Doctoral Dissertation
May, 2002
In this dissertation, we show that Java runtime systems can be extended to provide a process model, and that such a process model can provide robust and efficient support for untrusted applications. Processes are an operating system abstraction in which each process executes as if it were run in its own virtual machine. We have designed and prototyped KaffeOS, which is a Java runtime system that provides support for processes. KaffeOS isolates processes and manages the physical resources available to them, in particular: CPU and memory. Each process is given its own heap, which can be separately garbage collected. Unlike existing Java virtual machines, KaffeOS can safely terminate processes without adversely affecting the integrity of the system, and it can fully reclaim a terminated processs resources.
The novel aspects of the KaffeOS architecture include the application of a user/kernel boundary as a structuring principle to runtime systems, the employment of garbage collection techniques for resource management and isolation, and a model for direct sharing of objects between untrusted applications. The difficulty in designing KaffeOS lay in balancing the goals of isolation and resource management against the goal of allowing direct sharing of objects.
We built a prototype of our design and ran the SPEC JVM 98 benchmarks to evaluate its performance for well-behaved applications. We found that for those applications, our KaffeOS prototype is no more than 8% slower than the freely available JVM on which it is based, which is an acceptable penalty for the safety that it provides. At the same time, our KaffeOS prototype can support more applications than a hardware-based approach on the same platform. We demonstrate that in the presence of malicious or buggy code that engages in a denial-of-service attack directed against resources, KaffeOS-based systems can contain the attack, remove resources from the attacked applications, and continue to provide robust service to other clients.