J-Kernel: A Capability-Based Operating System for Java

  • Thorsten von Eicken
  • Chi-Chao Chang
  • Grzegorz Czajkowski
  • Chris Hawblitzel
  • Deyu Hu
  • Dan Spoonhower
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1603)


Safe language technology can be used for protection within a single address space. This protection is enforced by the language’s type system, which ensures that references to objects cannot be forged. A safe language alone, however, lacks many features taken for granted in more traditional operating systems, such as rights revocation, thread protection, resource management, and support for domain termination. This paper describes the J-Kernel, a portable Java-based protection system that addresses these issues. J-Kernel protection domains can communicate through revocable capabilities, but are prevented from directly sharing unrevocable object references. A number of micro-benchmarks characterize the costs of language-based protection, and an extensible web and telephony server based on the J-Kernel demonstrates the use of language-based protection in a large application.


Virtual Machine Object Reference Java Virtual Machine Method Invocation Class Loader 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    G. Back, P. Tullmann, L. Stoller, W. C. Hsieh, J. Lepreau. Java Operating Systems: Design and Implementation. Technical Report UUCS-98-015, Department of Computer Science, University of Utah, August, 1998.Google Scholar
  2. 2.
    D. Balfanz, and Gong, L. Experience with Secure Multi-Processing in Java. Technical Report 560-97, Department of Computer Science, Princeton University, September, 1997.Google Scholar
  3. 3.
    B. Bershad, S. Savage, P. Pardyak, E. Sirer, M. Fiuczynski, D. Becker, S. Eggers, and C. Chambers. Extensibility, Safety and Performance in the SPIN Operating System. 15th ACM Symposium on Operating Systems Principles, p.267–284, Copper Mountain, CO, December 1995.Google Scholar
  4. 4.
    B. Bershad, T. Anderson, E. Lazowska, and H. Levy. Lightweight Remote Procedure Call. 12th ACM Symposium on Operating Systems Principles, p. 102–113, Lichtfield Park, AZ, December 1989.Google Scholar
  5. 5.
    R. S. Boyer, and Y. Yu. Automated proofs of object code for a widely used microprocessor. J. ACM 43(1), p. 166–192, January 1996.MATHCrossRefMathSciNetGoogle Scholar
  6. 6.
    J. Chase, H. Levy, E. Lazowska, and M. Baker-Harvey. Lightweight Shared Objects in a 64-Bit Operating System. ACM Object-Oriented Programming Systems, Languages, and Applications (OOPSLA), October 1992.Google Scholar
  7. 7.
    G. Czajkowski and T. von Eicken. JRes: A Resource Accounting Interface for Java. To appeax in proceedings of the 1998 Conference on Object-Oriented Programming Languages, Systems, and Applications.Google Scholar
  8. 8.
    Electric Communities. The E White Paper. http://www.communities.eom/products/tools/e.
  9. 9.
    R. Engler, M. Kaashoek, and J. James O’Toole. Exokernel: An Operating System. Architecture for Application-Level Resource Management. 15th ACM Symposium on Operating Systems Principles, p. 251266, Copper Mountain, CO, December 1995.Google Scholar
  10. 10.
    B. Ford, G. Back, G. Benson, J. Lepreau, A. Lin, and O. Shivers. The Fluke OSKit: A substrate for OS and language research. In Proc. Of the 16th SOSP, pp. 38–51, St. Malo, France, October 1997.Google Scholar
  11. 11.
    General Magic. Odyssey. http://www.genmagic.com/agents.
  12. 12.
    L. Gong, and Schemers, R. Implementing Protection Domains in the Java Development Kit 1.2. Internet Society Symposium on Network and Distributed System Security, San Diego, CA, March 1998.Google Scholar
  13. 13.
    J. Gosling, B. Joy, and G. Steele. The Java language specification. Addison-Wesley, 1996.Google Scholar
  14. 14.
