research-article

Ribbons: a partially shared memory programming model

Published: 22 October 2011

Abstract

The need for programs to execute subcomponents in isolation from each other or with lower privileges is prevalent among today's systems. We introduce ribbons: a shared memory programming model that allows for more implicit sharing of memory than processes but is more restrictive than threads. Ribbons structure the heap into protection domains. Privileges between these protection domains are carefully controlled in order to confine computation. We propose RibbonJ, a backwards-compatible extension of Java, to easily create or port programs to use the ribbons model. We study the progress and isolation properties of a subset of the language. Building on JikesRVM we implement ribbons by leveraging existing memory protection mechanisms in modern hardware and operating systems, avoiding the overhead of inline security checks and read or write barriers. We evaluate efficiency via microbenchmarks and the DaCapo suite, observing minor overhead. Additionally, we refactor Apache Tomcat to use ribbons for application isolation, discuss the refactoring's design and complexity, and evaluate performance using the SPECweb2009 benchmark.


        • Published in

          ACM SIGPLAN Notices, Volume 46, Issue 10
          OOPSLA '11
          October 2011
          1063 pages
          ISSN: 0362-1340
          EISSN: 1558-1160
          DOI: 10.1145/2076021

          OOPSLA '11: Proceedings of the 2011 ACM international conference on Object oriented programming systems languages and applications
          October 2011
          1104 pages
          ISBN: 9781450309400
          DOI: 10.1145/2048066

          Copyright © 2011 ACM

          Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

          Publisher

          Association for Computing Machinery

          New York, NY, United States
