Garbage Collector Memory Accounting in Language-Based Systems

Authors: David Price
Algis Rudys
Dan S. Wallach
Abstract: Language run-time systems are often called upon to safely execute mutually distrustful tasks within the same runtime, protecting them from other tasks' bugs or otherwise hostile behavior. Well-studied access controls exist in systems such as Java to prevent unauthorized reading or writing of data, but techniques to measure and control resource usage are less prevalent. In particular, most language run-time systems include no facility to account for and regulate heap memory usage on a per-task basis. This oversight can be exploited by a misbehaving task, which might allocate and hold live enough memory to cause a denial-of-service attack, crashing or slowing down other tasks. In addition, tasks can legitimately share references to the same objects, and traditional approaches that charge memory to its allocator fail to properly account for this sharing. We present a method for modifying the garbage collector, already present in most modern language run-time systems, to measure the amount of live memory reachable from each task as it performs its regular duties. Our system naturally distinguishes memory shared across tasks from memory reachable from only a single task without requiring incompatible changes to the semantics of the programming language. Our prototype implementation imposes negligible performance overheads in a variety of benchmarks, yet provides enough information for the expression of rich policies to express the limits on a task's memory usage.
Published: The IEEE Symposium on Security and Privacy (Berkeley, CA), May 2003.
Download: Postscript
Adobe PDF
BibTEX Entry
Additional Notes: The Multitasking garbage collector microbenchmark we used in this paper is available at http://www.cs.rice.edu/~arudys/software/tree-bench.tar.gz.

arudys@rice.edu, Department of Computer Science, Rice University

Last modified: Mon Aug 4 03:50:34 CDT 2003