Resource Management controls the applications' access to resources. Resources can be static or dynamic. Static resources do not change during application operation; examples are disk or database quota and maximum memory limits. Dynamic resources are consumed during application execution and need to be 'refilled' from time to time. Examples of dynamic resources are CPU-time and SMS messages. Dynamic resources are also well suited to throttling functions. In this case, applications are only allowed to consume a certain resource amount during any given time, say "10 CPU seconds within one minute" or "3 SMS messages per second".
Within the Application Sandbox, applications are limited to specified resources. For example, quota functions can enforce file limits, and memory allocation functions can enforce memory limits. Most Operating Systems and databases provide means to configure these parameters, and even PHP and Java provide stubs that can be used to control memory management per application.
Controlling dynamic resources is more difficult than controlling static resources since multiple instances of the application may consume the same type of resource (e.g. Apache or Tomcat threads). Here either the independent resource controllers must be synchronized (e.g. CPU time) or a central function must be used to monitor and control resource usage (e.g. SMS messaging).
Either way, - static or dynamic - the resource controllers provide means of alerting the ASP of misuse.
Resource throttling is like controlling the flow of a water from a bucket. For CPU usage throttling, the bucket has a certain volume and rate of inflow. The water unit represents a CPU second, the inflow rate defines how quickly the resource is replenished, the water level in the bucket defines the maximum available CPU seconds currently available (for usage bursts) and the overall bucket volume defines the maximum burst size. For messaging throttling, the amount of water in the bucket represents the number of buffered messages, the bucket volume is the maximum number of buffered messages and the 'diameter' of the outflow determines the maximum available transmission rate.
Functionality Management: Limiting Application Access to Functionality
Functionality Management limits the applications' access to functions provided by the OS and other services. Limiting access to certain sections in the file tree is well supported by the OS (permissions, ACLs), but it's usually difficult to restrict access to functionality provided by OS libraries or services. For example, you might want to restrict access to the TCP stack to prevent the application from connecting to local services or to a 3rd-party host. Completely blocking the functionality may not be possible. It may be desirable to allow TCP-connection establishment only to selected systems and services.
Another example is database access. The application needs to be able to connect using certain username and password pairs, but must be prevented from executing brute-force database attacks. In this case, the functions cannot simply be disabled for a particular application. The function parameters must be verified and approved at runtime before granting access to the function. This is usually achieved by using a wrapper function with a parameter check and by preventing direct access to the original function.
Application Management: Supporting the System Administrator
Application Management supports the system administrator across the full application lifecycle (installation, configuration, operation, maintenance, de-commissioning). One of the main tasks is Sandbox configuration per application. Obviously, Resource Management and Functionality Management require in-depth knowledge of the different features and parameters to configure. It would be easy to misconfigure them due to lack of training or knowledge. To simplify configuration and to reduce the risk of misconfiguration, Application Management introduces pre-defined Resource Templates and Functionality Templates. These templates have names such as "high-traffic, memory-intensive resource use" or "untrusted, single-DB-logon" and reduce the risks of introducing security holes.
A note to the implementation of the Application Sandbox. We first implemented a sandbox for PHP as the application environment of choice. Here, some static limits and functionality restrictions can be made using php.ini (or the application specific .htaccess file), but control of dynamic resources and fine-grain functionality control (like the parameter checks described above) were not available. The modular structure of PHP provided the ideal basis for application specific function wrappers, without requiring a single change in the PHP framework or the PHP modules. Creation of an application Sandbox for Java proved more difficult, even though the existing security framework was more mature. For Java, some modifications in the Jakarta Tomcat's servlet container source code were required to provide the full solution.
Conclusion
With the introduction of the Application Sandbox and its features as described above the mobile service provider (and fixed-line ASPs) can finally host applications without worries, opening their network to the vast variety of applications developed by the Open Source Community or commercial entities without the need for prior verification and without potentially risking the application or network service quality.
About the author:
Roland Schmidt is CTO of Contec Innovations, a provider of an open, carrier-class service delivery platform. Mr. Schmidt is an expert in Internet security and telecommunications gateway solutions, he has led a diverse set of software development and consulting projects, the PHP/JSP Application Sandbox as described above being one of the recent ones.
