Nested Java Processes: OS Structure for Mobile Code

Patrick Tullmann & Jay Lepreau

September 10, 1998

Flux ProjectUniversity of UtahUniversity of Utah

http://www.cs.utah.edu/projects/flux/

September 10, 1998

Eighth ACM SIGOPS Workshop

2

Problem

Safe languages are a popular base for mobile

code• Language features support mobile code• Rudimentary language support for multiple entities:

“agents”, “applets”, etc.

Weaknesses of such systems• Separation of entities in the system• Protection of one entity from another• Resource management

September 10, 1998

Eighth ACM SIGOPS Workshop

3

Use OS Abstractions

Operating systems have the answer• Manage shared resources among competing,

mutually untrusting applications• Coherent, tested abstractions

Specifically, the Fluke OS [Ford et al., 1996]• Hierarchy — nested process model• Microkernel structure

Alta implements nested process model in a JVM• Utilizes the type-safety of Java in place of an MMU• Adapts the model to encompass Java-isms

September 10, 1998

Eighth ACM SIGOPS Workshop

4

Ex: Network Administration

AT&T

MCI

Victim

Attacker

September 10, 1998

Eighth ACM SIGOPS Workshop

5

A Current Approach

MCI’s Denial of Service Tracker (DoSTrack)• DoSTrack walks “upstream” following the trail to the

attacker

Shortcomings of DoSTrack• Only works in the MCI administrative domain• Requires a Cisco router and Perl5

September 10, 1998

Eighth ACM SIGOPS Workshop

6

Packet Forwarding

MCI Other

AT & T

A Mobile Code Approach

1. Install extensible system on each router• Safe language system

2. Add infrastructure to separate tasks• Who & what is executing

3. Add support for hierarchical resource controls

September 10, 1998

Eighth ACM SIGOPS Workshop

7

Nested Process ModelAlta Virtual Machine

Root TaskUntrusted Container Trusted Container

Admin ComponentAdmin Component

Hierarchical• Environment of process controlled by parents• Parent can manage all, few, or no resources of child• Any process can create sub-processes

September 10, 1998

Eighth ACM SIGOPS Workshop

8

Hardware vs. Software

Similarities to hardware implementation (Fluke)• Core objects (Space, Thread, Port, Port Set, etc.)• IPC Implementation• Kernel structure

Differences• Memory management• Java Class objects• Inter-process sharing

September 10, 1998

Eighth ACM SIGOPS Workshop

9

Parent

Child BChild A Child C

Alta uses opaque allocation limits

Parent

Child BChild A Child C

4M 4M 4M16M

Memory Management

Fluke exposes address-based page mapping

September 10, 1998

Eighth ACM SIGOPS Workshop

10

Java Class Loading

Java code is encapsulated in class files

Alta allows parent to control child’s class

namespace• Control is more flexible than ClassLoader• Each process’s class space is separate

Analogous to page faults in Fluke

September 10, 1998

Eighth ACM SIGOPS Workshop

11

Inter-Process Sharing

Parent allocates -> Child references• Harmless. If parent dies then child

dies• Useful. Standard server behavior

Child allocates -> Parent references• Harmless. If child dies parent already

“owns” object • Useful. Child can pass IPC arguments

Sibling allocates -> Sibling references• Parent trades communication costs for

separation

September 10, 1998

Eighth ACM SIGOPS Workshop

12

Limitations & Weaknesses

Garbage collection• A “system service” in Alta• How to account for GC CPU cycles?• How to account for shared objects?

