Ribbons

Abstract

The need for programs to execute subcomponents in isolation from each other or with lower privileges is prevalent among today's systems. We introduce ribbons: a shared memory programming model that allows for more implicit sharing of memory than processes but is more restrictive than threads. Ribbons structure the heap into protection domains. Privileges between these protection domains are carefully controlled in order to confine computation. We propose RibbonJ, a backwards-compatible extension of Java, to easily create or port programs to use the ribbons model. We study the progress and isolation properties of a subset of the language. Building on JikesRVM we implement ribbons by leveraging existing memory protection mechanisms in modern hardware and operating systems, avoiding the overhead of inline security checks and read or write barriers. We evaluate efficiency via microbenchmarks and the DaCapo suite, observing minor overhead. Additionally, we refactor Apache Tomcat to use ribbons for application isolation, discuss the refactoring's design and complexity, and evaluate performance using the SPECweb2009 benchmark.