Isolation, Resource Management and Sharing in the KaffeOS Java Runtime System

Godmar Back
School of Computing
University of Utah, Salt Lake City, UT 84112

Doctoral Dissertation
May, 2002

Winner of the 2003 ACM SIGPLAN Doctoral Dissertation Award


Single-language runtime systems, in the form of Java virtual machines, are widely deployed platforms for executing untrusted mobile code. These runtimes provide some of the features that operating systems provide: interapplication memory protection and basic system services. They do not, however, provide the ability to isolate applications from each other. Neither do they provide the ability to limit the resource consumption of applications. Consequently, the performance of current systems degrades severely in the presence of malicious or buggy code that exhibits ill-behaved resource usage.

In this dissertation, we show that Java runtime systems can be extended to provide a process model, and that such a process model can provide robust and efficient support for untrusted applications. Processes are an operating system abstraction in which each process executes as if it were run in its own virtual machine. We have designed and prototyped KaffeOS, which is a Java runtime system that provides support for processes. KaffeOS isolates processes and manages the physical resources available to them, in particular: CPU and memory. Each process is given its own heap, which can be separately garbage collected. Unlike existing Java virtual machines, KaffeOS can safely terminate processes without adversely affecting the integrity of the system, and it can fully reclaim a terminated processs resources.

The novel aspects of the KaffeOS architecture include the application of a user/kernel boundary as a structuring principle to runtime systems, the employment of garbage collection techniques for resource management and isolation, and a model for direct sharing of objects between untrusted applications. The difficulty in designing KaffeOS lay in balancing the goals of isolation and resource management against the goal of allowing direct sharing of objects.

We built a prototype of our design and ran the SPEC JVM 98 benchmarks to evaluate its performance for well-behaved applications. We found that for those applications, our KaffeOS prototype is no more than 8% slower than the freely available JVM on which it is based, which is an acceptable penalty for the safety that it provides. At the same time, our KaffeOS prototype can support more applications than a hardware-based approach on the same platform. We demonstrate that in the presence of malicious or buggy code that engages in a denial-of-service attack directed against resources, KaffeOS-based systems can contain the attack, remove resources from the attacked applications, and continue to provide robust service to other clients.

The full thesis is available in PDF format.