“Lightweight” boundaries in language-based

systems?• Safety requires barriers between processes• Type-safe, fine-grained sharing mitigates

September 10, 1998

Eighth ACM SIGOPS Workshop

13

Alta Status

Runs existing JDK 1.0 applications• Without AWT• In user mode

Controls resources• Memory, file, network and GC access control

Controls namespace of a child process

Safe inter-process sharing

September 10, 1998

Eighth ACM SIGOPS Workshop

14

Related Work

Other Java-based operating systems• J-Kernel [Hawblitzel et al., 1998] • Conversant [Bernadat et al., 1998]

Hardware-based mobile code systems• Lava [Jaeger et al., 1998]

OS pieces in Java• Capabilities [Hagimont et al., 1997]• Stack Introspection [Wallach et al., 1997]

Non-Java systems: Pilot, Oberon

September 10, 1998

Eighth ACM SIGOPS Workshop

15

Conclusion

Language-based systems need OS abstractions• Application separation• Resource accounting and management

Operating systems provide appropriate models• Comprehensive, coherent solutions• Models are largely independent of protection

mechanism

Alta’s nested Java processes provide• Hierarchical resource management• Safe, fine-grained sharing

End of SIGOPS Presentation

September 10, 1998

Eighth ACM SIGOPS Workshop

17

Future Plans

Migrate to JDK 1.1• Kaffe already supports 1.1• Reflection API

CPU Inheritance Scheduling• Implemented in a different JVM now

Flask security framework integration

Release the software

Port to the OSKit

September 10, 1998

Eighth ACM SIGOPS Workshop

18

Sun's Java-based approaches:

Multiple JVMs• Misses out on safe sharing• Duplicate overhead of starting new JVM

Sun's sandbox [Gong 1997]• Identity is tied to code.

Sun's JavaOS [Sun Microsystems 1997]• Targeted at trusted environments, separate JVMs

September 10, 1998

Eighth ACM SIGOPS Workshop

19

Java-based Operating Systems:

Cornell's JKernel [Hawblitzel 1998]• Clean termination and separation

OpenGroup's Conversant [Bernadat 1998]• Memory page separation, per-process GC.

September 10, 1998

Eighth ACM SIGOPS Workshop

20

Related Research in Java:Balfanz and Gong: Multi-processing in JDK.

[Balfanz 1998]• Explore security in multi-process JVM.

Capabilities [Hagimont 1997]• Use capabilities to control resource access in Java.

Stack introspection [Wallach 1997]• Mechanism to enforce security

September 10, 1998

Eighth ACM SIGOPS Workshop

21

Related Research in Non-Java Software Systems:

Oberon [Wirth 1992]• Not designed for multi-user environment

Juice [Franz 1997]• Provides better verification than Java for Oberon

Cedar/Mesa/Pilot [Swinehart 1986, Lampson

1980, Redell 1980]• Original software-based OS. Not designed for • multiple, mutually untrusting applications.

September 10, 1998

Eighth ACM SIGOPS Workshop

22

Related Work in Hardware-based Systems:

"Java Playground" & "Cage" [AT&T, Digitivity]• Runs untrusted code on untrusted hosts

Lava [Jaeger 1998]• L4-based system, uses JVM and L4-process per-

application.

September 10, 1998

Eighth ACM SIGOPS Workshop

23

Kernel Protection

Stack Space• Fluke uses separate kernel stack• Alta checks stack space at syscall entry

Memory• Fluke allocates in kernel heap• Alta makes allocations outside of kernel

Interruption• Fluke threads can become uninterruptible in kernel• Alta threads postpone interruption while in kernel

September 10, 1998

Eighth ACM SIGOPS Workshop

24

Why OS Process?

Historical unit of resource accounting and control• Traditionally supported by hardware MMU

Task separation and more• Encompasses user + code (who + what)• Resource limits• Access control• Handle on application instance

More than ThreadGroup or Applet or ClassLoader

September 10, 1998

Eighth ACM SIGOPS Workshop

25

Alta

Nested Process Model (NPM) in Java• Borrowed model from existing microkernel: Fluke• Hierarchical processes• Services outside of the “kernel”

Implementation:• Enhance JVM to provide CPU and memory control• Modify Java libraries to use NPM capabilities• Built on Kaffe and Kore