- "Wireless Apps, Page 1/2"
- "Wireless Apps, Page 2/2"
Related Articles
Technology White Papers
"At the end of a week in which Electronic Arts confirmed it wasn't developing a thing for the Wii U, one of the software engineers in EA Sports' Canada studio, in a series of since-deleted tweets, disparaged the console as 'crap' and suggested Nintendo should give up on hardware altogether. 'The Wii U is crap. Less powerful than an Xbox 360. Poor online/store. Weird tablet', tweeted Bob Summerwill, listed as a senior software engineer at EA Canada, in a reply to a tweet posting a link about EA's no-Wii U news. 'Nintendo are walking dead at this point'." The Wii U is turning into the 21st century's Virtual Boy.
0 
"In NixOS, the entire operating system - the kernel, applications, system packages, configuration files, and so on - is built by the Nix package manager from a description in a purely functional build language. The fact that it's purely functional essentially means that building a new configuration cannot overwrite previous configurations. Most of the other features follow from this." Interesting approach. A Linux distribution, sure, but with some very refreshing ideas about system configuration.
Appfour added, among other features, C/C++ support to its new version of AIDE. From Android-IDE, "Now you can write parts of your app or your whole app in C/C++ on your device. AIDE supports the Standard Android NDK toolchain (GCC 4.6 + Bionic, STL, ...). No changes are necessary if you want to build an app developed on a PC with Eclipse. C/C++ development is fully integrated: Build errors appear in the error list and files can easily be navigated to with Go to file. The editor supports C/C++ syntax highlighting."
Ars nails it: "The answer is that Google did announce what amounts to a fairly substantial Android update yesterday. They simply did it without adding to the update fragmentation problems that continue to plague the platform. By focusing on these changes and not the apparently-waiting-in-the-wings update to the core software, Google is showing us one of the ways in which it's trying to fix the update problem."
"It is good for programmers to understand what goes on inside a processor. The CPU is at the heart of our career. What goes on inside the CPU? How long does it take for one instruction to run? What does it mean when a new CPU has a 12-stage pipeline, or 18-stage pipeline, or even a 'deep' 31-stage pipeline? Programs generally treat the CPU as a black box. Instructions go into the box in order, instructions come out of the box in order, and some processing magic happens inside. As a programmer, it is useful to learn what happens inside the box. This is especially true if you will be working on tasks like program optimization. If you don't know what is going on inside the CPU, how can you optimize for it? This article is about what goes on inside the x86 processor's deep pipeline."
"It was the only moment I heard regret slip into Otellini's voice during the several hours of conversations I had with him. 'The lesson I took away from that was, while we like to speak with data around here, so many times in my career I've ended up making decisions with my gut, and I should have followed my gut,' he said. 'My gut told me to say yes.'" The world would've been a much different place - Apple would have been less dependant on Samsung for its chips, which probably would've meant less money for Samsung to develop its Galaxy business.Glass is getting some love at Google I/O as well. New applications have been released - Facebook, Twitter, Evernote, Elle, Tumblr, and CNN. Perhaps more interesting: the newly announced Google Glass Developer Kit will allow offline applications and direct hardware access - great for hacking and expanding Glass' potential. This kit will really allow hackers to put Glass through its paces."But Beck and Merrill decided that simply banning toxic players wasn't an acceptable solution for their game. Riot Games began experimenting with more constructive modes of player management through a formal player behavior initiative that actually conducts controlled experiments on its player base to see what helps reduce bad behavior. The results of that initiative have been shared at a lecture at the Massachusetts Institute of Technology and on panels at the Penny Arcade Expo East and the Game Developers Conference." Absolutely fascinating stuff. I'm a League of Legends player, and to be honest, the community isn't nearly as bad as some make it out to be. I'm happy Riot games has the guts to employ science to address the issue.
"Android and iOS, the number one and number two ranked smartphone operating systems worldwide, combined for 92.3% of all smartphone shipments during the first quarter of 2013 as Windows Phone crept past BlackBerry for 3rd place. According to the International Data Corporation Worldwide Quarterly Mobile Phone Tracker, Android smartphone vendors and Apple shipped a total of 199.5 million units worldwide during 1Q13, up 59.1% from the 125.4 million units shipped during 1Q12." Windows Phone doubles from a few to twice few, iOS loser market share as its growth is slower than that of the overall market. BlackBerry continues slide into irrelevance."According to the latest research from our Wireless Smartphone Strategies service, global Android smartphone profits reached US$5 billion in total during the first quarter of 2013. Samsung dominated and captured an impressive 95 percent share of all Android smartphone profits." Wow.