Update 11/28/2002: The final version of my dissertation can be found here.

Processes in KaffeOS:
Isolation, Resource Management, and Sharing in Java

Godmar Back, Wilson C. Hsieh, Jay Lepreau
{gback,wilson,lepreau}@cs.utah.edu

September 2000

The Flux Research Group
School of Computing
University of Utah
50 S. Central Campus Drive Rm. 3190
Salt Lake City, Utah 84112-9205

Abstract

Single-language runtime systems, in the form of Java virtual machines, are widely deployed platforms for executing untrusted mobile code. These runtimes provide some of the features that operating systems provide: inter-application memory protection and basic system services. They do not, however, provide the ability to isolate applications from each other, or limit their resource consumption. This paper describes KaffeOS, a Java runtime system that provides these features. The KaffeOS architecture takes many lessons from operating system design, such as the use of a user/kernel boundary, and employs garbage collection techniques, such as write barriers.

The KaffeOS architecture supports the OS abstraction of a process in a Java virtual machine. Each process executes as if it were run in its own virtual machine, including separate garbage collection of its own heap. The difficulty in designing KaffeOS lay in balancing the goals of isolation and resource management against the goal of allowing direct sharing of objects. Overall, KaffeOS is no more than 11% slower than the freely available JVM on which it is based, which is an acceptable penalty for the safety that it provides. Because of its implementation base, KaffeOS is substantially slower than commercial JVMs for trusted code, but it clearly outperforms those JVMs in the presence of denial-of-service attacks or misbehaving code.

Full paper appears in
Proceedings of the 4th Symposium on Operating Systems Design & Implementation, October 2000:

The slides from the OSDI talk are available as: