Third USENIX Conference on Object-Oriented Technologies (COOTS), 1997
A Tool for Constructing Safe Extensible C++ Systems
Christopher Small
Harvard University
Abstract
The boundary between application and system is becoming increasingly permeable. Extensible applications, such as web browsers, database systems, and operating systems, demonstrate the value of allowing end-users to extend and modify the behavior of what was formerly considered to be a static, inviolate system. Unfortunately, flexibility often comes with a cost: systems unprotected from misbehaved end-user extensions are fragile and prone to instability.
Object-oriented programming models are a good fit for the development of this kind of system. An extension can be designed as a refinement of an existing class, and loaded into a running system. In our model, when code is downloaded into the system, it is used to replace a virtual function on an existing C++ object. Because our tool is source-language neutral, it can be used to build safe extensible systems written in other languages as well.
There are three methods commonly used to make end-user extensions safe: restrict the extension language (e.g., Java), interpret the extension language (e.g., Tcl), or combine run-time checks with a trusted environment. The third technique is the one discussed here; it offers the twin benefits of the flexibility to implement extensions in an unsafe language, such as C++, and the performance of compiled code.
MiSFIT, the Minimal i386 Software Fault Isolation Tool, can be used as the central component of a tool set for building safe extensible systems in C++. MiSFIT transforms C++ code, compiled by g++, into safe binary code. Combined with a runtime support library, the overhead of MiSFIT is an order of magnitude lower than the overhead of interpreted Java, and permits safe extensible systems to be written in C++.
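The abstract names the technique (run-time checks inserted into compiled extension code) but not its form. The following is an added illustration, not MiSFIT's code: it models the classic software-fault-isolation store check, in which each write from untrusted code has its target address masked into the extension's own segment, so a stray or hostile store can never reach trusted memory. The 64 KiB segment size, the `sandbox_t` type and the `sfi_*` helper names are assumptions made here for the example.

```c
#define _POSIX_C_SOURCE 200112L
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed layout: a 64 KiB segment aligned to its own size, so the
   segment id is the high address bits and the offset the low bits.
   MiSFIT's actual segment layout is not described in the abstract. */
#define SEG_BITS 16u
#define SEG_SIZE (1u << SEG_BITS)
#define OFF_MASK (SEG_SIZE - 1u)

typedef struct {
    uintptr_t base;   /* segment start, a multiple of SEG_SIZE */
} sandbox_t;

/* SFI address sandboxing: rather than compare-and-branch, force the
   target into the segment (keep the offset, replace the segment bits).
   The check is branch-free and data-independent; a bad address lands
   somewhere inside the sandbox instead of in trusted memory. */
static inline uint32_t *sfi_sandbox_addr(const sandbox_t *sb, uintptr_t target)
{
    return (uint32_t *)(sb->base | (target & OFF_MASK));
}

/* The instrumented 32-bit store; returns the address actually written. */
static inline uint32_t *sfi_store32(const sandbox_t *sb, uintptr_t target, uint32_t v)
{
    uint32_t *p = sfi_sandbox_addr(sb, target);
    *p = v;
    return p;
}

/* Returns 1 if a store aimed at trusted state was confined to the
   segment while an in-segment store still landed exactly where aimed. */
int sfi_demo_confines_store(void)
{
    void *mem = NULL;
    if (posix_memalign(&mem, SEG_SIZE, SEG_SIZE) != 0) return 0;
    memset(mem, 0, SEG_SIZE);
    sandbox_t sb = { (uintptr_t)mem };

    uint32_t trusted = 0xC0FFEEu;   /* lives on the stack, outside the segment */
    uint32_t *hit = sfi_store32(&sb, (uintptr_t)&trusted, 0xDEADu);
    int inside = (uintptr_t)hit >= sb.base && (uintptr_t)hit < sb.base + SEG_SIZE;
    int intact = trusted == 0xC0FFEEu;

    uint32_t *legit = sfi_store32(&sb, sb.base + 0x100u, 42u);
    int exact = legit == (uint32_t *)(sb.base + 0x100u) && *legit == 42u;

    free(mem);
    return inside && intact && exact;
}
```

A real tool also has to sandbox the stack pointer and indirect jumps and guard the registers holding sandboxed addresses; this block shows only the store path.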