Single-language runtime systems, in the form of Java virtual machines, are widely deployed platforms for executing untrusted mobile code. These runtimes provide some of the features that operating systems provide: inter-application memory protection and basic system services. They do not, however, provide the ability to isolate applications from each other, or limit their resource consumption. This paper describes KaffeOS, a system that provides these features for a Java runtime. The KaffeOS architecture takes many lessons from operating system design, such as the use of a user/kernel boundary.

This paper describes the motivation, architecture and performance of a distributed virtual machine (DVM) for networked computers. DVMs rely on a distributed service architecture to meet the manageability, security and uniformity requirements of large, heterogeneous clusters of networked computers. In a DVM, system services, such as verification, security enforcement, compilation and optimization, are factored out of clients and located on powerful network servers. This partitioning of system functionality reduces resource requirements on network clients, improves site security through physical isolation and increases the manageability of a large and heterogeneous network without sacrificing performance. Our DVM implements the Java virtual machine, runs on x86 and DEC Alpha processors and supports existing Java-enabled clients.

The Multitasking Virtual Machine (called from now on simply MVM) is a modification of the Java ™ virtual machine. It enables safe, secure, and scalable multitasking. Safety is achieved by strict isolation of applications from one another. Resource control mechanisms augment security by preventing some denial-ofservice attacks. Improved scalability results from an aggressive application of the main design principle of MVM: share as much of the runtime as possible among applications and replicate everything else. The system can be described as a ‘no compromise ’ approach – all the known APIs and mechanisms of the Java programming language are available to applications. MVM is implemented as a series of carefully tuned modifications to the Java HotSpot ™ virtual machine, including the dynamic compiler. This paper presents the design of MVM, focusing on several novel and general techniques: an in-runtime design of lightweight isolation, an extension of a copying, generational garbage collector to provide best-effort management of a portion of the heap space, and a transparent and automated mechanism for safe execution of user-level native code. MVM demonstrates that multitasking in a safe language can be accomplished with a high degree of protection, without constraining the language, and with competitive performance characteristics.

Abstract not found

Pervasive computing provides an attractive vision for the future of computing. Computational power will be available everywhere. Mobile and stationary devices will dynamically connect and coordinate to seamlessly help users in accomplishing their tasks. However, for this vision to become a reality, developers must build applications that constantly adapt to a highly dynamic computing environment. To make the developers' task feasible, we introduce a system architecture for pervasive computing, called one.world . Our architecture provides an integrated and comprehensive framework for building pervasive applications. It includes a set of services, such as service discovery, checkpointing, migration, and replication, that help to structure applications and directly simplify the task of coping with constant change. We describe the design and implementation of our architecture and present the results of an evaluation, which includes two case studies.

Abstract. NOMADS is a Java-based agent system that supports strong mobility (i.e., the ability to capture and transfer the full execution state of migrating agents) and safe agent execution (i.e., the ability to control resources consumed by agents, facilitating guarantees of quality of service while protecting against denial of service attacks). The NOMADS environment is composed of two parts: an agent execution environment called Oasis and a new Java-compatible Virtual Machine (VM) called Aroma. The combination of Oasis and the Aroma VM provides key enhancements over today’s Java agent environments. 1.

Software-based protection has become a viable alternative to hardware-based protection in systems based on languages such as Java, but the absence of hardware mechanisms for protection has been coupled with an absence of a user/kernel boundary. We show why such a "red line" must be present in order for a Java virtual machine to be as effective and as reliable as an operating system. We discuss how the red line can be implemented using software mechanisms, and explain the ones we use in the Java system that we are building. 1. Introduction A paper that appeared at a previous HotOS [4] stated that "protection is a software issue." This statement is incomplete; we would reword it as "Protection is a software issue, but it is not the only software issue." In particular, issues such as resource control, communication, and termination need to be dealt with in software if hardware protection mechanisms are not present. To date, systems that replace hardware mechanisms with software mechanism...

Many networked applications could benefit from executing closer to the data or services with which they interact. By doing this they may be able to circumvent long communication latencies or avoid transferring data over congested or expensive network links. However, no public infrastructure currently exists that enables this. We propose a system that can execute code supplied by an untrusted user, yet can charge this user for all resources consumed by the computation. Such servers could be deployed at strategic locations throughout the Internet, enabling network users such as content providers to distribute components of their applications in a manner that is both efficient and economical. We call such a server a Xenoserver 1 . This paper discusses the construction of such a system, examining how accounting, billing, and quality of service provision can be achieved. 1. Introduction It is increasingly recognised that the prevailing model of computation for networked applications is ...

This paper presents a sound type system for a large subset of the Java bytecode language including classes, interfaces, constructors, methods, exceptions, and bytecode subroutines. This work serves as the foundation for developing a formal specification of the bytecode language and the Java Virtual Machine's bytecode verifier. We also describe a prototype implementation of a type checker for our system and discuss some of the other applications of this work. For example, we show how to extend our work to examine other program properties, such as the correct use of object locks. 1 Introduction The bytecode language, which we refer to as JVML, is the platform independent representation of compiled Java programs. In order to prevent devious applets from causing security problems stemming from type errors, the Java Virtual Machine bytecode verifier performs a number of consistency checks on bytecode before it is executed [LY96]. This paper presents a type system that may serve as the fou...

. Existing research into active networking has addressed the design and evaluation of programming environments. Testbeds have been implemented on traditional operating systems, deferring issues regarding resource control. This paper describes the architecture, resource models and prototype implementation of the Resource Controlled Active Network Environment (Rcane). Rcane supports an active network programming model over the Nemesis Operating System, providing robust control and accounting of system resources, including CPU and I/O scheduling, and garbage collection overhead. It is thus resistant to many classes of denial of service (DoS) attack. 1 Introduction Adding programmability to a network greatly increases its flexibility. However, with this flexibility comes greater complexity in the ways that network resources, including CPU, memory and bandwidth, may be consumed by end-users. In a traditional network, the resources consumed by an end-user at a network node are rou...