Third USENIX Conference on Object-Oriented Technologies (COOTS), 1997
A Tool for Constructing Safe Extensible C++ Systems
The boundary between application and system is becoming increasingly permeable. Extensible applications, such as web browsers, database systems, and operating systems, demonstrate the value of allowing end-users to extend and modify the behavior of what was formerly considered to be a static, inviolate system. Unfortunately, flexibility often comes with a cost: systems unprotected from misbehaved end-user extensions are fragile and prone to instability.
Object-oriented programming models are a good fit for the development of this kind of system. An extension can be designed as a refinement of an existing class, and loaded into a running system. In our model, when code is downloaded into the system, it is used to replace a virtual function on an existing C++ object. Because our tool is source-language neutral, it can be used to build safe extensible systems written in other languages as well.
There are three methods commonly used to make end-user extensions safe: restrict the extension language (e.g., Java), interpret the extension language (e.g., Tcl), or combine run-time checks with a trusted environment. The third technique is the one discussed here; it offers the twin benefits of the flexibility to implement extensions in an unsafe language, such as C++, and the performance of compiled code.
MiSFIT, the Minimal i386 Software Fault Isolation Tool, can be used as the central component of a tool set for building safe extensible systems in C++. MiSFIT transforms C++ code, compiled by g++, into safe binary code. Combined with a runtime support library, MiSFIT imposes an overhead an order of magnitude lower than that of interpreted Java, and permits safe extensible systems to be written in C++.
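To make the run-time-check approach of the preceding two paragraphs concrete, the following is an added illustration of address sandboxing, the basic software fault isolation idea: an untrusted extension's memory accesses are rewritten so that every address is forced into the extension's own segment before use. It is example code written for this page, not MiSFIT's implementation; the segment size, the masking scheme and the `sfi_*` helper names are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed layout: one 2^SEG_BITS-byte segment, aligned to its own size,
 * so that any address can be forced inside it by rewriting its high bits.
 * This is an illustrative encoding, not MiSFIT's. */
#define SEG_BITS 16
#define SEG_SIZE ((uintptr_t)1 << SEG_BITS)
#define SEG_MASK (SEG_SIZE - 1)

static uint8_t *seg_base;  /* start of the segment, aligned to SEG_SIZE */

/* Allocate and zero the segment. Returns 0 on success, -1 on failure. */
int sfi_init(void) {
    void *p = NULL;
    if (posix_memalign(&p, (size_t)SEG_SIZE, (size_t)SEG_SIZE) != 0) return -1;
    memset(p, 0, (size_t)SEG_SIZE);
    seg_base = p;
    return 0;
}

uint8_t *sfi_base(void) { return seg_base; }

/* Address sandboxing: keep the low SEG_BITS of the requested address and
 * replace the high bits with the segment's. A store aimed outside the
 * segment is redirected into it rather than corrupting host memory. This
 * is the check a rewriter inserts before every load and store. */
static inline uint8_t *sfi_sandbox(uintptr_t addr) {
    return (uint8_t *)(((uintptr_t)seg_base & ~SEG_MASK) | (addr & SEG_MASK));
}

void sfi_store8(uintptr_t addr, uint8_t v) { *sfi_sandbox(addr) = v; }
uint8_t sfi_load8(uintptr_t addr) { return *sfi_sandbox(addr); }

/* Segment matching, the stricter variant: report whether an address is
 * already inside the segment, so the caller can fault instead of redirect. */
int sfi_in_segment(uintptr_t addr) {
    return (addr & ~SEG_MASK) == ((uintptr_t)seg_base & ~SEG_MASK);
}

/* Constructed "extension" that tries to write through a host-owned pointer.
 * Returns 1 if the host buffer was actually modified, 0 if the store was
 * confined to the segment. */
int extension_stores_out_of_segment(uint8_t *host_buf) {
    sfi_store8((uintptr_t)host_buf, 0x41);
    return host_buf[0] == 0x41;
}
```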