1. Field of the Invention
The present invention relates generally to computer software. More particularly, the present invention relates to the efficient isolation of applications executing concurrently in a multi-processing environment.
2. Description of the Relevant Art
The growing popularity of the platform-independent programming language Java(trademark) has brought about an increased need for executing multiple Java(trademark) applications co-located on the same computer. Ideally, such applications should be protected from one another. In other words, an application should not be able to corrupt the data of another, and the application should not be able to prevent another application from performing its activities. At the same time, marginal systems resources needed to start new Java(trademark) applications should be as small as possible so that the number of concurrently executing applications can be as high as possible.
One approach to Java(trademark) multiprocessing is to rely on the operating system (OS) for protection. Typically, this means running multiple copies of the Java(trademark) Virtual Machine (JVM), one per application, starting each application in a separate copy of the JVM, which effectively is spawning a new operating system process for each application. This provides a strong process-level separation in that applications are totally isolated from one another (although they can communicate, for instance, via sockets, RMI, etc), but uses large amounts of resources in terms of virtual memory and startup time, and makes inter-application communication expensive. In addition, this approach tends to scale poorly.
A project at the University of Utah resulted in two variants of Java(trademark) operating systems which demonstrate how a process model can be implemented in Java(trademark) and how an underlying OS protection can be exploited for Java(trademark) multiprocessing. See Back, G., Tullmann, P., Stoller, L., Hsieh, W., and Lepreau, J., Java Operating Systems: Design and Implementation, Technical Report UUCS-98-015, Department of Computer Science, University of Utah, August 1998. The first system, GVM, is structured much like a monolithic kernel and focuses on complete resource isolation between processes and on comprehensive control over resources. A GVM process comprises a class loader-based name space, a heap, and a set of threads in that heap. In addition to their own heaps, all processes have access to a special, shared system heap. For every heap, GVM tracks all references leading to other heaps and all references pointing into it. This information is used to implement a form of distributed garbage collection. The CPU management in GVM combines CPU inheritance scheduling with the hierarchy introduced by Java(trademark) thread groups: thread groups within processes may hierarchically schedule the threads belonging to them.
A second variant of a Java(trademark) operating system developed at the University of Utah, Alta, closely models a micro-kernel model with nested processes, in which a parent process can manage all resources available to child processes. Memory management is supported explicitly, through a simple allocator-pays scheme. The garbage collector credits the owning process when an object is eventually reclaimed. Because Alta allows cross-process references, any existing objects are logically added into the parent memory. This makes the parent process responsible for making sure that cross-process references are not created if full memory reclamation is necessary upon process termination. Both GVM and Alta are implemented as considerable modifications to the JVM. Both systems support strong process models: each can limit the resource consumption of processes, but still permit processes to share data directly when necessary.
Advocates of process-based Java(trademark) application separation point out that a failure of one process terminates only this particular application and may potentially affect other applications only through an absence of service. Common wisdom states that processes are more reliable than implementations of JVMs. This reasoning implies that executing multiple applications in a single copy of the JVM puts them at a risk of being abruptly terminated because another application triggers an action, which will cause the whole JVM to go down. However, it does not necessarily have to be so. Processes still execute on top of an underlying operating system, and no major operating system kernel is guaranteed to be bug-free. Ultimately, one trusts software, whether it is an OS or a runtime of a safe language. The reliability issues of the Java(trademark) platform and of an OS kernel are essentially the same. Moreover, safe language has less potential for crashing because of software problems.
The SPIN extensible operating system, written almost entirely in a safe subset of Modula-3, utilizes both hardware and software protection. See Bershad, B., Savage, S., Pardyak, P., Sirer, E., Fiuczynski, M., Becker, D., Eggers, S., and Chambers, C., Extensibility, Safety and Performance in the SPIN Operating System, 15th ACM Symposium on Operating Systems Principles, Copper Mountain, Colo., December 1995. Hardware protection is used to isolate address spaces; software protection protects the OS kernel from extensions. However, it is the view of the SPIN authors that protection is a software issue, and that with a well-designed inter-application isolation in a safe language, there should be no need for hardware protection. See Bershad, B., Savage, S., Pardyak, P., Becker, D., Fiuczynski, M., Sirer, E., Protection is a Software Issue, 5th Workshop on Hot Topics in Operating Systems, Orcas Island, Wash., May 1995.
