Single-language runtime systems, in the form of Java virtual machines, are widely deployed platforms for executing untrusted mobile code. These runtimes provide some of the features that operating systems provide: interapplication memory protection and basic system services. They do not, however, provide the ability to isolate applications from each other. Neither do they provide the ability to limit the resource consumption of applications. Consequently, the performance of current systems degrades severely in the presence of malicious or buggy code that exhibits ill-behaved resource usage. We show that Java runtime systems can be extended to support processes, and that processes can provide robust and efficient support for untrusted applications.We have designed and built KaffeOS, a Java runtime system that provides support for processes. KaffeOS isolates processes and manages the physical resources available to them: CPU and memory. Unlike existing Java virtual machines, KaffeOS can safely terminate processes without adversely affecting the integrity of the system, and it can fully reclaim a terminated process's resources. Finally, KaffeOS requires no changes to the Java language. The novel aspects of the KaffeOS architecture include the application of a user/kernel boundary as a structuring principle for runtime systems, the employment of garbage collection techniques for resource management and isolation, and a model for direct sharing of objects between untrusted applications. The difficulty in designing KaffeOS lay in balancing the goals of isolation and resource management against the goal of allowing direct sharing of objects.For the SpecJVM benchmarks, the overhead that our KaffeOS prototype incurs ranges from 0&percent; to 25&percent;, when compared to the open-source JVM on which it is based. We consider this overhead acceptable for the safety that KaffeOS provides. In addition, our KaffeOS prototype can scale to run more applications than running multiple JVMs. Finally, in the presence of malicious or buggy code that engages in a denial-of-service attack, KaffeOS can contain the attack, remove resources from the attacked applications, and continue to provide robust service to other clients.

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	Godmar Back , Wilson Hsieh, Isolation, resource management and sharing in the kaffeos java runtime system, 2002
	2	David F. Bacon , Ravi Konuru , Chet Murthy , Mauricio Serrano, Thin locks: featherweight synchronization for Java, Proceedings of the ACM SIGPLAN 1998 conference on Programming language design and implementation, p.258-268, June 17-19, 1998, Montreal, Quebec, Canada
	3	Dirk Balfanz , Li Gong, Experience with Secure Multi-Processing in Java, Proceedings of the The 18th International Conference on Distributed Computing Systems, p.398, May 26-29, 1998
	4	Emery D. Berger , Kathryn S. McKinley , Robert D. Blumofe , Paul R. Wilson, Hoard: a scalable memory allocator for multithreaded applications, Proceedings of the ninth international conference on Architectural support for programming languages and operating systems, p.117-128, November 2000, Cambridge, Massachusetts, United States
	5	Hans Bergsten, Javaserver Pages, O'Reilly & Associates, Inc., Sebastopol, CA, 2002
	6	Bernadat, P., Lambright, D., and Travostino, F. 1998. Towards a resource-safe Java for service guarantees in uncooperative environments. In Proceedings of the IEEE Workshop on Programming Languages for Real-Time Industrial Applications (Madrid, Spain). IEEE Computer Society Press, Los Alamitos, Calif., 101--111.
	7	B. N. Bershad , S. Savage , P. Pardyak , D. Becker , M. Fiuczynski , E. G. Sirer, Protection is a software issue, Proceedings of the Fifth Workshop on Hot Topics in Operating Systems (HotOS-V), p.62, May 04-05, 1995
	8	B. N. Bershad , S. Savage , P. Pardyak , E. G. Sirer , M. E. Fiuczynski , D. Becker , C. Chambers , S. Eggers, Extensibility safety and performance in the SPIN operating system, Proceedings of the fifteenth ACM symposium on Operating systems principles, p.267-283, December 03-06, 1995, Copper Mountain, Colorado, United States
	9	Stephen M. Blackburn , Sharad Singhai , Matthew Hertz , Kathryn S. McKinely , J. Eliot B. Moss, Pretenuring for Java, Proceedings of the 16th ACM SIGPLAN conference on Object oriented programming, systems, languages, and applications, p.342-352, October 14-18, 2001, Tampa Bay, FL, USA
	10	James Gosling , Greg Bollella, The Real-Time Specification for Java, Addison-Wesley Longman Publishing Co., Inc., Boston, MA, 2000
	11	Patrick Chan , Doug Kramer , Rosanna Lee, The Java Class Libraries Volume 1: java.io, java.lang, java.math, ,java.net, java.text,,java.util, Addison-Wesley Longman Publishing Co., Inc., Boston, MA, 1998
