6/12/20011 KaffeOS: Isolation, Resource Management and Sharing in Java Godmar Back School of...

6/12/2001 1

KaffeOS: Isolation, Resource Management and Sharing in Java

Godmar Back

School of Computing

University of Utah

Dissertation Defense

Dissertation Defense 6/12/2001 2

Motivation

Java is widely used– Examples: applets, servlets, Enterprise Java Beans, mobile

agents, active packets, database procedures

– Untrusted code: possibly malicious or buggy

– Multiple applications on behalf of multiple users

Primary motivation Want to provide robust environment for these applications

Secondary motivation– Make efficient use of resources; increase scalability

– Run on “small” systems (handhelds, embedded systems)


Java Applications

Applet / Agent / Servlet / Database Procedure …

JVM

Base OS

This work is about system structure.


Current Options

- Single JVM with ad-hoc layer

- Efficient sharing

App1 App2 App3

Ad hoc layer

Base OS

JVM

App1 App2 App3

JVM JVM JVM

Base OS

- Multiple JVMs- Strong isolation

- Good resource management


Java Operating System

App1 App2 App3 App4

Java OS

Base OS

+ Good isolation

+ Good resource management

+ Efficient sharing

requires process model


Outline

The Case for KaffeOS KaffeOS’s Design

– Isolation and Safe Termination

– Memory Management

– Interprocess Communication

– Flexible Resource Management

Experimental Evaluation Related Work Future Work and Conclusion


KaffeOS Core Ideas

To provide KaffeOS uses

Isolation and Safe Termination

Red Line

Memory Management Separate Heaps

Interprocess Communication

Shared Heaps

Flexible Resource Management

Hierarchical Resource Framework


The Red Line in Hardware-based OS

MMU prevents access to kernel data structures in user mode

System calls enter kernel mode

Cheriton 1994


The Red Line for Safe Termination

Isolation of applications and system: user/kernel boundary

– Kernel classes must not be corrupted

– Termination is deferred while inside kernel code

– All exceptional situations are handled in kernel code

NB: different from built-in synchronize


class Queue {synchronized Object get();synchronized void put(Object);

}Queue producer, consumer;

void run () {while (!done) {

Object obj = producer.get();consumer.put(obj);

}}

Producer/Consumer Example– Invariant: all produced items are consumed

Guaranteeing Consistency

Kernel.enter();

Kernel.leave();


Red Line in KaffeOS

User/kernel dimension is different from trust dimension:

UserGC

SystemGC

User code (untrusted)

Kernel code (trusted)

Runtime Libs (trusted)

Finalization

User

Kernel

User mode Kernel mode

Trusted Runtime code Kernel code

Untrusted User code


Outline








1. Limit memory use of processes

2. Fully reclaim processes’ memory after termination

3. Garbage collect processes individually

Memory Management: Goals


Single Heap (Conventional JVM)

ReferenceObject


Separate Heaps

Kernel Heap

User Heaps

Goal 1: Limit memory use


Reclaiming Memory

References can make objects unreclaimable

Hardware-based OSMMU maps virtual memory

OS manages physical pages

Java runtime systemNo MMU

Garbage Collector frees unreachable objects


Legal and Illegal References

Legal reference

Illegal reference

Goal 2: Full reclamation


Preventing Illegal References

Use GC write barriers– Technique used in incremental and generational collection

Intercept each write, check heaps– Throw SegmentationViolationError if illegal

– Only PUTFIELD, PUTSTATIC, and AASTORE bytecode instructions have to be checked

Small cost on legal write (common case)


Use of Entry and Exit Items

Entry Item

n

n n

x

x

xx

Exit Item

RefCount1

12

Goal 3: Separate Collection


Collecting Cycles

Merge heaps upon termination into kernel heap


Outline








IPC: Direct Sharing

Alternatives:– No sharing (copy between processes)

– Indirect sharing (use proxy objects or surrogates)

Objects contain direct pointers to shared objects– Preserve Java model

Should not compromise accurate accounting or full reclamation!