An alternative approach is to execute applications in the same instance of the JVM. Typically, each application is loaded by a separate class loader. See Liang S., and Bracha, G., Dynamic Class Loading in the Java Virtual Machine, In Proceedings of ACM OOPSLA""98, Vancouver, BC, Canada, October 1998. This code replication is especially wasteful in the presence of just-in-time compilers (JITs). Currently available class loading mechanisms separately compile and separately store the JITed code of each loaded class, regardless of whether the class has already been loaded by another application or not. This can easily lead to significant memory footprints, since, on the average, a byte of bytecode may translate into about five bytes of native code, where the term bytecode refers to compiled. Java(trademark) code. See Cramer, T., Friedman, R., Miller, T., Seberger, D., Wilson, R., and Wolczko, M., Compiling Java Just in Time, IEEE Micro, May/June 1997. Combined with the safety of the language, this approach leads to systems where applications are mostly isolated from one another. The place where the isolation breaks is the interaction of applications through static fields and static synchronized methods of system classes (as they are not subject to per-application replication).
A simple example of a Java(trademark) multiprocessing utilizing class loaders is the class library Echidna. With a reasonable degree of transparency, it allows multiple applications to run inside a single JVM. Applications can cleanly dispose of important resources when they are killed. For example, when a process is killed all its windows are automatically removed.
A more complex example of a class loader based approach to application protection is the J-Kernel. See Hawblitzel, C., Chang, C-C., Czajkowski, G., Hu, D. and von Eicken, T., Implementing Multiple Protection Domains in Java, In Proceedings of USENIX Annual Conference, New Orleans, La., June 1998. The J-Kernel adds protection domains to Java and makes a strong distinction between objects that can be shared between tasks and objects that are confined to a single task. Each domain has its own class loader. The system, written as a portable Java(trademark) library, provides mechanisms for clean domain termination (e.g., no memory allocated by the task is xe2x80x9cleft overxe2x80x9d after it is terminated) and inter-application communication (performed via deep object copies or methods arguments and return values).
Balfanz and Gong designed a multiprocessing JVM in order to explore the use of the Java(trademark) security architecture to protect applications from each other. See Balfanz, D., and Gong, L., Experience with Secure Multi-Processing in Java, Technical Report 560-97, Department of Computer Science, Princeton University, September, 1997. The proposed extensions enhance the standard JVM so that it can support multiprocessing. An important part of the work is clear identification of several areas of the JDK that assume a single-application model.
Two current trends cast doubt on the future usefulness of these two approaches to Java(trademark) multiprocessing. On one end of the computing power spectrum, high-end high throughput servers have to deal with large volumes of concurrently executing Java(trademark) programs. Increasingly, in addition to traditional, large and self-contained applications, smaller entities (e.g., applets, servlets, and JavaBeans(trademark) components) are part of the computation system. The OS-based approach to Java(trademark) multiprocessing is often unacceptable in these settings since it requires allocating large amounts of system resources for starting many copies of the JVM and thus tends to scale very poorly. Using class loaders has the potential for better scaling performance but it also wastes resources on replicating application code when more than one application executes the same program. Indicated isolation inconsistencies make this approach unsafe in general.
On the other end of the spectrum, small-footprint JVMs are emerging which target small devices. They typically lack many features available in fully blown implementations of the JVM available on general-purpose computers. An example is the K Virtual Machine (KVM) from Sun Microsystems, Inc. Since the KVM specification does not require that its implementations provide class loaders, multiprocessing in a single instance of the KVM is possible only when all applications are trusted and guaranteed not to interfere with one another. Process-based multiprocessing using KVM is also problematic since small devices for which it is meant do not necessarily provide a process model with adequate strong application separation guarantees. Another example of a Java(trademark)-based system without an underlying OS process abstraction is JavaOS(trademark).
As stated above, systems offering Java(trademark) multiprocessing can be classified as either based on an underlying operating system, which typically means running one process for each Java(trademark) application, or as using class loaders. However, using operating system processes is expensive, scales poorly, and does not fully exploit the protection features inherent in a safe language. Class loaders replicate application code, obscure the type system, and non-uniformly treat xe2x80x9ctrustedxe2x80x9d and xe2x80x9cuntrustedxe2x80x9d classes, which leads to subtle but nevertheless potentially harmful forms of undesirable inter-application interaction.
One way to achieve multi-tasking in a single processing space is through the use of threads. Multithreaded applications may be written in languages such as C and C++, but writing multithreaded C and C++ applications may be difficult. Furthermore, there are no assurances that third-party libraries are thread-safe. As used herein, xe2x80x9cthread-safexe2x80x9d means that a given library function is implemented in such a manner that it can be safely executed by multiple concurrent threads of execution. Thread-safe programming often relies on xe2x80x9clocksxe2x80x9d or xe2x80x9cmonitors,xe2x80x9d which are used synonymously herein. One major problem with explicitly programmed thread support is that acquiring and releasing the locks needed at the right time tends to be difficult. For example, if a method returns prematurely, or if an exception is raised, and a related lock has not been released, deadlock usually results.
