1. Field of the Invention
The present invention relates generally to the control of processes and threads, and more particularly, to the implementation of a virtual machine in a network environment for the efficient control of input/output processes and threads.
2. Discussion of the Related Art
Firewalls are an essential ingredient in a corporate entity's network security plan. Firewalls represent a security enforcement point that separates a trusted network from an untrusted network. FIG. 1 illustrates a generic example of a network security plan that incorporates a firewall system. In this generic example, firewall system 120 is operative to screen all connections between private network 110 and untrusted system 140. These connections are facilitated by Internet network 130. In the screening process, firewall system 120 determines which traffic should be allowed and which traffic should be disallowed based on a predetermined security policy.
One type of firewall system is an application-level gateway or proxy server, which acts as a relay of application-level traffic. Proxy servers tend to be more secure than packet filters. Rather than trying to deal with the numerous possible combinations that are to be allowed and forbidden at the transmission control protocol (TCP) and Internet protocol (IP) level, the proxy server need only scrutinize a few allowable applications (e.g., Telnet, file transfer protocol (FTP), simple mail transfer protocol (SMTP), hypertext transfer protocol (HTTP), etc.). Generally, if the proxy server does not implement the proxy code for a specific application, the service is not supported and cannot be forwarded across the firewall.
As compared to packet screening, proxies can be flexibly applied to generate a customized network security policy. The performance of process and thread-based proxies, however, is well below that of packet screening. One of the primary sources of inefficiency is the proxy's inherent operation within a networking environment. As the very essence of a proxy is network input/output (I/O), frequent blocking of a process or thread can occur. For example, if a network read operation is performed and no data is available, the read operation will block. Similarly, if a network write operation is performed and the buffer is full, the write operation will block.
When a process or thread blocks, the proxy server can switch to a different process or thread. This switch is referred to as a context switch. As can be appreciated, frequent blocking of network read/write operations can result in frequent context switches. A high frequency of context switches will ultimately reduce the number of transactions per second that the proxy server can handle. Accordingly, what is needed is a mechanism for increasing the efficiency of a proxy server.
The present invention addresses the aforementioned needs by providing a software virtual machine mechanism that increases the efficiency of context switching. In an application to the networking environment, the software virtual machine is operative to increase the efficiency of handling input/output (I/O) operations through the improved control of switching between contexts. In accordance with the present invention, the overhead expense of switching between contexts is reduced through the software virtual machine support of restartable instructions. With restartable instructions, the resumption of a previously blocked context will continue at the instruction that had previously blocked.
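The restartable-instruction idea described above can be modeled in a few lines. The following is an added illustration, not code from the patent: the instruction names (READ, WRITE, HALT), the `Context` class and the round-robin `run` scheduler are assumptions, and the socket buffers are constructed in-memory stand-ins.

```python
from collections import deque
BLOCKED, DONE = "blocked", "done"

class Context:
    """One proxy session with its own program counter and buffers."""
    def __init__(self, name, program):
        self.name, self.program = name, program
        self.pc, self.reg = 0, None  # next instruction index, data register
        self.rx = deque()    # constructed stand-in for a socket receive buffer
        self.tx = []         # constructed stand-in for the outbound side

def step(ctx):
    """Run one instruction; pc advances only when the instruction completes."""
    op = ctx.program[ctx.pc]
    if op == "HALT":
        return DONE
    if op == "READ":
        if not ctx.rx:       # no data yet: would block, so leave pc untouched
            return BLOCKED
        ctx.reg = ctx.rx.popleft()
    elif op == "WRITE":
        ctx.tx.append(ctx.reg)
    ctx.pc += 1
    return None

def run(contexts, arrivals):
    """Round-robin over contexts; one (name, data) arrival lands per block."""
    by_name = {c.name: c for c in contexts}
    ready, pending, trace = deque(contexts), deque(arrivals), []
    while ready:
        ctx = ready.popleft()
        status = None
        while status is None:            # run until the context blocks or halts
            status = step(ctx)
        trace.append((ctx.name, ctx.pc, status))
        if status == BLOCKED:
            ready.append(ctx)            # switch away; saved state is just pc/reg
            if pending:
                name, data = pending.popleft()
                by_name[name].rx.append(data)
            elif not any(c.rx for c in ready):
                break                    # no data will ever arrive: stop
    return trace

RELAY = ["READ", "WRITE", "READ", "WRITE", "HALT"]
def demo():
    a, b = Context("A", RELAY), Context("B", RELAY)
    feed = [("B", "b1"), ("A", "a1"), ("A", "a2"), ("B", "b2")]  # constructed
    return run([a, b], feed), a.tx, b.tx
```

Each trace entry records the program counter at the moment a context yields; a blocked READ leaves it pointing at the READ itself, so resumption re-executes that instruction with no stack to save or restore.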