Shared Heaps

Legal reference

Illegal reference

User Heap

Kernel Heap

Shared Heap

User Heap


Shared Heaps: Model

Accounting of shared objects– Shared heap’s size is fixed after creation

– Sharers are all charged for shared heaps: double charging

Reclamation– As soon as garbage collector detects that nothing on shared heap

is referenced

Restrictions on programming model– Cannot allocate new objects after heap is frozen

– Cannot have references to user heaps


Shared Heaps: Trie Examplepackage shared;

class Trie {

static class TrieNode { final static int WIDTH = 96; TrieNode [] children = new TrieNode[WIDTH]; boolean eow = false; }

private TrieNode root; private int maxlength;

Trie(Reader r) throws IOException { … }

public void dump(PrintStream s) { … }

public boolean lookup(String s) { … }

}

import shared.Trie;

Shared sh = Shared.registerClass("shared.Trie", 1);

Trie trie = (Trie) sh.getObject(0);

… trie.lookup(“aback”);

A

A BC

A

BC

A

R

O

N

K

F

T

A


Outline








Hierarchical Resource Framework

Resource API to allow for different policies

Hierarchical management

Work-conserving


CPU and Memory Allocation

Memory– Must not require partitioning

– Soft limits: Limit overall use, allow temporary use of surplus memory

– Hard limits: Provide memory guarantees if desired

CPU– Stride-scheduling for processes as a whole

– Priority-based scheduler for threads in process


Outline

The Case for KaffeOS KaffeOS’s Design Experimental Evaluation

– Performance for well-behaved code

– Performance for adverse loads

Related Work Future Work and Conclusion


Performance for Well-behaved Code

Baseline performance Write barrier overhead

– Microbenchmarks

– SpecJVM98 benchmarks

Compared against– Base JVM: Kaffe (Kaffe00 from June 2000, www.kaffe.org)

– IBM JDK 1.1.8 – fastest industrial 1.1 JVM

Microbenchmarks– Instruction cost:

» 11 cycles minimum with one word overhead per object, 43 cycles minimum with no memory overhead


SpecJVM Performance of KaffeOS

0

10

20

30

40

50

60

70

compress jess db javac mpegaudio mtrt jack

Ru

nti

me

in S

ec

on

ds

IBM JDK 1.1.8Kaffe 2000KaffeOS (fake heap pointer)KaffeOS (heap pointer)KaffeOS (no heap pointer)KaffeOS (no write barrier)


Write Barrier Counts

Benchmark

Dynamic Count

(millions)

Write BarrierOverhead (Best-case)

for No Heap Pointer

Conservative upper bound for

IBM JDK

compress 0.47 -0.5% (0.0%) 0.7%

jess 7.94 -1.1% (1.0%) 10.5%

db 30.09 2.5% (3.8%) 8.1%

javac 20.78 5.6% (2.5%) 7.3%

mpegaudio 5.51 -1.4% (0.8%) -1.7%

mtrt 3.06 0.3% (0.5%) -0.2%

jack 19.90 3.4% (1.9%) 14.1%


Outline

The Case for KaffeOS KaffeOS’s Design Experimental Evaluation

– Performance for well-behaved code

– Performance for adverse loads

Related Work Future Work and Conclusion


Performance for adverse loads

DOS Scenarios against– Memory

– CPU

– Garbage collector

KaffeOS – is more robust

– delivers more effective service

– improves performance under adverse loads


DoS Scenario

Servlet Engine: Apache 1.3.12, JServ 1.1, JSDK 2.0

Some number of “good” servlets Plus one MemoryHog servlet

– Allocate lots of memory

– Try to crash/tie up JVM

How would we deal with this?– Run 1 servlet per IBM JVM (IBM/1)

– Run all servlets on one IBM JVM (IBM/n)

