Nested Java Processes: OS Structure for Mobile Code. Patrick Tullmann & Jay Lepreau, Flux Project, University of Utah, September 10, 1998.

Slide 2 (September 10, 1998, Eighth ACM SIGOPS Workshop): Problem
- Safe languages are a popular base for mobile code
  - Language features support mobile code
  - Rudimentary language support for multiple entities: "agents", "applets", etc.
- Weaknesses of such systems
  - Separation of entities in the system
  - Protection of one entity from another
  - Resource management

Slide 3: Use OS Abstractions
- Operating systems have the answer
  - Manage shared resources among competing, mutually untrusting applications
  - Coherent, tested abstractions
- Specifically, the Fluke OS [Ford et al., 1996]
  - Hierarchy: nested process model
  - Microkernel structure
- Alta implements the nested process model in a JVM
  - Utilizes the type-safety of Java in place of an MMU
  - Adapts the model to encompass Java-isms

Slide 4: Example: Network Administration (diagram: the AT&T and MCI networks, with a Victim and an Attacker)

Slide 5: A Current Approach
- MCI's Denial of Service Tracker (DoSTrack)
  - DoSTrack walks "upstream", following the trail to the attacker
- Shortcomings of DoSTrack
  - Only works in the MCI administrative domain
  - Requires a Cisco router and Perl5

Slide 6: A Mobile Code Approach (diagram: packet forwarding across the MCI, AT&T and other domains)
1. Install an extensible system on each router
   - Safe language system
2. Add infrastructure to separate tasks
   - Who & what is executing
3. Add support for hierarchical resource controls

Slide 7: Nested Process Model (diagram: Alta Virtual Machine containing a Root Task, an Untrusted Container, a Trusted Container and an Admin Component)
- Hierarchical
  - Environment of a process is controlled by its parents
  - Parent can manage all, few, or no resources of a child
  - Any process can create sub-processes

Slide 8: Hardware vs. Software
- Similarities to the hardware implementation (Fluke)
  - Core objects (Space, Thread, Port, Port Set, etc.)
  - IPC implementation
  - Kernel structure
- Differences
  - Memory management
  - Java Class objects
  - Inter-process sharing

Slide 9: Memory Management
- Fluke exposes address-based page mapping (diagram: Parent with Child A, Child B, Child C)
- Alta uses opaque allocation limits (diagram: Parent with Child A, Child B, Child C, holding limits such as 4M and 16M)

Slide 10: Java Class Loading
- Java code is encapsulated in class files
- Alta allows a parent to control its child's class namespace
  - Control is more flexible than ClassLoader
  - Each process's class space is separate
- Analogous to page faults in Fluke

Slide 11: Inter-Process Sharing
- Parent allocates -> Child references
  - Harmless: if the parent dies, the child dies
  - Useful: standard server behavior
- Child allocates -> Parent references
  - Harmless: if the child dies, the parent already "owns" the object
  - Useful: child can pass IPC arguments
- Sibling allocates -> Sibling references
  - Parent trades communication costs for separation
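As an added illustration of slides 9 and 11 (constructed for this page, not Alta's own code), a small Java model of opaque, hierarchical allocation limits: a parent grants each child a byte budget, every allocation is charged up the ancestor chain, and a dying child's memory is reclaimed by its ancestors while objects the parent allocated stay charged to the parent. The class name, method names and the 32M/20M budgets of the outer processes are assumptions; the 4M and 16M child limits come from the slide.

```java
import java.util.ArrayList;
import java.util.List;
// Constructed model (not Alta's code) of opaque, hierarchical allocation limits:
// a child sees only its own byte budget, never an address map, and every
// allocation is charged to the allocator and to each of its ancestors.
public final class NestedProcess {
    private final NestedProcess parent;
    private final long limit;          // budget granted by the parent, in bytes
    private long used;                 // bytes charged to this process and its subtree
    private final List<NestedProcess> children = new ArrayList<>();
    private boolean alive = true;
    public NestedProcess(NestedProcess parent, long limit) {
        this.parent = parent;
        this.limit = limit;
        if (parent != null) parent.children.add(this);
    }
    // Succeeds only if this process and every ancestor have room: a parent may
    // overcommit its children's budgets, but the root's limit still bounds the tree.
    public boolean allocate(long bytes) {
        if (!alive) throw new IllegalStateException("process is dead");
        for (NestedProcess p = this; p != null; p = p.parent)
            if (p.used + bytes > p.limit) return false;
        for (NestedProcess p = this; p != null; p = p.parent) p.used += bytes;
        return true;
    }
    // Kills the subtree first, then returns this process's own allocations to every
    // ancestor; objects the parent allocated were never charged here, so the parent keeps them.
    public void kill() {
        for (NestedProcess c : children) if (c.alive) c.kill();
        for (NestedProcess p = parent; p != null; p = p.parent) p.used -= used;
        used = 0;
        alive = false;
    }
    public long usedBytes() { return used; }
    public static void main(String[] args) {
        NestedProcess root = new NestedProcess(null, 32L << 20);     // assumed root budget
        NestedProcess parent = new NestedProcess(root, 20L << 20);   // assumed parent budget
        NestedProcess childA = new NestedProcess(parent, 4L << 20);  // the slide's 4M child
        NestedProcess childB = new NestedProcess(parent, 16L << 20); // the slide's 16M child
        System.out.println(childA.allocate(3L << 20));   // fits within childA's 4M budget
        System.out.println(childA.allocate(2L << 20));   // would push childA to 5M, past its budget
        System.out.println(childB.allocate(16L << 20));  // exactly childB's 16M budget
        System.out.println(parent.usedBytes() >> 20);    // parent's charge covers both children
        childB.kill();
        System.out.println(parent.usedBytes() >> 20);    // childB's 16M reclaimed from parent and root
    }
}
```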

Slide 12: Limitations & Weaknesses
- Garbage collection
  - A "system service" in Alta
  - How to account for GC CPU cycles?
  - How to account for shared objects?
- "Lightweight" boundaries in language-based systems?
  - Safety requires barriers between processes
  - Type-safe, fine-grained sharing mitigates

Slide 13: Alta Status
- Runs existing JDK 1.0 applications
  - Without AWT
  - In user mode
- Controls resources
  - Memory, file, network and GC access control
- Controls the namespace of a child process
- Safe inter-process sharing

Slide 14: Related Work
- Other Java-based operating systems
  - J-Kernel [Hawblitzel et al., 1998]
  - Conversant [Bernadat et al., 1998]
- Hardware-based mobile code systems
  - Lava [Jaeger et al., 1998]
- OS pieces in Java
  - Capabilities [Hagimont et al., 1997]
  - Stack Introspection [Wallach et al., 1997]
- Non-Java systems: Pilot, Oberon

Slide 15: Conclusion
- Language-based systems need OS abstractions
  - Application separation
  - Resource accounting and management
- Operating systems provide appropriate models
  - Comprehensive, coherent solutions
  - Models are largely independent of the protection mechanism
- Alta's nested Java processes provide
  - Hierarchical resource management
  - Safe, fine-grained sharing

Slide 16: End of SIGOPS Presentation

Slide 17: Future Plans
- Migrate to JDK 1.1
  - Kaffe already supports 1.1
  - Reflection API
- CPU Inheritance Scheduling
  - Implemented in a different JVM now
- Flask security framework integration
- Release the software
  - Port to the OSKit

Slide 18: Sun's Java-based approaches
- Multiple JVMs
  - Misses out on safe sharing
  - Duplicates the overhead of starting a new JVM
- Sun's sandbox [Gong 1997]
  - Identity is tied to code
- Sun's JavaOS [Sun Microsystems 1997]
  - Targeted at trusted environments, separate JVMs

Slide 19: Java-based Operating Systems
- Cornell's JKernel [Hawblitzel 1998]
  - Clean termination and separation
- OpenGroup's Conversant [Bernadat 1998]
  - Memory page separation, per-process GC

Slide 20: Related Research in Java
- Balfanz and Gong: Multi-processing in JDK [Balfanz 1998]
  - Explores security in a multi-process JVM
- Capabilities [Hagimont 1997]
  - Use capabilities to control resource access in Java
- Stack introspection [Wallach 1997]
  - Mechanism to enforce security

Slide 21: Related Research in Non-Java Software Systems
- Oberon [Wirth 1992]
  - Not designed for a multi-user environment
- Juice [Franz 1997]
  - Provides better verification than Java for Oberon
- Cedar/Mesa/Pilot [Swinehart 1986, Lampson 1980, Redell 1980]
  - Original software-based OS; not designed for multiple, mutually untrusting applications

Slide 22: Related Work in Hardware-based Systems
- "Java Playground" & "Cage" [AT&T, Digitivity]
  - Runs untrusted code on untrusted hosts
- Lava [Jaeger 1998]
  - L4-based system; uses a JVM and an L4 process per application

Slide 23: Kernel Protection
- Stack space
  - Fluke uses a separate kernel stack
  - Alta checks stack space at syscall entry
- Memory
  - Fluke allocates in the kernel heap
  - Alta makes allocations outside of the kernel
- Interruption
  - Fluke threads can become uninterruptible in the kernel
  - Alta threads postpone interruption while in the kernel

Slide 24: Why OS Process?
- Historical unit of resource accounting and control
  - Traditionally supported by the hardware MMU
- Task separation and more
  - Encompasses user + code (who + what)
  - Resource limits
  - Access control
- Handle on an application instance
  - More than ThreadGroup or Applet or ClassLoader

Slide 25: Alta: Nested Process Model (NPM) in Java
- Borrowed model from an existing microkernel: Fluke
  - Hierarchical processes
  - Services outside of the "kernel"
- Implementation
  - Enhance the JVM to provide CPU and memory control
  - Modify the Java libraries to use NPM capabilities
  - Built on Kaffe and Kore