Next: Resource Management Policies Up: Security Mechanisms Previous: Language-based Protection

Resource Accounting

The proxy keeps track of an applet's resource consumption in the following five aspects:

Mutexes and locks are not included because each applet can only lock objects created by it, and all locks are automatically relinquished upon termination of the applet execution. We also do not track process-related operations because the applet cannot spawn new threads or processes. Rather, each applet is executed in a new process when a user request for the active object arrives.

Storage size, disk bandwidth and network bandwidth consumption are tracked by the ActiveProxy class methods, since the applet must call them to gain access to those resources. The process running the applet also sets a one-second alarm and records the CPU time and virtual memory size in the alarm handler. Limits on CPU time and virtual memory size are enforced with the setrlimit system call, which is issued before branching to the applet's execution.
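The following C sketch shows the enforcement half of that paragraph: a fresh process per applet, with setrlimit applied before control passes to the applet. It is an added example, not the proxy's own code; the names run_applet, applet_fn and the three stand-in applets are hypothetical, and the limits are fixed constants chosen for the demonstration.

```c
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

typedef int (*applet_fn)(void);              /* hypothetical applet entry point */

/* Constructed stand-ins for applets: well-behaved, CPU-bound, memory-hungry. */
static int applet_ok(void)   { return 0; }
static int applet_spin(void) { volatile unsigned long i = 0; for (;;) i++; }
static int applet_hog(void) {
    char *volatile p = malloc((size_t)512 << 20);   /* ask for 512 MiB */
    if (!p) return 3;                        /* refused: RLIMIT_AS was hit */
    p[0] = 1;
    return 0;
}

/* Run one applet in a new process under hard CPU and address-space caps.
 * Returns the applet's exit status (>= 0), -signal if the kernel killed it,
 * or -1000 if the process could not be created or reaped. */
int run_applet(applet_fn fn, rlim_t cpu_secs, rlim_t vm_bytes) {
    pid_t pid = fork();
    if (pid < 0) return -1000;
    if (pid == 0) {
        /* Soft limit delivers SIGXCPU; hard limit one second later is SIGKILL. */
        struct rlimit cpu = { cpu_secs, cpu_secs + 1 };
        struct rlimit vm  = { vm_bytes, vm_bytes };
        /* Fail closed: never enter applet code if a limit was not installed. */
        if (setrlimit(RLIMIT_CPU, &cpu) != 0 || setrlimit(RLIMIT_AS, &vm) != 0)
            _exit(126);
        _exit(fn());                         /* "branch" to the applet */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1000;
    return WIFSIGNALED(status) ? -WTERMSIG(status) : WEXITSTATUS(status);
}

int main(void) {
    rlim_t vm = (rlim_t)256 << 20;           /* 256 MiB cap for the demo */
    printf("ok:   %d\n", run_applet(applet_ok, 1, vm));
    printf("hog:  %d\n", run_applet(applet_hog, 1, vm));
    printf("spin: %d (SIGXCPU is %d)\n", run_applet(applet_spin, 1, vm), SIGXCPU);
    return 0;
}
```

Because the limits are set in the child after fork and before the applet runs, they apply only to that applet's process and cannot be raised again by unprivileged code.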

To prevent denial-of-service attacks, the proxy imposes upper limits on all five resources. By default, the upper limit for CPU time is proportional to the latency of sending the request to the server and receiving the response. The virtual memory size limit is proportional to the length of the response to the client request. The storage size and disk bandwidth limits are also proportional to the response size. Finally, the network bandwidth consumption cannot exceed the response size. The limits are designed on the assumption that the goal of caching the documents is to reduce network traffic. If the goal of caching is reliability or something else, the limits can be raised by the proxy. In our initial prototype, we simply use fixed constants for these limits for ease of implementation.


Pei Cao
7/22/1998