A Java Operating System as the Foundation of a Secure Network Operating System

Errors in the design and implementation of operating system kernels and system programs lead to security problems that very often cause a complete breakdown of all security mechanisms of the system. We present the architecture of the JX operating system, which avoids two categories of these errors. First, there are implementation errors, such as buffer overflows, dangling pointers, and memory leaks, caused by the use of unsafe languages. We eliminate these errors by using Java—a typesafe language with automatic memory management—for the implementation of the complete operating system. Second, there are architectural errors caused by complex system architectures, poorly understood interdependencies between system components, and minimal modularization. JX addresses these errors by following well-known principles, such as least-privilege and separation-of-privilege, and by using a minimal security kernel, which, for example, excludes the filesystem. Java security problems, such as the huge trusted class library and reliance on stack inspection are avoided. Code of different trustworthiness or code that belongs to different principals is separated into isolated domains. These domains represent independent virtual machines. Sharing of information or resources between domains can be completely controlled by the security kernel.