Safe Language Kernel  & J-Kernel papers

(The paper titles are links to PDF versions which may be more portable than the postscript reachable via the icons)

This paper describes the design and performance of the J-Server, an integrated web and telephony server that allows untrusted Java servlets to be dynamically uploaded to extend the server's functionality.  The J-Kernel provides for protection and communication between J-Server servlets and ensures that servlets can be cleanly terminated.  A resource monitor called JRes is used to account for servlet resource usage.  Two sample applications show that the overhead of J-Kernel task boundary crossings is small compared to the applications' overall running time.  Experience developing applications for the J-Server demonstrates the benefits of extensible systems based on safe language protection, and the flexibility of the servlet model.  

With the spread of the Internet the computing model on server systems is undergoing several important changes.  Recent research ideas concerning dynamic operating system extensibility are finding their way into the commercial domain, resulting in designs of extensible databases and Web servers.  In addition, both ordinary users and service providers must deal with untrusted downloadable executable code of unknown origin and intentions.

Across the board, Java has emerged as the language of choice for Internet-oriented software.  We argue that, in order to realize its full potential in applications dealing with untrusted code, Java needs a flexible resource accounting interface.  The design and prototype implementation of such an interface  --- JRes --- is presented in this paper.  The interface allows to account for heap memory, CPU time, and network resources consumed by individual threads or groups of threads.  JRes allows limits to be set on resources available to threads and it can invoke callbacks when these limits are exceeded.  The JRes prototype described in this paper is implemented on top of standard Java virtual machines and requires only a small amount of native code. 

The use of language mechanisms to enforce protection boundaries around software modules has become increasingly attractive. This paper examines the advantages and disadvantages of language-based protection over more traditional protection mechanisms, such as standard virtual memory protection hardware, software fault isolation, and capability systems. Arguably, state-of-the-art language-based protection is more flexible and as safe as these other mechanisms. Two major remaining issues are the performance of language-based protection, and the management of resources. Regarding the latter, techniques to build an operating system kernel capable of managing resources and revoking rights are presented.

Safe language technology allows multiple protection domains to coexist within a single address space. The protection is enforced by the language system, in particular the type system, which provides unforgeable object references. This paper develops a new capability model (called the type-capability model) which relates the protection offered by safe languages to that of traditional capability systems. This model is used to show that the power of capabilities can be obtained in a safe language at low cost through a combination of link-time and run-time protection checks.

The Safe Language Kernel (SLK) leverages the type-capability model to implement multiple protection domains with low-overhead fine-grain sharing in a single address space. A Java-based prototype implementation of SLK is used to describe the mechanisms available for sharing data and code. A set of micro-benchmarks demonstrates the low overhead of crossing protection domain boundaries and three server-based application studies (an extensible web server, a shared annotation system, and Active Networks) illustrate the use of SLK.


Last modified: Monday, November 30, 1998