J-Kernel: A Capability-Based Operating System for Java
Safe language technology can be used for protection within a single address space. This protection is enforced by the language’s type system, which ensures that references to objects cannot be forged. A safe language alone, however, lacks many features taken for granted in more traditional operating systems, such as rights revocation, thread protection, resource management, and support for domain termination. This paper describes the J-Kernel, a portable Java-based protection system that addresses these issues. J-Kernel protection domains can communicate through revocable capabilities, but are prevented from directly sharing unrevocable object references. A number of micro-benchmarks characterize the costs of language-based protection, and an extensible web and telephony server based on the J-Kernel demonstrates the use of language-based protection in a large application.
Keywords: Virtual Machine, Object Reference, Java Virtual Machine, Method Invocation, Class Loader
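The abstract's central design point is that a protection domain never hands another domain a raw object reference, only a capability that the owner can later revoke. The following Java program is an added illustration of that idea; it is not code from the paper or from the J-Kernel implementation, which generates its own stub classes and copies non-capability arguments across domains. Here the interposition is done with `java.lang.reflect.Proxy`, the `Greeter` interface and the `RevocableCapability` class are hypothetical names, and arguments are passed by reference rather than copied, so only the revocation behaviour is shown.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Proxy;

// Hypothetical service interface that one domain exports to another.
interface Greeter {
    String greet(String name);
}

// A revocable capability: the other domain only ever receives the proxy returned by
// stub(); the real object stays with the owner, who alone can call revoke().
final class RevocableCapability<T> {
    private final T stub;
    private volatile boolean revoked = false;

    RevocableCapability(Class<T> iface, T target) {
        InvocationHandler handler = (proxy, method, args) -> {
            // Every call crosses the domain boundary through this check.
            if (revoked) {
                throw new IllegalStateException("capability revoked: " + method.getName());
            }
            try {
                return method.invoke(target, args);
            } catch (InvocationTargetException e) {
                throw e.getCause(); // surface the target's own exception, not the wrapper
            }
        };
        this.stub = iface.cast(Proxy.newProxyInstance(
                iface.getClassLoader(), new Class<?>[] { iface }, handler));
    }

    T stub() { return stub; }          // hand this to the other domain
    void revoke() { revoked = true; }  // owner-only operation
}

public class CapabilityDemo {
    public static void main(String[] args) {
        // Domain A owns the real object and wraps it in a capability.
        Greeter real = name -> "hello, " + name;
        RevocableCapability<Greeter> cap = new RevocableCapability<>(Greeter.class, real);

        // Domain B receives only the stub and may use it while the capability is valid.
        Greeter handle = cap.stub();
        System.out.println(handle.greet("domain B"));

        // The stub is a proxy class, not the owner's object; the real reference never left A.
        System.out.println("stub is a proxy: " + Proxy.isProxyClass(handle.getClass()));

        // Domain A revokes; the reference domain B retained is now useless.
        cap.revoke();
        try {
            handle.greet("domain B");
        } catch (IllegalStateException e) {
            System.out.println("after revoke: " + e.getMessage());
        }
    }
}
```

The point to take from the example is the asymmetry: the holder of `handle` can invoke the service but has no path back to `real`, while the owner keeps the `RevocableCapability` object and can cut access at any time. A plain shared object reference in Java offers neither property, which is the gap the abstract says the J-Kernel closes.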