Nested Java processes: OS structure for mobile code

The majority of work on protection in single-language mobile code environments focuses on information secu- rity issues and depends on the language environment for solutions to the problems of resource management and process isolation. We believe that what is needed in these environments are not ad-hoc or incremental changes but a coherent approach to security, failure isolation, and re- source management. Protection, separation, and control of the resources used by mutually untrusting components, applets, applications, or agents are exactly the same prob- lems faced by multi-user operating systems. We believe that real solutions will come only if an OS model is uni- formly applied to these environments. We present Alta, our prototype Java-based system patterned on Fluke, a highly structured, hardware-based OS, and report on its features appropriate to mobile code. 1 Operating System Model Required In the last European SIGOPS Workshop, our paper (17) argued that the local operating system is an essential foun- dation for global applications. We described the many de- mands that a reasonably well functioning distributed sys- tem places on the local OS, and particularly emphasized end-system security in the widespread presence of mobile code. The focus of that paper was on making the case for the importance of the local OS, and outlining an appropri- ate OS for that environment: the Fluke (10) operating sys- tem, an OS based on a recursive virtual machine model, analogous to the Cambridge CAP Computer (30), but im- plemented by a microkernel instead of special hardware. In this paper we assume that the importance of the local This research was supported in part by the Defense Advanced Re- search Projects Agency, monitored by the Department of the Army under contract number DABT63-94-C-0058, and the Air Force Re- search Laboratory, Rome Research Site, USAF, under agreement num- ber F30602-96-2-0269. The U.S. Government is authorized to repro- duce and distribute reprints for Governmental purposes notwithstanding any copyright annotation hereon. OS to distributed applications is evident. From that base, we endeavor to make four points concerning platforms for mixed trust components and mobile code: