Results 1 - 7 of 7
Processes in KaffeOS: Isolation, Resource Management, and Sharing in Java
- In Proceedings of the 4th Symposium on Operating Systems Design and Implementation, 2000
Cited by 70 (8 self)
Single-language runtime systems, in the form of Java virtual machines, are widely deployed platforms for executing untrusted mobile code. These runtimes provide some of the features that operating systems provide: inter-application memory protection and basic system services. They do not, however, provide the ability to isolate applications from each other, or limit their resource consumption. This paper describes KaffeOS, a system that provides these features for a Java runtime. The KaffeOS architecture takes many lessons from operating system design, such as the use of a user/kernel boundary.
C--: A Portable Assembly Language That Supports Garbage Collection
- In International Conference on Principles and Practice of Declarative Programming, 1999
Cited by 62 (19 self)
For a compiler writer, generating good machine code for a variety of platforms is hard work. One might try to reuse a retargetable code generator, but code generators are complex and difficult to use, and they limit one's choice of implementation language. One might try to use C as a portable assembly language, but C limits the compiler writer's flexibility and the performance of the resulting code. The wide use of C, despite these drawbacks, argues for a portable assembly language. C-- is a new language designed expressly for this purpose. The use
Java operating systems: Design and implementation
- 1998
Cited by 48 (5 self)
Language-based extensible systems such as Java use type safety to provide memory safety in a single address space. Memory safety alone, however, is not sufficient to protect different applications from each other. Such systems must support a process model that enables the control and management of computational resources. In particular, language-based extensible systems must support resource control mechanisms analogous to those in standard operating systems. They must support the separation of processes and limit their use of resources, but still support safe and efficient interprocess communication. We demonstrate how this challenge can be addressed in Java operating systems. First, we describe the technical issues that arise when implementing a process model in Java. In particular, we lay out the design choices for managing resources. Second, we describe the solutions that we are exploring in two complementary projects, Alta and GVM. GVM is similar to a traditional monolithic kernel, whereas Alta closely models the Fluke operating system. Features of our prototypes include flexible control of processor time using CPU inheritance scheduling, per-process memory controls, fair allocation of network bandwidth, and execution directly on hardware using the OSKit. Finally, we compare our prototypes with other language-based operating systems and explore the tradeoffs between the various designs.
Techniques for the Design of Java Operating Systems
- In Proceedings of the 2000 Usenix Annual Technical Conference, 2000
Cited by 29 (3 self)
Language-based extensible systems, such as Java Virtual Machines and SPIN, use type safety to provide memory safety in a single address space. By using software to provide safety, they can support more efficient IPC. Memory safety alone, however, is not sufficient to protect different applications from each other. Such systems need to support a process model that enables the control and management of computational resources. In particular, language-based extensible systems should support resource control mechanisms analogous to those in standard operating systems. They need to support the separation of processes and limit their use of resources, but still support safe and efficient IPC. We demonstrate how this challenge is being addressed in several Java-based systems. First, we lay out the design choices when implementing a process model in Java. Second, we compare the solutions that have been explored in several projects: Alta, K0, and the J-Kernel. Alta closely models the Fluke oper...
Isolation, Resource Management and Sharing in the KaffeOS Java Runtime System
- 2002
Cited by 1 (0 self)
Single-language runtime systems, in the form of Java virtual machines, are widely deployed platforms for executing untrusted mobile code. These runtimes provide some of the features that operating systems provide: interapplication memory protection and basic system services. They do not, however, provide the ability to isolate applications from each other. Neither do they provide the ability to limit the resource consumption of applications. Consequently, the performance of current systems degrades severely in the presence of malicious or buggy code that exhibits ill-behaved resource usage.
Security Architectures
this report, we will focus on the security architectures for pervasive computing environments. We will examine two approaches to the security of "smart home" [1, 2]. Although a "smart home" isn't so pervasive, the large scale pervasive environments haven't come into the reality yet and the ideas and models of small pervasive environments may be extended and generalized to huge ones
High-Assurance Common Language Runtime
API, but in practice this guarantee is only as strong as the implementation of the native libraries, the verifier, and the just-in-time (JIT) compiler. Experience has shown that bugs in the native interface, verifier, or JIT can lead to new system vulnerabilities and can be used by attackers to bypass protection measures. We plan to extend and apply our work on proof-carrying code to build higher-assurance, validated implementations of the JVM or CLR infrastructure. 3. Certified libraries with application-specific properties. We will extend our CLR or JVM implementation to support not only simple type safety but also more advanced properties such as resource bounds on memory and network bandwidth, consistent metadata protocols, generalized access control, and proper coordination of concurrent components. These application-specific properties are crucial for principled interoperation between large-scale systems. We'll build certified libraries and develop new technologies for specifyi

