JAMUS: Java Accommodation of Mobile Untrusted Software

Authors: Nicolas Le Sommer and Frédéric Guidec
VALORIA Laboratory, University of South Brittany, France
Nicolas.Lesommer@univ-ubs.fr and

Security is a major issue for mobile components (programs, applets, mobile agents, etc.) that roam the Internet. When downloading a software component from the Internet, it is often impossible to decide in advance whether this piece of code should be considered safe or potentially dangerous for the local system. A malicious, or simply buggy, component might put the whole system in jeopardy: it might destroy crucial data files, or consume too much CPU time, memory, or network bandwidth. Another important issue when hosting mobile components is resource management. Some components can do very well with sparse resources, while others require predictable or guaranteed levels of quality of service regarding resource availability.

With the JAMUS (Java Accommodation of Mobile Untrusted Software) platform we propose solutions to such problems, based on a contractual approach to resource management and access control. JAMUS can accommodate mobile Java components, provided that these components can specify their requirements regarding resource usage in both a qualitative way (e.g., access rights to parts of the file system) and a quantitative way (e.g., read and write quotas). The requirements of a candidate component are used by a resource broker to decide whether this component can be admitted on the platform. Admission control is based on a resource reservation scheme: a component is admissible only if the resources it requires are available in sufficient quality and quantity. Moreover, when a component is admitted by the resource broker, the resources it requires are reserved for this component, so they cannot be handed out a second time to a later candidate.

Once a component has been accepted by the resource broker, it can start running on the platform. However, this component is still considered a potential threat to the local system. Its execution is subject to constant monitoring, so that resource access violations (an access outside the rights it declared, or a use exceeding the quota it reserved) can be readily detected and dealt with. A major consequence of this approach is that no component can access or monopolize resources to the detriment of other components.
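The two steps described above, admission by reservation and run-time monitoring against the reservation, can be illustrated with the following sketch. It is an added example, not JAMUS code: the `Contract` record, the `ContractBroker` class, its methods and the eviction-on-violation policy are assumptions made here to show the mechanism. It models the qualitative requirement as a set of file-system roots that must lie inside a single subtree the platform exports, and the quantitative requirement as byte quotas for reads and writes. Paths are normalized and compared component-wise so that `..` segments or a sibling directory with a matching prefix (`/tmp/jamus-evil` versus `/tmp/jamus`) cannot be used to escape the granted subtree. It needs Java 16 or later for records.

```java
import java.nio.file.Path;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Added example, not JAMUS code: a contract-based resource broker with
// admission control by reservation and run-time quota monitoring.
public class ContractBroker {

    /** Hypothetical contract: qualitative rights (path roots) and quantitative quotas (bytes). */
    public record Contract(String id, Set<String> readRoots, Set<String> writeRoots,
                           long readQuota, long writeQuota) {}

    /** Outcome of a monitored access. */
    public enum Verdict { ALLOWED, DENIED_RIGHTS, DENIED_QUOTA, NOT_ADMITTED }

    private static final class Reservation {
        final Contract contract;
        long readUsed, writeUsed;
        Reservation(Contract c) { contract = c; }
    }

    private final Path exportedRoot;                 // only this subtree may ever be granted
    private long freeRead, freeWrite;                // platform capacity not yet reserved
    private final Map<String, Reservation> admitted = new HashMap<>();

    public ContractBroker(String exportedRoot, long readCapacity, long writeCapacity) {
        this.exportedRoot = Path.of(exportedRoot).normalize();
        this.freeRead = readCapacity;
        this.freeWrite = writeCapacity;
    }

    /** Admission control: every requested root must lie under the exported subtree
     *  (qualitative) and the quotas must fit the unreserved capacity (quantitative).
     *  Admitting the component reserves its quotas until it is released. */
    public synchronized boolean admit(Contract c) {
        if (admitted.containsKey(c.id())) return false;
        for (String r : c.readRoots()) if (!under(r, exportedRoot)) return false;
        for (String r : c.writeRoots()) if (!under(r, exportedRoot)) return false;
        if (c.readQuota() < 0 || c.writeQuota() < 0) return false;
        if (c.readQuota() > freeRead || c.writeQuota() > freeWrite) return false;
        freeRead -= c.readQuota();
        freeWrite -= c.writeQuota();
        admitted.put(c.id(), new Reservation(c));
        return true;
    }

    /** Run-time monitoring of a read: rights first, then quota. A violation evicts the component. */
    public synchronized Verdict read(String id, String path, long bytes) {
        Reservation r = admitted.get(id);
        if (r == null) return Verdict.NOT_ADMITTED;
        if (!underAny(path, r.contract.readRoots())) return evict(id, Verdict.DENIED_RIGHTS);
        if (bytes < 0 || r.readUsed + bytes > r.contract.readQuota()) return evict(id, Verdict.DENIED_QUOTA);
        r.readUsed += bytes;
        return Verdict.ALLOWED;
    }

    /** Same check for writes, against the write roots and write quota. */
    public synchronized Verdict write(String id, String path, long bytes) {
        Reservation r = admitted.get(id);
        if (r == null) return Verdict.NOT_ADMITTED;
        if (!underAny(path, r.contract.writeRoots())) return evict(id, Verdict.DENIED_RIGHTS);
        if (bytes < 0 || r.writeUsed + bytes > r.contract.writeQuota()) return evict(id, Verdict.DENIED_QUOTA);
        r.writeUsed += bytes;
        return Verdict.ALLOWED;
    }

    /** One possible way to "deal with" a violation: drop the component and return its reservation. */
    private Verdict evict(String id, Verdict why) { release(id); return why; }

    public synchronized void release(String id) {
        Reservation r = admitted.remove(id);
        if (r != null) { freeRead += r.contract.readQuota(); freeWrite += r.contract.writeQuota(); }
    }

    /** Component-wise prefix test on normalized paths: "../" and "/tmp/jamus-evil" do not pass. */
    private static boolean under(String path, Path root) {
        return Path.of(path).normalize().startsWith(root);
    }

    private static boolean underAny(String path, Set<String> roots) {
        for (String r : roots) if (under(path, Path.of(r).normalize())) return true;
        return false;
    }

    public static void main(String[] args) {
        ContractBroker broker = new ContractBroker("/tmp/jamus", 10_000, 2_000);
        Contract good = new Contract("cmp-1", Set.of("/tmp/jamus/data"), Set.of("/tmp/jamus/out"), 4_000, 1_000);
        Contract greedy = new Contract("cmp-2", Set.of("/tmp/jamus/data"), Set.of(), 8_000, 0);
        Contract escaping = new Contract("cmp-3", Set.of("/tmp/jamus/data/../../../etc"), Set.of(), 10, 0);
        System.out.println("admit cmp-1: " + broker.admit(good));       // true
        System.out.println("admit cmp-2: " + broker.admit(greedy));     // false: only 6_000 read bytes left
        System.out.println("admit cmp-3: " + broker.admit(escaping));   // false: root normalizes to /etc
        System.out.println(broker.read("cmp-1", "/tmp/jamus/data/in.txt", 3_000)); // ALLOWED
        System.out.println(broker.read("cmp-1", "/tmp/jamus/data/in.txt", 1_500)); // DENIED_QUOTA, cmp-1 evicted
        System.out.println("admit cmp-2 after eviction: " + broker.admit(greedy)); // true: reservation was returned
    }
}
```

The example assumes POSIX-style absolute paths. The point a practitioner should take from it is the order of the checks: the qualitative test is applied at admission time to the declared roots and again at access time to the actual path, and the quantitative test is applied against the component's own reservation rather than against a global counter, which is what prevents one component from consuming capacity that was promised to another.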