	12	Jeffrey Scott Chase, An operating system structure for wide-address architectures, University of Washington, Seattle, WA, 1996
	13	Hao Chen , David Wagner, MOPS: an infrastructure for examining security properties of software, Proceedings of the 9th ACM conference on Computer and communications security, November 18-22, 2002, Washington, DC, USA  [doi>10.1145/586110.586142]
	14	Perry Cheng , Robert Harper , Peter Lee, Generational stack collection and profile-driven pretenuring, Proceedings of the ACM SIGPLAN 1998 conference on Programming language design and implementation, p.162-173, June 17-19, 1998, Montreal, Quebec, Canada
	15	Grzegorz Czajkowski, Application isolation in the Java Virtual Machine, Proceedings of the 15th ACM SIGPLAN conference on Object-oriented programming, systems, languages, and applications, p.354-366, October 2000, Minneapolis, Minnesota, United States
	16	Grzegorz Czajkowski , Chi-Chao Chang , Chris Hawblitzel , Deyu Hu , Thorsten von Eicken, Resource management for extensible Internet servers, Proceedings of the 8th ACM SIGOPS European workshop on Support for composing distributed applications, p.33-39, September 1998, Sintra, Portugal  [doi>10.1145/319195.319201]
	17	Grzegorz Czajkowski , Laurent Daynés, Multitasking without comprimise: a virtual machine evolution, Proceedings of the 16th ACM SIGPLAN conference on Object oriented programming, systems, languages, and applications, p.125-138, October 14-18, 2001, Tampa Bay, FL, USA
	18	Grzegorz Czajkowski , Thorsten von Eicken, JRes: a resource accounting interface for Java, Proceedings of the 13th ACM SIGPLAN conference on Object-oriented programming, systems, languages, and applications, p.21-35, October 18-22, 1998, Vancouver, British Columbia, Canada
	19	Drew Dean, The security of static typing with dynamic linking, Proceedings of the 4th ACM conference on Computer and communications security, p.18-27, April 01-04, 1997, Zurich, Switzerland  [doi>10.1145/266420.266428]
	20	D. Dillenberger , R. Bordawekar , C. W. Clark, III , D. Durand , D. Emmes , O. Gohda , S. Howard , M. F. Oliver , F. Samuel , R. W. St. John, Building a Java virtual machine for server applications: the Jvm on 0S/390, IBM Systems Journal, v.39 n.1, p.194-210, January 2000
	21	Tamar Domani , Gal Goldshtein , Elliot K. Kolodner , Ethan Lewis , Erez Petrank , Dafna Sheinwald, Thread-local heaps for Java, Proceedings of the 3rd international symposium on Memory management, June 20-21, 2002, Berlin, Germany
	22	Dorward, S., Pike, R., Presotto, D. L., Ritchie, D. M., Trickey, H., and Winterbottom, P. 1997. The Inferno operating system. Bell Labs Tech. J. 2, 1, 5--18.
	23	Engler, D., Chelf, B., Chou, A., and Hallem, S. 2000. Checking system rules using system-specific, programmer-written compiler extensions. In Proceedings of the 4th Symposium on Operating Systems Design and Implementation (San Diego, Calif.). USENIX Association, 1-- 16.
	24	D. R. Engler , M. F. Kaashoek , J. O'Toole, Jr., Exokernel: an operating system architecture for application-level resource management, Proceedings of the fifteenth ACM symposium on Operating systems principles, p.251-266, December 03-06, 1995, Copper Mountain, Colorado, United States
	25	Matthew Flatt , Robert Bruce Findler, Kill-safe synchronization abstractions, Proceedings of the ACM SIGPLAN 2004 conference on Programming language design and implementation, June 09-11, 2004, Washington DC, USA
	26	Bryan Ford , Mike Hibler , Jay Lepreau , Patrick Tullmann , Godmar Back , Stephen Clawson, Microkernels meet recursive virtual machines, Proceedings of the second USENIX symposium on Operating systems design and implementation, p.137-151, October 29-November 01, 1996, Seattle, Washington, United States
	27	Franz, M. 1997. Beyond Java: An infrastructure for high-performance mobile code on the World Wide Web. In Proceedings of WebNet '97, World Conference of the WWW, Internet, and Intranet, S. Lobodzinski and I. Tomek, Eds. Association for the Advancement of Computing in Education, Toronto, Ont., Canada, 33--38.
	28	David Gay , Alex Aiken, Memory management with explicit regions, Proceedings of the ACM SIGPLAN 1998 conference on Programming language design and implementation, p.313-323, June 17-19, 1998, Montreal, Quebec, Canada
	29	Gorrie, L. 1998. Echidna---A free multiprocess system in Java. http://www.javagroup.org/ echidna/.
	30	Hawblitzel, C., Chang, C.-C., Czajkowski, G., Hu, D., and von Eicken, T. 1998. Implementing multiple protection domains in Java. In Proceedings of the 1998 USENIX Annual Technical Conference (New Orleans, La.). USENIX Association, 259--270.
	31	Chris Hawblitzel , Thorsten von Eicken, Luna: a flexible Java protection system, Proceedings of the 5th symposium on Operating systems design and implementation Due to copyright restrictions we are not able to make the PDFs for this conference available for downloading , December 09-11, 2002, Boston, Massachusetts  [doi>10.1145/1060289.1060325]
	32	Thomas A. Henzinger , Ranjit Jhala , Rupak Majumdar , George C. Necula , Grégoire Sutre , Westley Weimer, Temporal-Safety Proofs for Systems Code, Proceedings of the 14th International Conference on Computer Aided Verification, p.526-538, July 27-31, 2002
	33	Jaeger, T., Liedtke, J., and Islam, N. 1998. Operating system protection for fine-grained programs. In Proceedings of the 7th USENIX Security Symposium (San Antonio, Tex.). USENIX Association, 143--157.
	34	Java Apache Project. 2000. The Apache JServ project. http://java.apache.org/jserv.
	35	Java Community Process. 2003. Jsr 121. http://www.jcp.org/en/jsr/detail?id=121.
	36	James Gosling , Bill Joy , Guy Steele , Gilad Bracha, Java Language Specification, Second Edition: The Java Series, Addison-Wesley Longman Publishing Co., Inc., Boston, MA, 2000
	37	Eric Jul , Henry Levy , Norman Hutchinson , Andrew Black, Fine-grained mobility in the Emerald system, ACM Transactions on Computer Systems (TOCS), v.6 n.1, p.109-133, Feb. 1988  [doi>10.1145/35037.42182]
	38	Jay Lepreau , Mike Hibler , Bryan Ford , Jeffrey Law , Douglas B. Orr, In-Kernel Servers on Mach 3.0: Implementation and Performance, USENIX MACH III Symposium, p.39-56, April 19-21, 1993
	39	Sheng Liang, Java Native Interface: Programmer's Guide and Reference, Addison-Wesley Longman Publishing Co., Inc., Boston, MA, 1999
	40	Sheng Liang , Gilad Bracha, Dynamic class loading in the Java virtual machine, Proceedings of the 13th ACM SIGPLAN conference on Object-oriented programming, systems, languages, and applications, p.36-44, October 18-22, 1998, Vancouver, British Columbia, Canada
	41	Lizt, J. 1999. Oracle JServer Scalability and Performance. http://www.oracle.com/ java/scalability/index.html?testresults_twp.html. Java Products Team, Oracle Server Technologies.
	42	Malkhi, D., Reiter, M. K., and Rubin, A. D. 1998. Secure execution of Java applets using a remote playground. In Proceedings of the 1998 IEEE Symposium on Security and Privacy (Oakland, Calif.). IEEE Computer Society Press, Los Alamitos, Calif., 40--51.
	43	Simon Marlow , Simon Peyton Jones , Andrew Moran , John Reppy, Asynchronous exceptions in Haskell, Proceedings of the ACM SIGPLAN 2001 conference on Programming language design and implementation, p.274-285, June 2001, Snowbird, Utah, United States
	44	Gary McGraw , Edward W. Felten, Java security: hostile applets, holes&antidotes, John Wiley & Sons, Inc., New York, NY, 1997
	45	Microsoft Corporation. 2003. NET web pages. http://msdn.microsoft.com/netframework/.
	46	David Plainfossé , Marc Shapiro, A Survey of Distributed Garbage Collection Techniques, Proceedings of the International Workshop on Memory Management, p.211-249, September 27-29, 1995
	47	David W. Price , Algis Rudys , Dan S. Wallach, Garbage Collector Memory Accounting in Language-Based Systems, Proceedings of the 2003 IEEE Symposium on Security and Privacy, p.263, May 11-14, 2003
	48	David D. Redell , Yogen K. Dalal , Thomas R. Horsley , Hugh C. Lauer , William C. Lynch , Paul R. McJones , Hal G. Murray , Stephen C. Purcell, Pilot: an operating system for a personal computer, Communications of the ACM, v.23 n.2, p.81-92, Feb. 1980  [doi>10.1145/358818.358822]
	49	Ritchie, D. M. and Thompson, K. 1978. The UNIX time-sharing system. The Bell Syst. Tech. J. 57, 6 (July/Aug.), 1905--1930.
	50	Rivest, R. 1992. The MD5 message-digest algorithm. Internet Request for Comments RFC 1321, Internet Network Working Group. April.
	51	Roscoe, T. 1995. The structure of a multi-service operating system. Ph.D. dissertation. Queen's College, University of Cambridge, Cambridge, U.K.
	52	Algis Rudys , Dan S. Wallach, Termination in language-based systems, ACM Transactions on Information and System Security (TISSEC), v.5 n.2, p.138-168, May 2002  [doi>10.1145/505586.505589]
	53	Saraswat, V. 1997. Java is not type-safe. http://matrix.research.att.com/vj/bug.html.
	54	Saulpaugh, T. and Mirho, C. A. 1999. Inside the JavaOS Operating System. The Java Series. Addison-Wesley, Reading, Mass.
