Affiliation:
1. Virginia Polytechnic Institute and State University, Blacksburg, VA
2. Google, Inc., Mountain View, CA
Abstract
Single-language runtime systems, in the form of Java virtual machines, are widely deployed platforms for executing untrusted mobile code. These runtimes provide some of the features that operating systems provide: interapplication memory protection and basic system services. They do not, however, provide the ability to isolate applications from each other. Neither do they provide the ability to limit the resource consumption of applications. Consequently, the performance of current systems degrades severely in the presence of malicious or buggy code that exhibits ill-behaved resource usage. We show that Java runtime systems can be extended to support
processes
, and that processes can provide robust and efficient support for untrusted applications.We have designed and built KaffeOS, a Java runtime system that provides support for processes. KaffeOS isolates processes and manages the physical resources available to them: CPU and memory. Unlike existing Java virtual machines, KaffeOS can safely terminate processes without adversely affecting the integrity of the system, and it can fully reclaim a terminated process's resources. Finally, KaffeOS requires no changes to the Java language. The novel aspects of the KaffeOS architecture include the application of a user/kernel boundary as a structuring principle for runtime systems, the employment of garbage collection techniques for resource management and isolation, and a model for direct sharing of objects between untrusted applications. The difficulty in designing KaffeOS lay in balancing the goals of isolation and resource management against the goal of allowing direct sharing of objects.For the SpecJVM benchmarks, the overhead that our KaffeOS prototype incurs ranges from 0% to 25%, when compared to the open-source JVM on which it is based. We consider this overhead acceptable for the safety that KaffeOS provides. In addition, our KaffeOS prototype can scale to run more applications than running multiple JVMs. Finally, in the presence of malicious or buggy code that engages in a denial-of-service attack, KaffeOS can contain the attack, remove resources from the attacked applications, and continue to provide robust service to other clients.
Publisher
Association for Computing Machinery (ACM)
Cited by
27 articles.
订阅此论文施引文献
订阅此论文施引文献,注册后可以免费订阅5篇论文的施引文献,订阅后可以查看论文全部施引文献
1. Enhanced Memory-Safe Linux Security Modules (eLSMs) for Improving Security of Docker Containers for Data Centers;Journal of Software Engineering and Applications;2024
2. Extending Rust with Support for Zero Copy Communication;Proceedings of the 12th Workshop on Programming Languages and Operating Systems;2023-10-23
3. Sfitag: Efficient Software Fault Isolation with Memory Tagging for ARM Kernel Extensions;Proceedings of the ACM Asia Conference on Computer and Communications Security;2023-07-10
4. Evolving Operating System Kernels Towards Secure Kernel-Driver Interfaces;Proceedings of the 19th Workshop on Hot Topics in Operating Systems;2023-06-22
5. Refactoring the FreeBSD Kernel with Checked C;2020 IEEE Secure Development (SecDev);2020-09