Download presentation
Presentation is loading. Please wait.
Published byBrook Sutton Modified over 9 years ago
1
Nested Java Processes: OS Structure for Mobile Code Patrick Tullmann & Jay Lepreau September 10, 1998 Flux Project University of Utah http://www.cs.utah.edu/projects/flux/
2
September 10, 1998Eighth ACM SIGOPS Workshop2 Problem Safe languages are a popular base for mobile code Language features support mobile code Rudimentary language support for multiple entities: “agents”, “applets”, etc. Weaknesses of such systems Separation of entities in the system Protection of one entity from another Resource management
3
September 10, 1998Eighth ACM SIGOPS Workshop3 Use OS Abstractions Operating systems have the answer Manage shared resources among competing, mutually untrusting applications Coherent, tested abstractions Specifically, the Fluke OS [Ford et al., 1996] Hierarchy — nested process model Microkernel structure Alta implements nested process model in a JVM Utilizes the type-safety of Java in place of an MMU Adapts the model to encompass Java-isms
4
September 10, 1998Eighth ACM SIGOPS Workshop4 Ex: Network Administration AT&T MCI Victim Attacker
5
September 10, 1998Eighth ACM SIGOPS Workshop5 A Current Approach MCI’s Denial of Service Tracker (DoSTrack) DoSTrack walks “upstream” following the trail to the attacker Shortcomings of DoSTrack Only works in the MCI administrative domain Requires a Cisco router and Perl5
6
September 10, 1998Eighth ACM SIGOPS Workshop6 Packet Forwarding MCIOther AT & T A Mobile Code Approach 1. Install extensible system on each router Safe language system 2. Add infrastructure to separate tasks Who & what is executing 3. Add support for hierarchical resource controls
7
September 10, 1998Eighth ACM SIGOPS Workshop7 Nested Process Model Alta Virtual Machine Root Task Untrusted ContainerTrusted Container Admin Component Hierarchical Environment of process controlled by parents Parent can manage all, few, or no resources of child Any process can create sub-processes
8
September 10, 1998Eighth ACM SIGOPS Workshop8 Hardware vs. Software Similarities to hardware implementation (Fluke) Core objects (Space, Thread, Port, Port Set, etc.) IPC Implementation Kernel structure Differences Memory management Java Class objects Inter-process sharing
9
September 10, 1998Eighth ACM SIGOPS Workshop9 Parent Child BChild AChild C Alta uses opaque allocation limits Parent Child BChild AChild C 4M 16M Memory Management Fluke exposes address-based page mapping
10
September 10, 1998Eighth ACM SIGOPS Workshop10 Java Class Loading Java code is encapsulated in class files Alta allows parent to control child’s class namespace Control is more flexible than ClassLoader Each process’s class space is separate Analogous to page faults in Fluke
11
September 10, 1998Eighth ACM SIGOPS Workshop11 Inter-Process Sharing Parent allocates -> Child references Harmless. If parent dies then child dies Useful. Standard server behavior Child allocates -> Parent references Harmless. If child dies parent already “owns” object Useful. Child can pass IPC arguments Sibling allocates -> Sibling references Parent trades communication costs for separation
12
September 10, 1998Eighth ACM SIGOPS Workshop12 Limitations & Weaknesses Garbage collection A “system service” in Alta How to account for GC CPU cycles? How to account for shared objects? “Lightweight” boundaries in language-based systems? Safety requires barriers between processes Type-safe, fine-grained sharing mitigates
13
September 10, 1998Eighth ACM SIGOPS Workshop13 Alta Status Runs existing JDK 1.0 applications Without AWT In user mode Controls resources Memory, file, network and GC access control Controls namespace of a child process Safe inter-process sharing
14
September 10, 1998Eighth ACM SIGOPS Workshop14 Related Work Other Java-based operating systems J-Kernel [Hawblitzel et al., 1998] Conversant [Bernadat et al., 1998] Hardware-based mobile code systems Lava [Jaeger et al., 1998] OS pieces in Java Capabilities [Hagimont et al., 1997] Stack Introspection [Wallach et al., 1997] Non-Java systems: Pilot, Oberon
15
September 10, 1998Eighth ACM SIGOPS Workshop15 Conclusion Language-based systems need OS abstractions Application separation Resource accounting and management Operating systems provide appropriate models Comprehensive, coherent solutions Models are largely independent of protection mechanism Alta’s nested Java processes provide Hierarchical resource management Safe, fine-grained sharing
16
End of SIGOPS Presentation
17
September 10, 1998Eighth ACM SIGOPS Workshop17 Future Plans Migrate to JDK 1.1 Kaffe already supports 1.1 Reflection API CPU Inheritance Scheduling Implemented in a different JVM now Flask security framework integration Release the software Port to the OSKit
18
September 10, 1998Eighth ACM SIGOPS Workshop18 Sun's Java-based approaches: Multiple JVMs Misses out on safe sharing Duplicate overhead of starting new JVM Sun's sandbox [Gong 1997] Identity is tied to code. Sun's JavaOS [Sun Microsystems 1997] Targeted at trusted environments, separate JVMs
19
September 10, 1998Eighth ACM SIGOPS Workshop19 Java-based Operating Systems: Cornell's JKernel [Hawblitzel 1998] Clean termination and separation OpenGroup's Conversant [Bernadat 1998] Memory page separation, per-process GC.
20
September 10, 1998Eighth ACM SIGOPS Workshop20 Related Research in Java: Balfanz and Gong: Multi-processing in JDK. [Balfanz 1998] Explore security in multi-process JVM. Capabilities [Hagimont 1997] Use capabilities to control resource access in Java. Stack introspection [Wallach 1997] Mechanism to enforce security
21
September 10, 1998Eighth ACM SIGOPS Workshop21 Related Research in Non-Java Software Systems: Oberon [Wirth 1992] Not designed for multi-user environment Juice [Franz 1997] Provides better verification than Java for Oberon Cedar/Mesa/Pilot [Swinehart 1986, Lampson 1980, Redell 1980] Original software-based OS. Not designed for multiple, mutually untrusting applications.
22
September 10, 1998Eighth ACM SIGOPS Workshop22 Related Work in Hardware- based Systems: "Java Playground" & "Cage" [AT&T, Digitivity] Runs untrusted code on untrusted hosts Lava [Jaeger 1998] L4-based system, uses JVM and L4-process per- application.
23
September 10, 1998Eighth ACM SIGOPS Workshop23 Kernel Protection Stack Space Fluke uses separate kernel stack Alta checks stack space at syscall entry Memory Fluke allocates in kernel heap Alta makes allocations outside of kernel Interruption Fluke threads can become uninterruptible in kernel Alta threads postpone interruption while in kernel
24
September 10, 1998Eighth ACM SIGOPS Workshop24 Why OS Process? Historical unit of resource accounting and control Traditionally supported by hardware MMU Task separation and more Encompasses user + code (who + what) Resource limits Access control Handle on application instance More than ThreadGroup or Applet or ClassLoader
25
September 10, 1998Eighth ACM SIGOPS Workshop25 Alta Nested Process Model (NPM) in Java Borrowed model from existing microkernel: Fluke Hierarchical processes Services outside of the “kernel” Implementation: Enhance JVM to provide CPU and memory control Modify Java libraries to use NPM capabilities Built on Kaffe and Kore
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.