Designing and Implementing a Secure, Portable, and Efficient Mobile Agent Kernel: The J-SEAL2 Approach

Dissertation / Doktorarbeit von Walter Binder

Abstract:

Even though the benefits of mobile agents have been highlighted in numerous research works, mobile agent applications are not in widespread use today.

For the success of mobile agent applications, secure, portable, and efficient execution platforms for mobile agents are crucial. However, available mobile agent systems do not meet the high security requirements of commercial applications, are not portable, or cause high overhead.

Currently, the majority of mobile agent platforms is based on Java. These systems simply rely on the security facilities of Java, although the Java security model is not suited to protect agents and service components from each other.

Above all, Java is lacking a concept of strong protection domains that could be used to isolate agents.

The J-SEAL2 mobile agent system extends the Java environment with a model of strong protection domains.

The core of the system is a micro-kernel fulfilling the same functions as a traditional operating system kernel: Protection, communication, domain termination, and resource control. For portability reasons, J-SEAL2 is implemented in pure Java. J-SEAL2 provides an efficient communication model and offers good scalability and performance for large-scale applications. This thesis explains the key concepts of the J-SEAL2 micro-kernel and how they are implemented in Java.

Table of Contents:

1	Overview	5
1.1	Introduction	5
1.2	Mobile Agent Systems in Java	8
1.3	J-SEAL2 System Structure	10
1.4	J-SEAL2 Security Properties	12
2.	Related Work	14
2.1	Java Operating Systems	14
2.1.1	JavaSeal	14
2.1.2	KaffeOS	16
2.1.3	Alta	16
2.1.4	J-Kernel	17
2.1.5	Luna	17
2.1.6	NOMADS	17
2.2	Resource Control in Java	18
2.2.1	Jres	18
2.2.2	Real-time Extensions for Java	18
2.2.3	Java Profilers	19
2.2.4	Economic Models	19
3.	Protection Domains	21
3.1	Introduction	21
3.2	Kernel Code	21
3.2.1	Requirements	22
3.2.2	Implementation Issues	23
3.3	Protection	24
3.3.1	Requirements	24
3.3.2	Implementation Issues	26
3.3.2.1	Class-loading	26
3.3.2.2	Extended Bytecode Verification	26
3.4	Domain Termination	28
3.4.1	Requirements	28
3.4.2	Implementation Issues	29
4.	Communication	31
4.1	Introduction	31
4.2	Channels	32
4.3	Limitations of Channels	32
4.4	External References	33
4.4.1	Terminology	34
4.4.2	Properties of External References	35
4.4.3	Examples of External References	39
4.5	Implementation Issues	40
4.6	Inter Agent Method Calling (IAMC)	41
4.7	Evaluation	43
5.	Resource Control	45
5.1	Introduction	45
5.2	Objectives and Resulting Model	46
5.2.1	Portability and Transparency	48
5.2.2	Minimal Overhead for Trusted Domains	49
5.2.3	Support for Resource Sharing	49
5.2.4	Managed Resources	49
5.3	API	51
5.3.1	Definitions	51
5.3.2	Class Res	52
5.3.3	Class ResSet	54
5.3.4	Class Seal	55
5.3.5	Example	56
5.4	Implementation Issues	56
5.4.1	No Direct Sharing	57
5.4.2	Bytecode Rewriting	57
5.4.3	Domain Types	58
5.4.4	Accounting Objects	58
5.4.5	Callbacks from Native Code	60
5.4.6	Shared Classes	61
5.4.7	Optimizations	62
5.4.8	Rewriting Abstract Methods	63
5.4.9	Memory Control	64
5.4.9.1	Heap	64
5.4.9.2	Stack	65
5.4.10	CPU Control	66
5.4.10.1	Class CPUAccount	66
5.4.10.2	Scheduler	67
5.4.10.3	Rewriting Algorithm	69
5.4.10.4	Optimizations	71
5.4.11	Accounting for Garbage Collection	73
5.4.12	Compensating for Native Code	74
5.5	Evaluation	75
6.	Conclusion	80
6.1	State of Implementation	80
6.2	Future Work	82
6.3	Summary	83