The Java(trademark) Language provides some built-in support for threads. The Java(trademark) library provides a Thread class that supports a rich collection of methods to start a thread, run a thread, stop a thread, and check on a thread""s status. This built-in support for threads provides Java(trademark) programmers with a powerful tool to improve interactive performance of graphical applications. If an application desires to run animations and play music while scrolling the page and downloading a text file from a server, for example, then multithreading provides fast, lightweight concurrency within a single process space. Threads are sometimes referred to as lightweight processes or execution contexts.
Java(trademark) thread support includes a sophisticated set of synchronization primitives based on the widely used monitor and condition variable paradigm introduced twenty years ago by C. A. R. Hoare and implemented in a production setting in Xerox PARC""s Cedar/Mesa system. Java(trademark) supports multithreading at the language (syntactic) level and via support from its run-time system and thread objects. At the language level, Java(trademark) specifies that methods within a class that are declared xe2x80x9csynchronizedxe2x80x9d do not run concurrently. Such methods run under control of monitors to ensure that variables remain in a consistent state. Every class and instantiated object has its own monitor that comes into play if required. When a synchronized method is entered, it acquires a monitor on the current object. The monitor precludes any other synchronized methods in that object from running. When a synchronized method returns by any means, its monitor is released. Other synchronized methods within the same object are then free to run.
While other systems have provided facilities for multithreading (usually via xe2x80x9clightweight processxe2x80x9d libraries), building multithreading support into the language as Java(trademark) has done provides the programmer with a much more powerful tool for easily creating thread-safe multithreaded classes. Other benefits of multithreading are better interactive responsiveness and real-time behavior.
Nonetheless, the built-in support for multithreading in the Java(trademark) Language has its drawbacks. For example, applications may contend for the execution of a static synchronized method. A synchronized method acquires a monitor lock before it executes, and a static method is invoked without reference to a particular object. For a static synchronized method, the lock associated with the class object for the method""s class is used. One application may acquire a lock on a static synchronized method and refuse to release the lock, thereby preventing other applications from invoking the method.
Therefore, an improved system and method for efficiently isolating applications within a single virtual machine are desired.
The problems outlined above are in large part solved by various embodiments of a system and method for isolating the execution of a plurality of applications as disclosed herein. The applications may include applets, servlets, operating system services, components, JavaBeans(trademark), or other suitable executable units or programs. xe2x80x9cApplicationxe2x80x9d and xe2x80x9cprogramxe2x80x9d are herein used synonymously. In one embodiment, the applications are executable in a platform-independent programming environment such as the Java(trademark) environment. In one embodiment, the applications are executable on a single instance of a virtual machine, such as a Java(trademark) Virtual Machine, which is implemented in accordance with a platform-independent virtual machine specification, such as the Java(trademark) Virtual Machine Specification. The plurality of applications may utilize one or more xe2x80x9coriginalxe2x80x9d classes. In other words, the original classes may be shared by a plurality of applications. The general approach taken by the system and method as disclosed herein is to create new classes to replace the original classes in order to isolate the execution of the applications, such that different applications cannot typically access the same static fields. In one embodiment, only one copy of each original class is maintained, regardless of how many applications utilize it. Classes are transparently and automatically modified, so that each application has a separate copy of its static fields. This provides for a minimal collective footprint, with strong application isolation. In addition, this allows class loaders to be removed from the type system.
In one embodiment, one or more static fields are extracted from one or more original classes utilized by any of the plurality of applications, wherein each of the one or more original classes includes at least one static field. In one embodiment, a separate copy of the one or more static fields is created for each of the plurality of applications, wherein each of the separate copies corresponds to one of the plurality of applications. Creating the separate copy of the one or more static fields may include creating a static field class which includes instance fields corresponding to the one or more static fields, wherein each instance of the static field class corresponds to one of the plurality of applications. In one embodiment, one or more access methods for the one or more static fields may be created. The access methods are operable to access the corresponding separate copy of the one or more static fields based upon the identity of the utilizing or calling application. Creating access methods for the one or more static fields may include creating a single access methods class for each original class which includes the access methods for accessing the extracted fields from the original class.
In one embodiment, the method for isolating the execution of the applications is transparent to the utilizing applications. In various embodiments, the extraction of the static fields, creation of the separate copies of the static fields, and creation of the access methods may be performed at run-time or at compilation, and at the source level or the bytecode level. In a further embodiment, the method may be performed upon structures rather than classes, such as in a programming environment that is not object-oriented.
Further optimizations to the method for isolating the execution of the applications may be performed. A set of static fields may be classified as secure for utilization by the plurality of applications without inter-application interference. The secure set of static fields may include final static fields of primitive types, final static strings, immutable arrays of primitive types, and/or other appropriate fields. The secure set of static fields may then be preserved within the one or more classes. In other words, the set of static fields may be exempted from the one or more static fields which are extracted from the one or more classes.