Nested Java processes: OS structure for mobile code
Patrick Tullmann, Jay Lepreau
Proceedings of the 8th ACM SIGOPS European workshop on Support for composing distributed applications, 1998-09-07. DOI: 10.1145/319195.319212 (https://doi.org/10.1145/319195.319212). Citation count (Semantic Scholar): 52.
Abstract

The majority of work on protection in single-language mobile code environments focuses on information security issues and depends on the language environment for solutions to the problems of resource management and process isolation. We believe that what is needed in these environments are not ad-hoc or incremental changes but a coherent approach to security, failure isolation, and resource management. Protection, separation, and control of the resources used by mutually untrusting components, applets, applications, or agents are exactly the same problems faced by multi-user operating systems. We believe that real solutions will come only if an OS model is uniformly applied to these environments. We present Alta, our prototype Java-based system patterned on Fluke, a highly structured, hardware-based OS, and report on its features appropriate to mobile code.

1 Operating System Model Required

In the last European SIGOPS Workshop, our paper [17] argued that the local operating system is an essential foundation for global applications. We described the many demands that a reasonably well functioning distributed system places on the local OS, and particularly emphasized end-system security in the widespread presence of mobile code. The focus of that paper was on making the case for the importance of the local OS, and outlining an appropriate OS for that environment: the Fluke [10] operating system, an OS based on a recursive virtual machine model, analogous to the Cambridge CAP Computer [30], but implemented by a microkernel instead of special hardware.

In this paper we assume that the importance of the local OS to distributed applications is evident.* From that base, we endeavor to make four points concerning platforms for mixed-trust components and mobile code:

(i) A coherent, structured approach is required, driven by a full-blown OS model; language-level patches are not enough.
(ii) Existing security-oriented approaches fall short in resource management.
(iii) Applying an OS model is feasible, based upon our initial experiences with Alta.
(iv) Alta provides features useful for mobile code, including hierarchical resource management and flexible object sharing.

1.1 Application Scenario

In 1997 MCI developed and distributed its Denial of Service Tracker (DoSTracker) [19], after getting their router vendor to add the required interfaces and code to the routers. DoSTracker works as follows. Many denial of service attacks involve generating packets that spoof the IP address of the victim’s host. For example, fabricating broadcast packets will generate a storm of replies to the “sender.” When a customer reports an attack on a particular host, their ISP runs DoSTracker on a machine connected to the victim’s router, giving it the victim’s IP address. DoSTracker hops from router to router, following spoofed broadcast packets “upstream” to the actual source. Problems arise when the path leads into another Internet carrier’s hosts—a different administrative and technical domain—whose routers may well not support the required interfaces.

Similar hard-to-predict problems arise constantly in network management, and solutions are difficult to deploy quickly and almost impossible to standardize. A first step to providing network administrators with a solution to these problems might let them run mobile programs on the routers. This, of course, is one example of an active network [28]. One need not commit to the aggressive vision of active networks—code in any packet—to appreciate the value of supporting mobile code in routers. Network management is an application domain that could greatly profit from mobile code and dynamic composition of mobile components. However, along with the solutions proffered by mobile code there must be strong security guarantees and flexible, hierarchical resource management.

Consider the following realistic Internet-wide scenario of hierarchical trust and proportional-share resource management. MCI reserves 80% of the resources in each of its routers for “real work” (i.e., forwarding packets). The other 20% is available on demand for management functions (such as DoSTracker), mobile code, or agents. 50% of that (i.e., 10% of the total) is reserved for MCI’s own management routines, with the rest available to its customers. However, all customers are not equal, so MCI allocates 50% of that 10% to the 20-odd long-haul Internet carriers, such as Digex or AT&T, and the other 50% to other customers (e.g., ISPs). The 5% allocated to the long-haul Internet carriers could again be split up equally among the carriers—effectively each Internet carrier owns a modest 0.25% of every other carrier’s available bandwidth. Digex manages its portion (on any carrier), allocating half to trusted (to Digex) requests from its own network management, and the other half to Digex customers. See Figure 1. Clearly, a hierarchical, extensible resource management model would provide the ability to recursively refine system allocation. Additionally, a stringent security infrastructure to authenticate and manage the mobile agents in such a system is required.

[Figure 1: Relative Processor Allocation (labels: Forwarding, Management)]

* This research was supported in part by the Defense Advanced Research Projects Agency, monitored by the Department of the Army under contract number DABT63–94–C–0058, and the Air Force Research Laboratory, Rome Research Site, USAF, under agreement number F30602–96–2–0269. The U.S. Government is authorized to reproduce and distribute reprints for Governmental purposes notwithstanding any copyright annotation hereon.
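The recursive refinement in the scenario above, as an added example that is not the paper's or Alta's code: a proportional-share tree in which every node's fraction is relative to its parent, a node is refused any child allocation that would exceed what it owns, and each node's absolute share of the router is computed by walking the tree. Node names and the exact carrier list are constructed from the scenario, not taken from the paper.

```python
from fractions import Fraction

class Node:
    """One principal in the allocation hierarchy; `share` is relative to the parent."""

    def __init__(self, name, share):
        self.name = name
        self.share = Fraction(share)  # exact arithmetic, no float rounding
        self.children = []

    def add(self, name, share):
        """Delegate part of this node's allocation. Rejects over-commitment:
        a node can never hand out more than 100% of what it itself owns."""
        share = Fraction(share)
        already_delegated = sum((c.share for c in self.children), Fraction(0))
        if share <= 0 or already_delegated + share > 1:
            raise ValueError(f"{self.name}: cannot delegate {share}; "
                             f"{1 - already_delegated} of its allocation remains")
        child = Node(name, share)
        self.children.append(child)
        return child

def new_root(name):
    """The whole router: 100% of the resource, refined by its children."""
    return Node(name, 1)

def absolute_shares(node, parent_abs=Fraction(1)):
    """Map every node name to its absolute fraction of the root resource."""
    mine = parent_abs * node.share
    result = {node.name: mine}
    for child in node.children:
        result.update(absolute_shares(child, mine))
    return result

def build_scenario():
    """Constructed from the paper's MCI / long-haul carrier / Digex scenario."""
    router = new_root("router")
    router.add("forwarding", "4/5")                       # 80% real work
    management = router.add("management", "1/5")          # 20% on demand
    management.add("mci-management", "1/2")               # 10% of total
    customers = management.add("customers", "1/2")        # 10% of total
    long_haul = customers.add("long-haul-carriers", "1/2")  # 5% of total
    customers.add("other-customers", "1/2")               # 5% of total
    # 20 long-haul carriers split the 5% equally: 0.25% of the router each.
    carriers = ["digex"] + [f"carrier-{i}" for i in range(1, 20)]
    for name in carriers:
        long_haul.add(name, Fraction(1, 20))
    digex = next(c for c in long_haul.children if c.name == "digex")
    digex.add("digex-management", "1/2")                  # trusted requests
    digex.add("digex-customers", "1/2")
    return router

def scenario_percentages():
    """Absolute shares of the router as percentages (floats, for display)."""
    return {n: float(s * 100) for n, s in absolute_shares(build_scenario()).items()}
```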