    D. Hagimont, and L. Ismail. A Protection Scheme for Mobile Agents on Java. 3rd Annual ACM/IEEE Int’l Conference on Mobile Computing and Networking, Budapest, Hungary, September 2630, 1997.Google Scholar
  15. 15.
    H. Haertig, et. al. The Performance of μ-Kernel-Based Systems. 16th ACM Symposium on Operating Systems Principles, p. 6677, Saint-Malo, France, October 1997.Google Scholar
  16. 16.
    C. Hawblitzel, C. C. Chang, G. Czajkowski, D. Hu, and T. von Eicken. Implementing Multiple Protection Domains in Java. 1998 USENIX Annual Technical Conference, p. 259–270, New Orleans, LA, June 1998.Google Scholar
  17. 17.
    G. Heiser, et. al. Implementation and Performance of the Mungi Single-Address-Space Operating System. Technical Report UNSW-CSE-TR-9704, Univeristy of New South Wales, Sydney, Australia, June 1997.Google Scholar
  18. 18.
    JavaSoft. Java Telephony API. http://java.sun.com/products/jtapi/index.html.
  19. 19.
    JavaSoft. Remote Method Invocation Specification. http://java.sun.com.
  20. 20.
    JavaSoft. New Security Model for JDK1.2. http://java.sun.com
  21. 21.
    JavaSoft. Java Servlet API. http://java.sun.com.
  22. 22.
    A. K. Jones and W. A. Wulf. Towards the Design of Secure Systems. Software Practice and Experience, Volume 5, Number 4, p. 321336, 1975.CrossRefGoogle Scholar
  23. 23.
    H. M. Levy. Capability-Based Computer Systems. Digital Press, Bedford, Massachusetts, 1984.Google Scholar
  24. 24.
    J. Liedtke, et. al. Achieved IPC Performance. 6th Workshop on Hot Topics in Operating Systems, Chatham, MA, May.Google Scholar
  25. 25.
    Microsoft Corporation. Microsoft Security Management Architecture White Paper. http://www.microsoft.com/ie/ security.
  26. 26.
    G. Morrisett, D. Walker, K. Crary, and N. Glew. From System F to Typed Assembly Language. 25th ACM Symposium on Principles of Programming Languages. San Diego, CA, January 1998.Google Scholar
  27. 27.
    G. Necula and P. Lee. Safe Kernel Extensions Without Run-Time Checking. 2nd USENIX Symposium on Operating Systems Design and Implementation, p. 229243, Seattle, WA, October 1996.Google Scholar
  28. 28.
    G. Necula. Proof-carrying code. 24th ACM Symposium on Principles of Programming Languages, p. 106119, Paris, 1997.Google Scholar
  29. 29.
    Netscape Corporation. Java Capabilities API. http://www.netscape.com.
  30. 30.
    Rashid, R. Threads of a New System. Unix Review, p. 3749, August 1986.Google Scholar
  31. 31.
    D. D. Redell. Naming and Protection in Extendible Operating Systems. Technical Report 140, Project MAC, MIT 1974.Google Scholar
  32. 32.
    Z. Shao. Typed Common Intermediate Format. 1997 USENIX Conference on Domain-Specific Languages, Santa Barbara, California, October 1997.Google Scholar
  33. 33.
    J. S. Shapiro, D. J. Farber, and J. M. Smith. The Measured Performance of a Fast Local IPC. 5th Int’l Workshop on Object-Orientation in Operating Systems, Seattle, WA. 1996Google Scholar
  34. 34.
    R. Wahbe, S. Lucco, T. E. Anderson, and S. L. Graham. Efficient Software-Based Fault Isolation. 14th ACM Symposium on Operating Systems Principles, p. 203216, Asheville, NC, December 1993.Google Scholar
  35. 35.
    D. S. Wallach, D. Balfanz, D. Dean, and E. W. Felten. Extensible Security Architectures for Java. 16th ACM Symposium on Operating Systems Principles, p. 116128, Saint-Malo, France, October 1997.Google Scholar
  36. 36.
    W. A. Wulf, R. Levin, and S.P. Harbison. Hydra/C. mmp: An Experimental Computer System, McGraw-Hill, New York, NY, 1981.Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 1999

Authors and Affiliations

  • Thorsten von Eicken
    • 1
  • Chi-Chao Chang
    • 1
  • Grzegorz Czajkowski
    • 1
  • Chris Hawblitzel
    • 1
  • Deyu Hu
    • 1
  • Dan Spoonhower
    • 1
  1. 1.Department of Computer ScienceCornell UniversityIthacaUSA

Personalised recommendations