next up previous
Next: Compatibility Up: Analysis Previous: Psychological Acceptability

Performance

As discussed in section 1, performance is one of the attractions of language-based protection. Because hardware protection is so much slower than any of the systems presented in this paper, we will instead discuss the performance differences among the three software systems. In all cases, we are assuming that the JVM uses a JIT compiler to generate and execute efficient machine code.

The stack introspection system has the highest runtime costs. At runtime, system classes must check whether the current enabled privileges allow them to proceed. At worst, this will have cost proportional to the current stack depth. These checks occur less often then one might think. Currently, stack introspection is used only to guard when a file or network connection is opened (an already expensive operation). The input and output streams act as capabilities for the open file or network connection and need no further security checks on read and write operations. While a specific input or output stream could leak, the general ability to open a file or network connection would still be contained.

Name space management does not incur any overhead at runtime, nor do unmodified capability systems. However, all systems must pay similar runtime costs when they implement interposition layers (i.e., to validate or limit arguments to low-level system routines).


next up previous
Next: Compatibility Up: Analysis Previous: Psychological Acceptability
Dan Wallach
7/26/1997