(The paper titles are links to PDF versions which may be more portable than the postscript reachable via the icons)
While object-relational database servers can be extended with user-defined functions (UDFs), the security of the server may be compromised by these extensions. The use of Java to implement the UDFs is promising because it addresses some security concerns. However, it still permits interference between different users through the uncontrolled consumption of resources. In this paper, we explore the use of a Java resource management mechanism (JRes) to monitor resource consumption and enforce usage constraints. JRes enhances the security of the server in the presence of extensions allowing for (i) detection and neutralization of denial-of-service attacks aimed at resource monopolization, (ii) monitoring resource consumption which enables precise billing of users relying on UDFs, and (iii) obtaining feedback that can be used for adaptive query optimization.
The feedback can be utilized either by the UDFs themselves or by the database system to dynamically modify the query execution plan. Both models have been prototyped in the Cornell Predator database system. We describe the implementation techniques, and present experiments that demonstrate the effects of the adaptive behavior facilitated by JRes. We conclude that, minimally, a database system supporting extensions should have a built-in resource monitoring and controlling mechanism. Moreover, in order to fully exploit information provided by the resource control mechanisms, both the query optimizer and the UDFs themselves should have access to this information.
This paper describes the design and performance of the J-Server, an integrated web and telephony server that allows untrusted Java servlets to be dynamically uploaded to extend the server's functionality. The J-Kernel provides for protection and communication between J-Server servlets and ensures that servlets can be cleanly terminated. A resource monitor called JRes is used to account for servlet resource usage. Two sample applications show that the overhead of J-Kernel task boundary crossings is small compared to the applications' overall running time. Experience developing applications for the J-Server demonstrates the benefits of extensible systems based on safe language protection, and the flexibility of the servlet model.
RPC has established itself as one of the more powerful communication paradigms for distributed computing. In recent years, object-oriented languages have impacted RPC semantics, with a number of variants providing remote method invocation and various forms of distributed object systems. At the same time, performance has changed little with the bottleneck being the network transport, in particular the in-kernel protocol implementations.
This paper describes J-PRC, an RPC architecture that leverages user-level network interfaces (UNI) to circumvent the kernel on the critical path. It describes how the wire format and the RPC system can be engineered to allow zero-copy reception of Java objects and zero-copy transmission of arrays. All objects received are fully type-checked and can be directly used by the receiving program. The design is connection-oriented for performance and leverages the JVM's garbage collector when managing receive buffers. An implementation built from an off-the-shelf JVM and a commercial UNI is used to evaluate the architecture and the tradeoffs of type-safe, zero-copy data marshaling.
With the spread of the Internet the computing model on server systems is undergoing several important changes. Recent research ideas concerning dynamic operating system extensibility are finding their way into the commercial domain, resulting in designs of extensible databases and Web servers. In addition, both ordinary users and service providers must deal with untrusted downloadable executable code of unknown origin and intentions.
Across the board, Java has emerged as the language of choice for Internet-oriented software. We argue that, in order to realize its full potential in applications dealing with untrusted code, Java needs a flexible resource accounting interface. The design and prototype implementation of such an interface --- JRes --- is presented in this paper. The interface allows to account for heap memory, CPU time, and network resources consumed by individual threads or groups of threads. JRes allows limits to be set on resources available to threads and it can invoke callbacks when these limits are exceeded. The JRes prototype described in this paper is implemented on top of standard Java virtual machines and requires only a small amount of native code.
The use of language mechanisms to enforce protection boundaries around software modules has become increasingly attractive. This paper examines the advantages and disadvantages of language-based protection over more traditional protection mechanisms, such as standard virtual memory protection hardware, software fault isolation, and capability systems. Arguably, state-of-the-art language-based protection is more flexible and as safe as these other mechanisms. Two major remaining issues are the performance of language-based protection, and the management of resources. Regarding the latter, techniques to build an operating system kernel capable of managing resources and revoking rights are presented.
Safe language technology allows multiple protection domains to coexist within a single address space. The protection is enforced by the language system, in particular the type system, which provides unforgeable object references. This paper develops a new capability model (called the type-capability model) which relates the protection offered by safe languages to that of traditional capability systems. This model is used to show that the power of capabilities can be obtained in a safe language at low cost through a combination of link-time and run-time protection checks.
The Safe Language Kernel (SLK) leverages the type-capability model to implement multiple protection domains with low-overhead fine-grain sharing in a single address space. A Java-based prototype implementation of SLK is used to describe the mechanisms available for sharing data and code. A set of micro-benchmarks demonstrates the low overhead of crossing protection domain boundaries and three server-based application studies (an extensible web server, a shared annotation system, and Active Networks) illustrate the use of SLK.
Safe language technology can be used for protection within a single address space. This protection is enforced by the languages type system, which ensures that references to objects cannot be forged. A safe language alone, however, lacks many features taken for granted in more traditional operating systems, such as rights revocation, thread protection, resource management, and support for domain termination. This paper describes the J-Kernel, a portable Java-based protection system that addresses these issues. A number of micro-benchmarks are presented to characterize the costs of language-based protection, and an extensible web server based on the J-Kernel demonstrates the use of safe language techniques in a large application.
Last modified: Monday, November 30, 1998