The boundary between application and system is becoming increasingly
permeable. Extensible applications, such as web browsers, database
systems, and operating systems, demonstrate the value of allowing
end-users to extend and modify the behavior of what was formerly
considered to be a static, inviolate system. Unfortunately,
flexibility often comes with a cost: systems unprotected from
misbehaving end-user extensions are fragile and prone to instability.

Object-oriented programming models are a good fit for the development
of this kind of system. An extension can be designed as a refinement
to an existing class and loaded into a running system. In our
model, when code is downloaded into the system, it is used to replace
a virtual function on an existing C++ object. Because our tool is
source-language-neutral, it can be used to build safe, extensible
systems written in other languages as well.

There are three methods commonly used to make end-user extensions
safe: restrict the extension language (e.g., Java), interpret the
extension language (e.g., Tcl), or combine run-time checks with a
trusted environment. The third technique is the one discussed here;
it offers the twin benefits of the flexibility to implement extensions
in an unsafe language, such as C++, and the performance of compiled
code.

MiSFIT, the Minimal i386 Software Fault Isolation Tool, can be used
as a component of a tool set for building safe extensible systems
in C++. MiSFIT transforms C++ code, compiled by the GNU C++ compiler,
into safe binary code. Combined with a runtime support library,
the overhead of MiSFIT is an order of magnitude lower than the
overhead of interpreted Java, and permits safe extensible systems
to be written in C++.
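The "run-time checks plus trusted environment" approach above is software fault isolation: a rewriter inserts a guard before every store so that the extension can only write inside its own memory segment, and the trusted host supplies the segment and the runtime library. The following C program is an added illustration of that guard in its classic address-masking form; it is not MiSFIT's code and does not show MiSFIT's actual i386 rewrite. The segment size, its alignment, the `sandbox_addr` helper and the "wild extension" are all constructed for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed: a 4 KiB extension segment, aligned to its own size so
 * every address inside it shares the same high bits.  A real SFI loader
 * picks the size and alignment at load time; here they are constants. */
#define SEG_BITS 12
#define SEG_SIZE ((size_t)1 << SEG_BITS)
#define SEG_MASK ((uintptr_t)SEG_SIZE - 1)

static _Alignas(4096) uint8_t segment[SEG_SIZE];
static uint8_t victim[64];   /* host memory the extension must never touch */

/* The guard an SFI rewriter would emit before each store: keep only the
 * low SEG_BITS of the target address and OR in the segment base.  Any
 * address already inside the segment is unchanged; any other address is
 * folded back into the segment instead of escaping it. */
static uint8_t *sandbox_addr(uint8_t *p) {
    uintptr_t base = (uintptr_t)segment;          /* low SEG_BITS are zero */
    return (uint8_t *)(base | ((uintptr_t)p & SEG_MASK));
}

/* Store through the masked address only: this is the "safe" store. */
static void sandboxed_store(uint8_t *p, uint8_t v) {
    *sandbox_addr(p) = v;
}

/* Store through the raw pointer: what an unrewritten extension does. */
static void unsandboxed_store(uint8_t *p, uint8_t v) {
    *p = v;
}

/* Constructed misbehaving extension: it holds a pointer into host memory
 * (a bug or an attack) and writes through it.  Returns 1 if the host's
 * `victim` is clobbered, i.e. the write was not isolated. */
int wild_extension_unsandboxed(void) {
    memset(victim, 0, sizeof victim);
    unsandboxed_store(victim + 10, 0xAA);
    return victim[10] == 0xAA;
}

/* Same extension after rewriting.  Returns 1 if `victim` is untouched and
 * the write landed inside the extension's own segment, 0 otherwise. */
int wild_extension_sandboxed(void) {
    memset(segment, 0, sizeof segment);
    memset(victim, 0, sizeof victim);
    uint8_t *wild = victim + 10;                 /* out-of-segment target */
    sandboxed_store(wild, 0xAA);
    uint8_t *landed = sandbox_addr(wild);
    int in_segment = landed >= segment && landed < segment + SEG_SIZE;
    return victim[10] == 0 && in_segment && *landed == 0xAA;
}

/* Addresses that are already inside the segment must pass through the
 * guard unchanged, otherwise correct extensions would break.
 * Returns 1 if every sampled in-segment address is preserved. */
int in_segment_addresses_unchanged(void) {
    for (size_t i = 0; i < SEG_SIZE; i += 97) {
        if (sandbox_addr(segment + i) != segment + i) return 0;
    }
    return 1;
}

int main(void) {
    printf("unsandboxed store reaches host memory: %d\n",
           wild_extension_unsandboxed());
    printf("sandboxed store confined to segment:   %d\n",
           wild_extension_sandboxed());
    printf("in-segment addresses preserved:        %d\n",
           in_segment_addresses_unchanged());
    return 0;
}
```

Two caveats a practitioner should keep in mind. Masking confines a wild store rather than trapping it, so a buggy extension silently corrupts its own segment instead of crashing; a compare-and-trap guard gives a diagnosable fault at a higher per-store cost. And a multi-byte store whose first byte is the last byte of the segment still spills past the end, which is why real SFI tools pad each segment with an unmapped guard zone.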