , 1999 .

[5]  C. Hawblitzel,et al.  Luna: a flexible Java protection system , 2002, OSDI '02.

[6]  Martin Wirsing,et al.  Formal Syntax and Semantics of Java , 1999 .

[7]  Peter J. Denning,et al.  Internet Besieged: Countering Cyberspace Scofflaws , 1997 .

[8]  Bowen Alpern,et al.  Defining Liveness , 1984, Inf. Process. Lett..

[9]  C. S. Wallace,et al.  A Password-Capability System , 1986, Comput. J..

[10]  Paul R. Wilson,et al.  Uniprocessor Garbage Collection Techniques , 1992, IWMM.

[11]  Stephen J. Fink,et al.  The Jalapeño virtual machine , 2000, IBM Syst. J..

[12]  Richard J. Beach,et al.  A structural view of the Cedar programming environment , 1986, TOPL.

[13]  Yogen K. Dalal,et al.  Pilot: an operating system for a personal computer , 1980, CACM.

[14]  Úlfar Erlingsson,et al.  SASI enforcement of security policies: a retrospective , 1999, Proceedings DARPA Information Survivability Conference and Exposition. DISCEX'00.

[15]  Adele Goldberg,et al.  SmallTalk 80: The Language , 1989 .

[16]  Jim Alves-Foss,et al.  Formal Syntax and Semantics of Java , 2002, Lecture Notes in Computer Science.

[17]  Vipin Chaudhary,et al.  History-based access control for mobile code , 1998, CCS '98.

[18]  David M. Ungar,et al.  Generation Scavenging: A non-disruptive high performance storage reclamation algorithm , 1984, SDE 1.

[19]  Niklaus Wirth,et al.  Project Oberon - the design of an operating system and compiler , 1992 .

[20]  Andrew W. Appel,et al.  SAFKASI: a security mechanism for language-based systems , 2000, TSEM.

[21]  Alessandro Coglio,et al.  Type safety in the jvm: some problems in jdk 1 , 2000 .

[22]  Wilson C. Hsieh,et al.  Processes in KaffeOS: isolation, resource management, and sharing in java , 2000, OSDI.

[23]  Deyu Hu,et al.  Implementing Multiple Protection Domains in Java , 1998, USENIX Annual Technical Conference.

[24]  Insik Shin,et al.  Mobile code security by Java bytecode instrumentation , 2001, Proceedings DARPA Information Survivability Conference and Exposition II. DISCEX'01.

[25]  Emin Gün Sirer,et al.  Design and implementation of a distributed virtual machine for networked computers , 2000, OPSR.

[26]  Gernot Heiser,et al.  The Mungi Single-Address-Space Operating System , 1994, Softw. Pract. Exp..

[27]  Alessandro Coglio,et al.  Type safety in the JVM: some problems in Java 2 SDK 1.2 and proposed solutions , 2001, Concurr. Comput. Pract. Exp..

[28]  Paul A. Karger,et al.  Improving security and performance for capability systems , 1988 .

[29]  Sophia Drossopoulou,et al.  What is Java binary compatibility? , 1998, OOPSLA '98.

[30]  Carl A. Gunter,et al.  PLAN: a packet language for active networks , 1998, ICFP '98.

[31]  Matthew Flatt,et al.  Reachability-Based Memory Accounting , 2002 .

[32]  John McCarthy,et al.  History of LISP , 1978, SIGP.

[33]  Sophia Drossopoulou,et al.  Java is Type Safe - Probably , 1997, ECOOP.

[34]  James Cheney,et al.  Region-based memory management in cyclone , 2002, PLDI '02.

[35]  Hank Bromley Lisp Lore: A Guide to Programming the Lisp Machine , 1986, Springer US.

[36]  Leendert van Doorn,et al.  A Secure Java Virtual Machine , 2000, USENIX Security Symposium.

[37]  Martín Abadi,et al.  A type system for Java bytecode subroutines , 1999, TOPL.

[38]  David Ungar Generation scavenging: a nondisruptive high performance storage reclamation algorithm , 1984 .

[39]  Mirza Beg,et al.  A Memory Accounting Interface for The Java Programming Language , 2001 .

[40]  Gary McGraw,et al.  Securing Java: getting down to business with mobile code , 1999 .

[41]  Michael K. Reiter,et al.  Secure execution of Java applets using a remote playground , 1998, Proceedings. 1998 IEEE Symposium on Security and Privacy (Cat. No.98CB36186).

[42]  Leendert van Doorn,et al.  A secure java TM virtual machine , 2000 .

[43]  Elisa Bertino,et al.  Mark-and-Sweep Garbage Collection in Multilevel Secure Object-Oriented Database Systems , 1994, ESORICS.

[44]  Frank Yellin,et al.  The Java Virtual Machine Specification , 1996 .

[45]  John McCarthy,et al.  Recursive functions of symbolic expressions and their computation by machine, Part I , 1960, Commun. ACM.

[46]  David J. DeWitt,et al.  The 007 Benchmark , 1993, SIGMOD '93.

[47]  Drew Dean,et al.  The security of static typing with dynamic linking , 1997, CCS '97.

[48]  Hans-Juergen Boehm,et al.  Garbage collection in an uncooperative environment , 1988, Softw. Pract. Exp..

[49]  Thorsten von Eicken,et al.  JRes: a resource accounting interface for Java , 1998, OOPSLA '98.

[50]  Dan S. Wallach,et al.  Java security: Web browsers and beyond , 1997 .

[51]  Franco Travostino,et al.  Towards a Resource-safe Java for Service Guarantees in Uncooperative Environments , 1998 .

[52]  Dan S. Wallach,et al.  Termination in language-based systems , 2002, TSEC.

[53]  Guy L. Steele,et al.  The Java Language Specification , 1996 .

[54]  Matthias Felleisen,et al.  Programming languages as operating systems (or revenge of the son of the lisp machine) , 1999, ICFP '99.

[55]  Paul H. J. Kelly,et al.  Design and Implementation of an Object-Oriented 64-bit Single Address Space Microkernel , 1993, USENIX Microkernels and Other Kernel Architectures Symposium.

[56]  Peter Druschel,et al.  Resource containers: a new facility for resource management in server systems , 1999, OSDI '99.

[57]  C. J. Ci-Ieney A Nonrecursive List Compacting Algorithm , 1970 .

[58]  Elisa Bertino,et al.  Collecting garbage in multilevel secure object stores , 1994, Proceedings of 1994 IEEE Computer Society Symposium on Research in Security and Privacy.