JRes: A Resource Accounting Interface for Java
1998
Cited by 85 (4 self)
With the spread of the Internet the computing model on server systems is undergoing several important changes. Recent research ideas concerning dynamic operating system extensibility are finding their way into the commercial domain, resulting in designs of extensible databases and Web servers. In addition, both ordinary users and service providers must deal with untrusted downloadable executable code of unknown origin and intentions. Across the board, Java has emerged as the language of choice for Internet-oriented software. We argue that, in order to realize its full potential in applications dealing with untrusted code, Java needs a flexible resource accounting interface. The design and prototype implementation of such an interface --- JRes --- is presented in this paper. The interface allows accounting for heap memory, CPU time, and network resources consumed by individual threads or groups of threads. JRes allows limits to be set on resources available to threads and it can invoke...
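The abstract describes an interface that accounts heap, CPU and network consumption per thread, attaches limits, and invokes a handler on overuse. The following is an added illustration of that shape, written for this page and not JRes's own code. It assumes a HotSpot/OpenJDK runtime, because allocated-bytes accounting comes from the com.sun.management.ThreadMXBean extension; CPU time uses the standard java.lang.management API; network bytes have no JVM counter, so the I/O code charges them explicitly through a hypothetical chargeNetwork call. Class and method names are the example's own.

```java
import java.lang.management.ManagementFactory;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added illustration, not JRes itself: per-thread accounting with limits and an
// overuse handler. Assumption: HotSpot/OpenJDK, whose ThreadMXBean implements
// com.sun.management.ThreadMXBean (per-thread allocated bytes).
public final class ResourceAccounting {

    public enum Resource { CPU_NANOS, HEAP_BYTES, NET_BYTES }

    /** Called when a thread exceeds a limit; the handler decides what to do (e.g. interrupt). */
    public interface OveruseHandler {
        void onOveruse(Thread t, Resource r, long used, long limit);
    }

    /** Per-thread limits; a negative value means "unlimited". */
    public static final class Limits {
        final long cpuNanos, heapBytes, netBytes;
        public Limits(long cpuNanos, long heapBytes, long netBytes) {
            this.cpuNanos = cpuNanos; this.heapBytes = heapBytes; this.netBytes = netBytes;
        }
        long of(Resource r) {
            switch (r) {
                case CPU_NANOS:  return cpuNanos;
                case HEAP_BYTES: return heapBytes;
                default:         return netBytes;
            }
        }
    }

    private static final com.sun.management.ThreadMXBean THREADS =
            (com.sun.management.ThreadMXBean) ManagementFactory.getThreadMXBean();

    private final Map<Long, Limits> limits = new ConcurrentHashMap<>();
    private final Map<Long, Long> netBytes = new ConcurrentHashMap<>();
    private final OveruseHandler handler;

    public ResourceAccounting(OveruseHandler handler) {
        this.handler = handler;
        THREADS.setThreadCpuTimeEnabled(true);          // may be unsupported on exotic JVMs
        THREADS.setThreadAllocatedMemoryEnabled(true);
    }

    public void setLimits(Thread t, Limits l) { limits.put(t.getId(), l); }

    /** Current consumption of one resource by one thread (-1 if the JVM cannot report it). */
    public long usage(Thread t, Resource r) {
        long id = t.getId();
        switch (r) {
            case CPU_NANOS:  return THREADS.getThreadCpuTime(id);
            case HEAP_BYTES: return THREADS.getThreadAllocatedBytes(id);
            default:         return netBytes.getOrDefault(id, 0L);
        }
    }

    /** Network traffic is charged by the code that owns the socket, e.g. around write(). */
    public void chargeNetwork(Thread t, long bytes) {
        netBytes.merge(t.getId(), bytes, Long::sum);
        check(t, Resource.NET_BYTES);
    }

    /** Compare usage with limits; invoke the handler for each exceeded resource. */
    public boolean check(Thread t, Resource... resources) {
        Limits l = limits.get(t.getId());
        if (l == null) return false;
        boolean exceeded = false;
        for (Resource r : resources) {
            long limit = l.of(r), used = usage(t, r);
            if (limit >= 0 && used > limit) {
                exceeded = true;
                handler.onOveruse(t, r, used, limit);
            }
        }
        return exceeded;
    }

    // Demo: an allocation-heavy worker is stopped by its 16 MiB heap limit long
    // before its simulated network traffic reaches the 1 MiB network limit.
    public static void main(String[] args) throws InterruptedException {
        ResourceAccounting acct = new ResourceAccounting((t, r, used, limit) -> {
            System.out.println(t.getName() + " exceeded " + r + ": " + used + " > " + limit);
            t.interrupt();
        });
        Thread worker = new Thread(() -> {
            List<byte[]> keep = new ArrayList<>();
            while (!Thread.currentThread().isInterrupted()) {
                keep.add(new byte[64 * 1024]);
                if (keep.size() > 64) keep.clear();
                acct.chargeNetwork(Thread.currentThread(), 512); // pretend we sent 512 bytes
            }
        }, "untrusted-worker");
        acct.setLimits(worker, new Limits(-1, 16L << 20, 1L << 20));
        worker.start();
        while (worker.isAlive() && !acct.check(worker, Resource.CPU_NANOS, Resource.HEAP_BYTES)) {
            Thread.sleep(5);
        }
        worker.join(1000);
        System.out.println("worker alive after limit: " + worker.isAlive());
    }
}
```

The design point worth noticing is that the accounting and the limit check are separated from the reaction: the handler is policy, and interrupting is only one choice. A thread that never polls its interrupt flag is not stopped by this mechanism, which is exactly the termination problem that the "red line" paper below raises for software-based protection.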
Drawing the Red Line in Java
- In Seventh IEEE Workshop on Hot Topics in Operating Systems, Rio Rico, AZ, 1999
Cited by 40 (6 self)
Software-based protection has become a viable alternative to hardware-based protection in systems based on languages such as Java, but the absence of hardware mechanisms for protection has been coupled with an absence of a user/kernel boundary. We show why such a "red line" must be present in order for a Java virtual machine to be as effective and as reliable as an operating system. We discuss how the red line can be implemented using software mechanisms, and explain the ones we use in the Java system that we are building. 1. Introduction A paper that appeared at a previous HotOS [4] stated that "protection is a software issue." This statement is incomplete; we would reword it as "Protection is a software issue, but it is not the only software issue." In particular, issues such as resource control, communication, and termination need to be dealt with in software if hardware protection mechanisms are not present. To date, systems that replace hardware mechanisms with software mechanism...
Language Support for Extensible Operating Systems
- In Proceedings of the Workshop on Compiler Support for System Software, 1996
Cited by 20 (4 self)
We have identified three areas where language support for operating system extensibility is important: performance, safety, and expressive power. First, an extension language should support pointer-safe casting to avoid unnecessary copying of data. Second, an extension language must allow a caller to isolate untrusted code. Finally, an extension language should provide a vocabulary for describing interfaces, modules, and procedures in a first-class fashion. We present specific examples of these needs, and describe the changes to Modula-3 that we have made for our work in the SPIN operating system. 1 Introduction SPIN is an extensible operating system that allows untrusted applications to extend system services by dynamically linking extension code into its kernel [2]. These extensions directly access system services with procedure calls, and system resources via loads and stores. As a result, extensions do not incur costly address space switches when they interact with the kerne...
Device driver safety through a reference validation mechanism
- In OSDI’08
Cited by 20 (0 self)
Device drivers typically execute in supervisor mode and thus must be fully trusted. This paper describes how to move them out of the trusted computing base, by running them without supervisor privileges and constraining their interactions with hardware devices. An implementation of this approach in the Nexus operating system executes drivers in user space, leveraging hardware isolation and checking their behavior against a safety specification. These Nexus drivers have performance comparable to in-kernel, trusted drivers, with a level of CPU overhead acceptable for most applications. For example, the monitored driver for an Intel e1000 Ethernet card has throughput comparable to a trusted driver for the same hardware under Linux. And a monitored driver for the Intel i810 sound card provides continuous playback. Drivers for a disk and a USB mouse have also been moved successfully to operate in user space with safety specifications.
The Fluke Device Driver Framework
1999
Cited by 9 (0 self)
Providing efficient device driver support in the Fluke operating system presents novel challenges, which stem from two conflicting factors: (i) a design and maintenance requirement to reuse unmodified legacy device drivers, and (ii) the mismatch between the Fluke kernel's internal execution environment and the execution environment expected by these legacy device drivers. This thesis presents a solution to this conflict: a framework whose design is based on running device drivers as usermode servers, which resolves the fundamental execution environment mismatch. This approach
SLK: A Capability System Based on Safe Language Technology
1997
Cited by 4 (0 self)
Safe language technology allows multiple protection domains to coexist within a single address space. The protection is enforced by the language system, in particular the type system, which provides unforgeable object references. This paper develops a new capability model (called the type-capability model) which relates the protection offered by safe languages to that of traditional capability systems. This model is used to show that the power of capabilities can be obtained in a safe language at low cost through a combination of link-time and run-time protection checks. The Safe Language Kernel (SLK) leverages the type-capability model to implement multiple protection domains with low-overhead fine-grain sharing in a single address space. A Java-based prototype implementation of SLK is used to describe the mechanisms available for sharing data and code. A set of micro-benchmarks demonstrates the low overhead of crossing protection domain boundaries and three server-based application s...
HOKES/POKES: Light-weight resource sharing
- In Proc. of ACM SIGBED’s Third International Conference for Embedded Software (EmSoft’03), 2003
Cited by 2 (0 self)
In this paper, we explain mechanisms for providing embedded network processors and other low-level programming environments with light-weight support for safe resource sharing. The solution consists of a host part, known as HOKES, and a network processor part, known as POKES. As common operating system concepts are considered to be too heavy-weight for this environment, we developed a system that pushes resource control all the way to the compiler. The HOKES/POKES architecture is described in detail and its implementation evaluated.
Isolation, Resource Management and Sharing in the KaffeOS Java Runtime System
2002
Cited by 1 (0 self)
Single-language runtime systems, in the form of Java virtual machines, are widely deployed platforms for executing untrusted mobile code. These runtimes provide some of the features that operating systems provide: interapplication memory protection and basic system services. They do not, however, provide the ability to isolate applications from each other. Neither do they provide the ability to limit the resource consumption of applications. Consequently, the performance of current systems degrades severely in the presence of malicious or buggy code that exhibits ill-behaved resource usage.
A Design Proposal for Interprocess Communication in the SPIN Operating System
- Class proceedings, CSE 552, Advanced Operating System Concepts, 1994
"... This paper defines this model. ..."
Practical, Dynamic Information-flow for Virtual Machines
Cited by 1 (0 self)
For decades, secure operating systems have incorporated mandatory access control (MAC) techniques. Surprisingly, mobile-code platforms such as the Java Virtual Machine (JVM) and the .NET Common Language Runtime (CLR) have largely ignored these advances and have implemented a far weaker security that does not reliably track ownership and access permissions for individual data items. We have implemented a system that adds MAC to an existing JVM at the granularity of objects. Our system maintains a strict separation between mechanism and policy, thereby allowing a wide range of policies to be enforced. Moreover, our implementation is independent of any specific JVM, and will work with any JVM that supports the JVM Tools Interface.
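The abstract's two design claims, labels at object granularity and a strict mechanism/policy split, are easier to see in code than in prose. The block below is an added example written for this page, not the paper's JVMTI-based system: instead of instrumenting the VM it models the same idea in plain Java, where every value is wrapped with a label, derived values carry the join of their inputs' labels, and the only way out is a sink check that delegates the flow decision to a pluggable policy. The label lattice (level plus compartments), the NO_READ_UP policy and the HR/FIN compartment names are assumptions of the example.

```java
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import java.util.function.BiFunction;

// Added example, not the paper's implementation: object-granularity labels with
// the flow decision factored out into a FlowPolicy. The mechanism (attach label,
// join on derivation, check at the sink) never changes; only the policy does.
public final class LabeledObjects {

    /** Policy: may data labeled `from` flow to a sink labeled `to`? */
    public interface FlowPolicy {
        boolean mayFlow(Label from, Label to);
    }

    /** A security label: a level plus a set of compartments (assumed lattice). */
    public static final class Label {
        final int level;
        final Set<String> compartments;
        public Label(int level, Set<String> compartments) {
            this.level = level;
            this.compartments = Collections.unmodifiableSet(new HashSet<>(compartments));
        }
        /** Least upper bound: data derived from both inputs carries both labels. */
        public Label join(Label other) {
            Set<String> c = new HashSet<>(compartments);
            c.addAll(other.compartments);
            return new Label(Math.max(level, other.level), c);
        }
        @Override public String toString() { return "L" + level + compartments; }
    }

    /** Mechanism: the raw value is private and only released through a checked sink. */
    public static final class Labeled<T> {
        private final T value;
        private final Label label;
        public Labeled(T value, Label label) { this.value = value; this.label = label; }
        public Label label() { return label; }

        /** Derive a new object; its label is the join of the inputs' labels. */
        public <U, R> Labeled<R> combine(Labeled<U> other, BiFunction<T, U, R> f) {
            return new Labeled<>(f.apply(value, other.value), label.join(other.label));
        }

        /** Release the value to a sink with the given clearance, or refuse. */
        public T releaseTo(Label sink, FlowPolicy policy) {
            if (!policy.mayFlow(label, sink)) {
                throw new SecurityException("flow " + label + " -> " + sink + " denied");
            }
            return value;
        }
    }

    /** One concrete policy: the sink must dominate the data's label ("no read up"). */
    public static final FlowPolicy NO_READ_UP = (from, to) ->
            to.level >= from.level && to.compartments.containsAll(from.compartments);

    public static void main(String[] args) {
        Label pub = new Label(0, Set.of());
        Label hr  = new Label(1, Set.of("HR"));
        Label fin = new Label(1, Set.of("FIN"));

        Labeled<String>  name   = new Labeled<>("alice", pub);   // constructed sample data
        Labeled<Integer> salary = new Labeled<>(90_000, hr);

        // Derivation: the concatenated record inherits the HR label, not the public one.
        Labeled<String> record = name.combine(salary, (n, s) -> n + ":" + s);
        System.out.println("record label = " + record.label());

        // A sink cleared for HR (and more) may receive it.
        System.out.println("released: " + record.releaseTo(new Label(1, Set.of("HR", "FIN")), NO_READ_UP));

        // A public log sink may not, and neither may a FIN-only sink of the same level.
        for (Label sink : new Label[] { pub, fin }) {
            try {
                record.releaseTo(sink, NO_READ_UP);
            } catch (SecurityException e) {
                System.out.println("denied: " + e.getMessage());
            }
        }
    }
}
```

Swapping NO_READ_UP for a different FlowPolicy changes what is enforced without touching Labeled or Label, which is the separation the abstract describes. What this plain-Java model cannot do, and what the paper's VM-level approach exists for, is track flows through code that was never written against the wrapper: implicit flows via control dependence and data that escapes through unlabeled fields or native calls stay invisible here.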

