Nested Java Processes: OS Structure for Mobile Code
Patrick Tullmann & Jay Lepreau
September 10, 1998
Flux Project, University of Utah
http://www.cs.utah.edu/projects/flux/
September 10, 1998
Eighth ACM SIGOPS Workshop
2
Problem
Safe languages are a popular base for mobile code
• Language features support mobile code
• Rudimentary language support for multiple entities: “agents”, “applets”, etc.
Weaknesses of such systems
• Separation of entities in the system
• Protection of one entity from another
• Resource management
Use OS Abstractions
Operating systems have the answer
• Manage shared resources among competing, mutually untrusting applications
• Coherent, tested abstractions
Specifically, the Fluke OS [Ford et al., 1996]
• Hierarchy — nested process model
• Microkernel structure
Alta implements the nested process model in a JVM
• Utilizes the type-safety of Java in place of an MMU
• Adapts the model to encompass Java-isms
Ex: Network Administration
[Figure: an Attacker and a Victim located across the AT&T and MCI networks]
A Current Approach
MCI’s Denial of Service Tracker (DoSTrack)
• DoSTrack walks “upstream” following the trail to the attacker
Shortcomings of DoSTrack
• Only works in the MCI administrative domain
• Requires a Cisco router and Perl5
A Mobile Code Approach
[Figure: packet forwarding across the MCI, AT&T and other networks]
1. Install extensible system on each router
• Safe language system
2. Add infrastructure to separate tasks
• Who & what is executing
3. Add support for hierarchical resource controls
Nested Process Model
[Figure: Alta Virtual Machine containing a Root Task, which holds an Untrusted Container and a Trusted Container, each with its own Admin Component]
Hierarchical
• Environment of process controlled by parents
• Parent can manage all, few, or no resources of child
• Any process can create sub-processes
Hardware vs. Software
Similarities to hardware implementation (Fluke)
• Core objects (Space, Thread, Port, Port Set, etc.)
• IPC implementation
• Kernel structure
Differences
• Memory management
• Java Class objects
• Inter-process sharing
Memory Management
Fluke exposes address-based page mapping
[Figure: Parent with Child A, Child B and Child C sharing an address-based mapping]
Alta uses opaque allocation limits
[Figure: Parent limited to 16M with Child A, Child B and Child C each limited to 4M]
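Added example (not Alta’s or Fluke’s code; the class NestedProcess and its method names are hypothetical) modelling the opaque allocation limits of this slide together with the hierarchy of the nested process model slide: a parent hands each child only a byte cap, every allocation is charged up the ancestor chain, and killing a parent kills its subtree and returns the bytes.

```java
import java.util.ArrayList;
import java.util.List;

/** Hypothetical model (added here, not Alta's code) of opaque hierarchical allocation limits.
 *  A parent sees only a byte count per child, never addresses. An allocation is charged to the
 *  allocating process and to every ancestor, and refused if it would push any of them past its
 *  limit. Killing a process kills its subtree and returns the subtree's bytes to the ancestors. */
public final class NestedProcess {
    private final NestedProcess parent;
    private final long limit;       // cap on own + descendant usage, chosen by the parent
    private long used;              // bytes currently charged to this process
    private boolean alive = true;
    private final List<NestedProcess> children = new ArrayList<>();

    public NestedProcess(NestedProcess parent, long limit) {
        this.parent = parent;
        this.limit = limit;
        if (parent != null) parent.children.add(this);
    }
    /** Any process can create sub-processes; the child's cap is opaque, no page mapping exposed. */
    public NestedProcess spawn(long childLimit) { return new NestedProcess(this, childLimit); }
    /** Check the whole ancestor chain before charging anyone, so a refusal leaves no partial charge. */
    public boolean allocate(long bytes) {
        if (!alive || bytes < 0) return false;
        for (NestedProcess p = this; p != null; p = p.parent)
            if (p.used + bytes > p.limit) return false;
        for (NestedProcess p = this; p != null; p = p.parent) p.used += bytes;
        return true;
    }
    /** Parent dies => children die; released bytes flow back to every surviving ancestor. */
    public void kill() {
        if (!alive) return;
        for (NestedProcess c : children) c.kill();      // each child hands back its own charge first
        for (NestedProcess p = parent; p != null; p = p.parent) p.used -= used;
        used = 0;
        alive = false;
    }
    public long used() { return used; }
    public boolean isAlive() { return alive; }
    public static void main(String[] args) {
        long mb = 1L << 20;
        NestedProcess root = new NestedProcess(null, 16 * mb);        // the 16M parent in the figure
        NestedProcess a = root.spawn(4 * mb), b = root.spawn(4 * mb);  // two of the 4M children
        System.out.println("A takes 3M: " + a.allocate(3 * mb) + ", A asks 2M more: " + a.allocate(2 * mb));
        System.out.println("B takes 4M: " + b.allocate(4 * mb) + ", root charged: " + root.used() / mb + "M");
        a.kill();
        System.out.println("after A dies, root charged: " + root.used() / mb + "M, A alive: " + a.isAlive());
    }
}
```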
Java Class Loading
Java code is encapsulated in class files
Alta allows parent to control child’s class namespace
• Control is more flexible than ClassLoader
• Each process’s class space is separate
Analogous to page faults in Fluke
Inter-Process Sharing
Parent allocates -> Child references
• Harmless. If parent dies then child dies
• Useful. Standard server behavior
Child allocates -> Parent references
• Harmless. If child dies parent already “owns” object
• Useful. Child can pass IPC arguments
Sibling allocates -> Sibling references
• Parent trades communication costs for separation
Limitations & Weaknesses
Garbage collection
• A “system service” in Alta
• How to account for GC CPU cycles?
• How to account for shared objects?
“Lightweight” boundaries in language-based systems?
• Safety requires barriers between processes
• Type-safe, fine-grained sharing mitigates
Alta Status
Runs existing JDK 1.0 applications
• Without AWT
• In user mode
Controls resources
• Memory, file, network and GC access control
Controls namespace of a child process
Safe inter-process sharing
Related Work
Other Java-based operating systems
• J-Kernel [Hawblitzel et al., 1998]
• Conversant [Bernadat et al., 1998]
Hardware-based mobile code systems
• Lava [Jaeger et al., 1998]
OS pieces in Java
• Capabilities [Hagimont et al., 1997]
• Stack Introspection [Wallach et al., 1997]
Non-Java systems: Pilot, Oberon
Conclusion
Language-based systems need OS abstractions
• Application separation
• Resource accounting and management
Operating systems provide appropriate models
• Comprehensive, coherent solutions
• Models are largely independent of protection mechanism
Alta’s nested Java processes provide
• Hierarchical resource management
• Safe, fine-grained sharing
End of SIGOPS Presentation
Future Plans
Migrate to JDK 1.1
• Kaffe already supports 1.1
• Reflection API
CPU Inheritance Scheduling
• Implemented in a different JVM now
Flask security framework integration
Release the software
Port to the OSKit
Sun's Java-based approaches:
Multiple JVMs
• Misses out on safe sharing
• Duplicate overhead of starting new JVM
Sun's sandbox [Gong 1997]
• Identity is tied to code.
Sun's JavaOS [Sun Microsystems 1997]
• Targeted at trusted environments, separate JVMs
Java-based Operating Systems:
Cornell's JKernel [Hawblitzel 1998]
• Clean termination and separation
OpenGroup's Conversant [Bernadat 1998]
• Memory page separation, per-process GC.
Related Research in Java:
Balfanz and Gong: Multi-processing in JDK [Balfanz 1998]
• Explore security in multi-process JVM.
Capabilities [Hagimont 1997]
• Use capabilities to control resource access in Java.
Stack introspection [Wallach 1997]
• Mechanism to enforce security
Related Research in Non-Java Software Systems:
Oberon [Wirth 1992]
• Not designed for multi-user environment
Juice [Franz 1997]
• Provides better verification than Java for Oberon
Cedar/Mesa/Pilot [Swinehart 1986, Lampson 1980, Redell 1980]
• Original software-based OS. Not designed for multiple, mutually untrusting applications.
Related Work in Hardware-based Systems:
"Java Playground" & "Cage" [AT&T, Digitivity]
• Runs untrusted code on untrusted hosts
Lava [Jaeger 1998]
• L4-based system, uses JVM and L4-process per-application.
Kernel Protection
Stack Space
• Fluke uses separate kernel stack
• Alta checks stack space at syscall entry
Memory
• Fluke allocates in kernel heap
• Alta makes allocations outside of kernel
Interruption
• Fluke threads can become uninterruptible in kernel
• Alta threads postpone interruption while in kernel
Why OS Process?
Historical unit of resource accounting and control
• Traditionally supported by hardware MMU
Task separation and more
• Encompasses user + code (who + what)
• Resource limits
• Access control
• Handle on application instance
More than ThreadGroup or Applet or ClassLoader
Alta
Nested Process Model (NPM) in Java
• Borrowed model from existing microkernel: Fluke
• Hierarchical processes
• Services outside of the “kernel”
Implementation:
• Enhance JVM to provide CPU and memory control
• Modify Java libraries to use NPM capabilities
• Built on Kaffe and Kore