Implementing Multiple Protection Domains in Java

Safe language technology can be used for protection within a single address space. This protection is enforced by the language's type system, which ensures that references to objects cannot be forged. A safe language alone, however, lacks many features taken for granted in more traditional operating systems, such as rights revocation, thread protection, resource management, and support for domain termination. This paper describes the J-Kernel, a portable Java-based protection system that addresses these issues. J-Kernel protection domains can communicate through revocable capabilities, but are prevented from directly sharing unrevocable object references. A number of micro-benchmarks are presented to characterize the costs of language-based protection, and an extensible web server based on the J-Kernel demonstrates the use of safe language techniques in a large application.
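The following is an added illustration of the two properties the abstract attributes to J-Kernel capabilities: a domain holds only a proxy that the grantor can revoke, and ordinary object references are not allowed to pass between domains. It is not the J-Kernel's own code; the `Counter` service, the `Capability` wrapper built on `java.lang.reflect.Proxy`, and the crossing policy in `checkCrossing` (values and other capabilities may cross, anything else is rejected) are assumptions made for this example, since the page does not state how the J-Kernel handles non-capability arguments.

```java
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Proxy;

// Hypothetical service that one protection domain exports to another.
interface Counter {
    int increment(int by);
    String label();
}

final class CounterImpl implements Counter {
    private int value;
    public int increment(int by) { value += by; return value; }
    public String label() { return "counter@" + value; }
}

// Revocable capability: the client domain only ever sees the proxy; the grantor
// keeps the real reference and can cut the link at any time.
final class Capability<T> {
    private final T proxy;
    private volatile T target; // null once revoked

    Capability(Class<T> iface, T target) {
        this.target = target;
        this.proxy = iface.cast(Proxy.newProxyInstance(
                iface.getClassLoader(), new Class<?>[] {iface}, (p, method, args) -> {
                    T t = this.target;
                    if (t == null) {
                        throw new IllegalStateException("capability revoked: " + method.getName());
                    }
                    // Arguments cross from client to server: enforce the policy.
                    if (args != null) {
                        for (Object a : args) checkCrossing(a);
                    }
                    try {
                        Object result = method.invoke(t, args);
                        // Return values cross from server to client: same policy.
                        checkCrossing(result);
                        return result;
                    } catch (InvocationTargetException e) {
                        throw e.getCause(); // surface the service's own exception
                    }
                }));
    }

    T handle() { return proxy; }
    void revoke() { target = null; }

    // Assumed policy for this example: only values (null, String, boxed primitives)
    // or other capabilities (proxies) may cross a domain boundary. Any other object
    // reference would be an unrevocable link between the two domains.
    static void checkCrossing(Object o) {
        if (o == null || o instanceof String || o instanceof Number
                || o instanceof Boolean || o instanceof Character
                || Proxy.isProxyClass(o.getClass())) {
            return;
        }
        throw new SecurityException(
                "direct object reference may not cross domains: " + o.getClass().getName());
    }
}

public class RevocableCapabilityDemo {
    public static void main(String[] args) {
        Capability<Counter> cap = new Capability<>(Counter.class, new CounterImpl());
        Counter remote = cap.handle();           // what the client domain receives
        System.out.println(remote.increment(5)); // 5
        System.out.println(remote.label());      // counter@5
        cap.revoke();                            // grantor withdraws the right
        try {
            remote.increment(1);
        } catch (IllegalStateException e) {
            System.out.println("after revoke: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac RevocableCapabilityDemo.java && java RevocableCapabilityDemo`. The point to notice is that revocation works because the client never obtained a reference to `CounterImpl`; if `checkCrossing` let a plain object through, the receiving domain would keep a reference the grantor could never take back, which is exactly the sharing the abstract says J-Kernel domains are prevented from doing.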