– Run each servlet in a KaffeOS process


Service Under DoS Attack

0

5000

10000

15000

20000

25000

0 10 20 30 40 50 60 70 80

Number of servlets

Su

cces

sfu

l req

ues

ts in

30

seco

nd

inte

rval

IBM/1

IBM/n

KaffeOS

IBM/1+MemHog

IBM/n+MemHog

KaffeOS+Memhog


MemHog Stresstest

Memory Consumption

0

1

2

3

4

5

6

7

8

9

0 50 100 150 200 250 300 350 400 450 500 550 600 650 700 750 800 850 900 950

# of MemHogs killed

Me

mo

ry U

sa

ge

in M

B

overall bytes allocated

bytes on kernel heap

y = 31.5 x + 7,926,291

y = 31.5 x + 5,623,933


CPU Denial of Service Scenario

Problem: cannot tell a CPU denial-of-service attack from a process doing useful work

Instead: ensure that processes obtain their share when runnable

Allow for manipulation of shares to reflect user priorities

MD5 Servlet computes MD5 hash sum over /usr/dict/word for each request

– Requests/sec is measure of service


CpuHog Scenario

0

2

4

6

8

10

12

14

16

18

20

0 10 20 30 40 50 60 70 80 90 100 110 120 130Time in Seconds

MD

5 C

om

pu

tati

ons

per

Sec

ond

CpuHog

MD5-Servlet A

MD5-Servlet B

MD5-Servlet C

CpuHog starts

CpuHog's share minimized Servlet C's shares increased


GarbageHog Scenario

0

2

4

6

8

10

12

14

16

18

20

0 10 20 30 40 50 60 70 80 90 100 110 120 130Time in Seconds

MD

5 C

om

pu

tati

on

s p

er

Se

co

nd

GarbageHog

MD5-Servlet A

MD5-Servlet B

MD5-Servlet C

GarbageHog starts

GarbageHog's share minimizedServlet C's shares increased


Outline

The Case for KaffeOS KaffeOS’s Design Experimental Evaluation Related Work Future Work and Conclusion


Related Java Work

Java VMs– Multi-processing JVM [Balfanz 98]

– J-Kernel [Hawblitzel et al. 98]

– Alta [Tullmann 99]

– IBM OS/390 JVM [Dillenberger 00]

– MVM [Czajkowski 01]

– JSR 121

Java Language Extensions– Luna [Hawblitzel 99]

Java Realtime Extensions– Realtime Working Group [Sun et al. 00]


Related OS Work

Single-address-space OS– Opal [Chase et al. 94]

Single-language OS– Pilot [Redell et al. 80]

– Cedar [Swineheart et al. 86]

– Inferno [Dorward et al. 97]

Extensible OS– SPIN [Bershad et al. 95]


Outline

The Case for KaffeOS KaffeOS’s Design Experimental Evaluation Related Work Future Work and Conclusion


Future Work

JanosVM (ongoing)– Java operating system for active network node

Integration in higher-performing JVM– More accurate evaluation of costs and benefits

Static analysis using meta-level compilation– Ensure properties about user/kernel mode, shared and reloaded

classes etc. statically

Automatic user-level sharing


Contributions

Operating system principles apply to language runtime systems

– Architectural concept: user/kernel boundary

Software mechanisms can be used to implement full isolation of processes in a Java virtual machine

– GC mechanisms: write barriers, distributed GC techniques

KaffeOS demonstrates how to reconcile isolation, resource management and sharing

– Can stop resource-based denial-of-service attacks with small penalty for well-behaved code


Acknowledgments

Wilson Hsieh

Patrick Tullmann Jason Baker Tim Stack

Jay Lepreau and rest of Flux group for support and feedback on earlier papers


The End

Time for more Questions

Date post:	21-Dec-2015
Category:	Documents
View:	213 times
Download:	0 times

6/12/20011 KaffeOS: Isolation, Resource Management and Sharing in Java Godmar Back School of...

Documents