Results 1 - 10
of
22
Multitasking without Compromise: A Virtual Machine Evolution
- In ACM OOPSLA’01
, 2001
"... The Multitasking Virtual Machine (called from now on simply MVM) is a modification of the Java ™ virtual machine. It enables safe, secure, and scalable multitasking. Safety is achieved by strict isolation of applications from one another. Resource control mechanisms augment security by preventing so ..."
Abstract
-
Cited by 67 (10 self)
- Add to MetaCart
(Show Context)
The Multitasking Virtual Machine (called from now on simply MVM) is a modification of the Java ™ virtual machine. It enables safe, secure, and scalable multitasking. Safety is achieved by strict isolation of applications from one another. Resource control mechanisms augment security by preventing some denial-ofservice attacks. Improved scalability results from an aggressive application of the main design principle of MVM: share as much of the runtime as possible among applications and replicate everything else. The system can be described as a ‘no compromise ’ approach – all the known APIs and mechanisms of the Java programming language are available to applications. MVM is implemented as a series of carefully tuned modifications to the Java HotSpot ™ virtual machine, including the dynamic compiler. This paper presents the design of MVM, focusing on several novel and general techniques: an in-runtime design of lightweight isolation, an extension of a copying, generational garbage collector to provide best-effort management of a portion of the heap space, and a transparent and automated mechanism for safe execution of user-level native code. MVM demonstrates that multitasking in a safe language can be accomplished with a high degree of protection, without constraining the language, and with competitive performance characteristics.
Experiences implementing efficient java thread serialization, mobility and persistence
- In Software - Practice and Experience
, 2002
"... Today, mobility and persistence are important aspects of distributed computing. They have many fields of use such as load balancing, fault tolerance and dynamic reconfiguration of applications. In this context, Java provides many useful mechanisms for the mobility of code via dynamic class loading, ..."
Abstract
-
Cited by 25 (0 self)
- Add to MetaCart
(Show Context)
Today, mobility and persistence are important aspects of distributed computing. They have many fields of use such as load balancing, fault tolerance and dynamic reconfiguration of applications. In this context, Java provides many useful mechanisms for the mobility of code via dynamic class loading, and the mobility or persistence of data via object serialization. However, Java does not provide any mechanism for the mobility/persistence of computation (i.e., threads). We designed and implemented a new mechanism, called Java thread serialization, that is used to build thread mobility or thread persistence. Therefore, a running Java thread can, at an arbitrary state of its execution, migrate to a remote machine where it resumes its execution, or be checkpointed on disk for possible subsequent recovery. With our services, migrating a thread is simply performed by the call of our go primitive, and checkpointing/recovering a thread is performed by the call of our store and load primitives. Several projects have recently addressed the issue of Java thread serialization, e.g., Sumatra, Wasp, JavaGo, Brakes, JavaGoX, Merpati. Some of them have attempted
An Approach to Safe Object Sharing
- In ACM Conference on Object-Oriented Programming Systems, Languages and Applications (OOPSLA
, 2000
"... It is essential for security to be able to isolate mistrusting programs from one another, and to protect the host platform from programs. Isolation is difficult in object-oriented systems because objects can easily become aliased. Aliases that cross program boundaries can allow programs to exchange ..."
Abstract
-
Cited by 11 (1 self)
- Add to MetaCart
(Show Context)
It is essential for security to be able to isolate mistrusting programs from one another, and to protect the host platform from programs. Isolation is difficult in object-oriented systems because objects can easily become aliased. Aliases that cross program boundaries can allow programs to exchange information without using a system provided interface that could control information exchange. In Java, mistrusting programs are placed in distinct loader spaces but uncontrolled sharing of system classes can still lead to aliases between programs. This paper presents the object spaces protection model for an object-oriented system. The model decomposes an application into a set of spaces, and each object is assigned to one space. All method calls between objects in different spaces are mediated by a security policy. An implementation of the model in Java is presented. KEYWORDS Protection domains, access control, aliasing, sharing, Java. 1 Introduction In the age of Internet programming,...
Automated and portable native code isolation
- In Proceedings of the 12th International Symposium on Software Reliability Engineering (ISSRE‘01
, 2001
"... The coexistence of programs written in a safe language with user-supplied unsafe (native) code is convenient (it enables direct access to hardware and operating system resources and can improve application performance), but at the same time it is problematic (it leads to undesirable interference wit ..."