	55	Margo I. Seltzer , Yasuhiro Endo , Christopher Small , Keith A. Smith, Dealing with disaster: surviving misbehaved kernel extensions, Proceedings of the second USENIX symposium on Operating systems design and implementation, p.213-227, October 29-November 01, 1996, Seattle, Washington, United States
	56	Jonathan S. Shapiro, Vulnerabilities in Synchronous IPC Designs, Proceedings of the 2003 IEEE Symposium on Security and Privacy, p.251, May 11-14, 2003
	57	Sirer, E., Fiuczynski, M., Pardyak, P., and Bershad, B. 1996. Safe dynamic linking in an extensible operating system. In Proceedings of the 1st Workshop on Compiler Support for System Software (Tucson, Az.). 141--148.
	58	SPEC. 1998. SPEC JVM98 benchmarks. http://www.spec.org/osg/jvm98/.
	59	Bjarne Steensgaard, Thread-specific heaps for multi-threaded programs, Proceedings of the 2nd international symposium on Memory management, p.18-24, October 15-16, 2000, Minneapolis, Minnesota, United States
	60	Darko Stefanović , Kathryn S. McKinley , J. Eliot B. Moss, Age-based garbage collection, Proceedings of the 14th ACM SIGPLAN conference on Object-oriented programming, systems, languages, and applications, p.370-381, November 01-05, 1999, Denver, Colorado, United States
	61	T. Suganuma , T. Ogasawara , M. Takeuchi , T. Yasue , M. Kawahito , K. Ishizaki , H. Komatsu , T. Nakatani, Overview of the IBM Java just-in-time compiler, IBM Systems Journal, v.39 n.1, p.175-193, January 2000
	62	Daniel C. Swinehart , Polle T. Zellweger , Richard J. Beach , Robert B. Hagmann, A structural view of the Cedar programming environment, ACM Transactions on Programming Languages and Systems (TOPLAS), v.8 n.4, p.419-490, Oct. 1986  [doi>10.1145/6465.6466]
	63	Tullmann, P. A. 1999. The Alta operating system. M.S. dissertation, Department of Computer Science, University of Utah.
	64	Tullmann, P., Hibler, M., and Lepreau, J. 2001. Janos: A Java-oriented OS for active network nodes. IEEE J. Sel. Areas Commun. 19, 3 (Mar.), 501--510.
	65	Patrick Tullman , Jay Lepreau, Nested Java processes: OS structure for mobile code, Proceedings of the 8th ACM SIGOPS European workshop on Support for composing distributed applications, p.111-117, September 1998, Sintra, Portugal  [doi>10.1145/319195.319212]
	66	van Doorn, L. 2000. A secure Java virtual machine. In Proceedings of the 9th USENIX Security Symposium (Denver, Col.). USENIX Association, 19--34.
	67	L. Van Doorn , P. Homburg , A. S. Tanenbaum, Paramecium: an extensible object-based kernel, Proceedings of the Fifth Workshop on Hot Topics in Operating Systems (HotOS-V), p.86, May 04-05, 1995
	68	Robert Wahbe , Steven Lucco , Thomas E. Anderson , Susan L. Graham, Efficient software-based fault isolation, Proceedings of the fourteenth ACM symposium on Operating systems principles, p.203-216, December 05-08, 1993, Asheville, North Carolina, United States
	69	Carl A. Waldspurger , William E. Weihl, Lottery and stride scheduling: flexible proportional-share resource management, 1995
	70	Wick, A., Flatt, M., and Hsieh, W. 2002. Reachability-based memory accounting. In Proceedings of the 2002 Scheme Workshop (Pittsburgh, Pa.).
	71	Wilkinson, T. 1996. Kaffe---A Java virtual machine. http://www.kaffe.org/.
	72	Wilkinson, T., Stiemerling, T., Gull, A., Whitcroft, A., Osmon, P., Saulsbury, A., and Kelly, P. 1992. Angel: A proposed multiprocessor operating system kernel. In Proceedings of the European Workshop on Parallel Computing (Barcelona, Spain). 316--319.
	73	Paul R. Wilson, Uniprocessor Garbage Collection Techniques, Proceedings of the International Workshop on Memory Management, p.1-42, September 17-19, 1992
	74	Wind River Systems, Inc. 1995. VxWorks Programmer's Guide. Wind River Systems, Inc., Alameda, Calif.
	75	Wirth, N. and Gutknecht, J. 1992. Project Oberon. ACM, New York.
	76	Karen Zee , Martin Rinard, Write barrier removal by static analysis, Proceedings of the 17th ACM SIGPLAN conference on Object-oriented programming, systems, languages, and applications, November 04-08, 2002, Seattle, Washington, USA