Abstract
-
Cited by 9 (0 self)
- Add to MetaCart
The coexistence of programs written in a safe language with user-supplied unsafe (native) code is convenient (it enables direct access to hardware and operating system resources and can improve application performance), but at the same time it is problematic (it leads to undesirable interference with the language runtime, decreases overall reliability, and lowers debuggability). This work aims at retaining most of the benefits of interfacing a safe language with native code while addressing its problems. It is carried out in the context of the Java ™ Native Interface (JNI). Our approach is to execute the native code in an operating system process different from that of the safe language application. A technique presented in this paper accomplishes this transparently, automatically, and without sacrificing any of the JNI functionality. No changes to the Java virtual machine (JVM™) or its runtime are necessary. The resulting prototype does not depend on a particular implementation of the JVM, and is highly portable across hardware architectures and operating systems. This approach can readily be used to improve reliability of applications consisting of a mix of safe and native code; to enable the execution of user-supplied native code in multitasking systems based on safe languages and in embedded virtual machines; and to facilitate mixed-mode debugging, without the need to re-implement any of the components of the language runtime. The design and implementation of a prototype system, performance implications, and the potential of this architecture are discussed in the paper.
Code Sharing Among Virtual Machines
- In ECOOP 2002
, 2002
"... Abstract. Sharing of code among applications executing in separate virtual machines can lead to memory footprint reductions and to performance improvements. The design of a general and acceptable sharing mechanism is challenging because of several constraints: performance considerations, the possibi ..."
Abstract
-
Cited by 9 (3 self)
- Add to MetaCart
(Show Context)
Abstract. Sharing of code among applications executing in separate virtual machines can lead to memory footprint reductions and to performance improvements. The design of a general and acceptable sharing mechanism is challenging because of several constraints: performance considerations, the possibility of dynamic class loading, dependencies between shared code and the runtime system, and the potential of adverse impact on the runtime’s reliability and on ease of maintenance. This paper analyzes these tradeoffs in the context of two modifications to the Java T M virtual machine (JVM T M). The first allows for sharing of bytecodes and class information across multiple virtual machines, each of which executes in a separate operating system process, using shared memory. The second additionally enables the sharing of dynamically compiled code. Their design and performance are evaluated against two other approaches: running each application in a separate instance of an unmodified virtual machine, and running all applications in a single instance of a multitasking virtual machine. 1
Retaining Sandbox Containment Despite Bugs in Privileged Memory-Safe Code
"... Flaws in the standard libraries of secure sandboxes represent a major security threat to billions of devices worldwide. The standard libraries are hard to secure because they frequently need to perform low-level operations that are forbidden in untrusted application code. Existing designs have a sin ..."
Abstract
-
Cited by 7 (1 self)
- Add to MetaCart
(Show Context)
Flaws in the standard libraries of secure sandboxes represent a major security threat to billions of devices worldwide. The standard libraries are hard to secure because they frequently need to perform low-level operations that are forbidden in untrusted application code. Existing designs have a single, large trusted computing base that contains security checks at the boundaries between trusted and untrusted code. Unfortunately, flaws in the standard library often allow an attacker to escape the security protections of the sandbox. In this work, we construct a Python-based sandbox that has a small, security-isolated kernel. Using a mechanism called a security layer, we migrate privileged functionality into memory-safe code on top of the sandbox kernel while retaining isolation. For example, significant portions of module import, file I/O, serialization, and network communication routines can be provided in security layers. By moving these routines out of the kernel, we prevent attackers from leveraging bugs in these routines to evade sandbox containment. We demonstrate the effectiveness of our approach by studying past bugs in Java’s standard libraries and show that most of these bugs would likely be contained in our sandbox.
System Checkpointing using Reflection and Program Analysis
, 2001
"... This paper describes a technique for checkpointing a running system by a combination of reflective introspection and program analysis. By using an extension to Javas Reflection API which allows activation frames and other aspects of execution state to be reflectively inspected and modified, we can ..."
Abstract
-
Cited by 6 (3 self)
- Add to MetaCart
(Show Context)
This paper describes a technique for checkpointing a running system by a combination of reflective introspection and program analysis. By using an extension to Javas Reflection API which allows activation frames and other aspects of execution state to be reflectively inspected and modified, we can halt at and restart from arbitrary points in the execution. We apply this checkpointing technique to an area that is not typically associated with reflection optimization of memory footprint and startup time. We have successfully used this technique in the joeq virtual machine to reduce the heap size and the application startup time significantly.
Cloneable JVM: a new approach to start isolated java applications faster
- In Proceedings of the 3rd international conference on Virtual execution environments (VEE '07). ACM
, 2007
"... Java has been successful particularly for writing applications in the server environment. However, isolation of multiple applications has not been efficiently achieved in Java. Many customers require that their applications are guarded by independent OS processes, but starting a Java application wit ..."
Abstract
-
Cited by 6 (0 self)
- Add to MetaCart
(Show Context)
Java has been successful particularly for writing applications in the server environment. However, isolation of multiple applications has not been efficiently achieved in Java. Many customers require that their applications are guarded by independent OS processes, but starting a Java application with a new process results in a long sequence of initializations being repeated each time. To date, there has been no way to quickly start a new Java application as an isolated OS process. In this paper, we propose a new isolation approach called Clone-able JVM to eliminate this startup overhead in Java. The key idea is to create a new Java application by copying, or cloning, the already-initialized image of the primary JVM process. Since the clone is already initialized, it can begin actual operations immediately as a new isolated process. This cloning abstraction can support new scenarios for Java, such as user isolation and transaction isolation. We implemented a prototype of the Cloneable JVM by modi-fying a production JVM on Linux, which provides a new API for cloning constructed on the Isolate API defined in JSR 121. Using this cloning API, several Java applications, including a large pro-duction J2EE application server, were modified to demonstrate the isolation scenarios. Evaluations using these prototypes showed that new ready-to-serve Java applications can start up as a new process in less than 5 seconds, which is 4 to 170 times faster than starting these applications from scratch.
XMem: Type-Safe, Transparent, Shared Memory for Cross-Runtime Communication and Coordination
"... Developers commonly build contemporary enterprise applications using type-safe, component-based platforms, such as J2EE, and architect them to comprise multiple tiers, such as a web container, application server, and database engine. Administrators increasingly execute each tier in its own managed r ..."
Abstract
-
Cited by 6 (2 self)
- Add to MetaCart
(Show Context)
Developers commonly build contemporary enterprise applications using type-safe, component-based platforms, such as J2EE, and architect them to comprise multiple tiers, such as a web container, application server, and database engine. Administrators increasingly execute each tier in its own managed runtime environment (MRE) to improve reliability and to manage system complexity through the fault containment and modularity offered by isolated MRE instances. Such isolation, however, necessitates expensive cross-tier communication based on protocols such as object serialization and remote procedure calls. Administrators commonly co-locate communicating MREs on a single host to reduce communication overhead and to better exploit increasing numbers of available processing cores. However, state-of-the-art MREs offer no support for more efficient communication between co-located
An OSEK/VDX-based Multi-JVM for Automotive Appliances
- in Embedded System Design: Topics, Techniques and Trends, ser. IFIP International Federation for Information Processing
, 2007
"... Abstract: The automotive industry has recent ambitions to integrate multiple applications from different micro controllers on a single, more powerful micro controller. The outcome of this integration process is the loss of the physical isolation and a more complex monolithic software. Memory protec ..."
Abstract
-
Cited by 5 (3 self)
- Add to MetaCart
(Show Context)
Abstract: The automotive industry has recent ambitions to integrate multiple applications from different micro controllers on a single, more powerful micro controller. The outcome of this integration process is the loss of the physical isolation and a more complex monolithic software. Memory protection mechanisms need to be provided that allow for a safe co-existence of heterogeneous software from different vendors on the same hardware, in order to prevent the spreading of an error to the other applications on the controller and leaving an unclear responsibility situation. With our prototype system KESO, we present a Java-based solution for robust and safe embedded real-time systems that does not require any hardware protection mechanisms. Based on an OSEK/VDX operating system, we offer a familiar system creation process to developers of embedded software and also provide the key benefits of Java to the embedded world. To the best of our knowledge, we present the first Multi-JVM for OSEK/VDX operating systems. We report on our experiences in integrating Java and an embedded operating system with focus on the footprint and the real-time capabilities of the system.
