2nd USENIX Conference on Web Application Development ...

More documents

Recommendations

Info

tion (e.g. topics inferred from browsing history) via reference-monitored APIs—but neither plug-ins nor JS extensions can guarantee the integrity or security of the mined data as it flows through the browser. These projects incur development and maintenance costs well above the inherent complexity of their added functionality. Moreover, patching browser sources makes it difficult to update the projects for new versions of the browsers. This overhead obscures the fact that such research projects are essentially extensions to the webbrowsing experience, and would be much simpler to realize on a flexible platform with more powerful extension mechanisms. Though existing extension points in mainstream browsers vary widely in both design and power, none can support the research projects described above. 1.1 The extensible future of web browsers Web browsers have evolved from their beginnings as mere document viewers into web-application runtime platforms. Applications such as Outlook Web Access or Google Documents are sophisticated programs written in HTML, CSS and JS that use the browser only for rendering and execution and ignore everything else browsers provide (bookmarks, navigation, tab management, etc.). Projects like Mozilla Prism 3 strip away all the browser “chrome” while reusing the underlying HTML/CSS/JS implementation (in this case, Gecko), letting webapps run like native apps, outside of the typical browser. Taken to an extreme, “traditional” applications such as Firefox or Thunderbird are written using Gecko’s HTML/CSS/JS engine, and clearly are not themselves hosted within a browser. While browsers and web apps are growing closer, they are still mostly separate with no possibility of tight, customizable integration between them. Blogging clients such as WordPress, instant messaging clients such as Gchat, and collaborative document editors such as Mozilla Skywriter are three disjoint web applications, all designed to create and share content. An author might be using all three simultaneously, and searching for relevant web resources to include as she writes. Yet the only way to do so is to “escape the system”, copying and pasting web content via the operating system. 1.2 Contributions The time has come to reconsider browser architectures with a focus on extensibility. We present C3: a reconfigurable, extensible implementation of HTML, CSS and JS designed for web client research and experimentation. C3 is written entirely in C # and takes advantage of .Net’s libraries and type-safety. Similar to Firefox building atop 3 http://prism.mozillalabs.com/ 2 Gecko, we have built a prototype browser atop C3, using only HTML, CSS and JS. By reconfigurable, we mean that each of the modules in our browser—Document Object Model (DOM) implementation, HTML parser, JS engine, etc.—is loosely coupled by narrow, typesafe interfaces and can be replaced with alternate implementations compiled separately from C3 itself. By extensible, we mean that the default implementations of the modules support run-time extensions that can be systematically introduced to 1. extend the syntax and implementation of HTML 2. transform the DOM when being parsed from HTML 3. extend the UI of the running browser 4. extend the environment for executing JS, and 5. transform and modify running JS code. Compared to existing browsers, C3 introduces novel extension points (1) and (5), and generalizes existing extension points (2)–(4). These extension points are treated in order in Section 3. We discuss their functionality and their security implications with respect to the same-origin policy [13]. We also provide examples of various extensions that we and others have built. The rest of the paper is structured as follows. Section 2 gives an overview of C3’s architecture and highlights the software engineering choices made to further our modularity and extensibility design goals. Section 3 presents the design rationale for our extension points and discusses their implementation. Section 4 evaluates the performance, expressiveness, and security implications of our extension points. Section 5 describes future work. Section 6 concludes. 2 C3 architecture and design choices As a research platform, C3’s explicit design goals are architectural modularity and flexibility where possible, instead of raw performance. Supporting the various extension mechanisms above requires hooks at many levels of the system. These goals are realized through careful design and implementation choices. Since many requirements of an HTML platform are standardized, aspects of our architecture are necessarily similar to other HTML implementations. C3 lacks some of the features present in mature implementations, but contains all of the essential architectural details of an HTML platform. C3’s clean-slate implementation presented an opportunity to leverage modern software engineering tools and practices. Using a managed language such as C # sidesteps the headaches of memory management, buffer overruns, and many of the common vulnerabilities in production 62 WebApps ’11: <strong>2nd</strong> <strong>USENIX</strong> <strong>Conference</strong> on Web Application Development <strong>USENIX</strong> Association
HtmlParser CssParser IHtmlParser ICssParser IDownloadManager JS Engine DOM implementation UI Event loop Node, Element, . . . Default download manager Browser executable WinForms renderer ILayoutListener Layout Figure 1: C3’s modular architecture Assembly Class Interface Communication Implementation Threads IRenderer browsers. Using a higher-level language better preserves abstractions and simplifies many implementation details. Code Contracts [4] are used throughout C3 to ensure implementation-level invariants and safety properties— something that is not feasible in existing browsers. Below, we sketch C3’s module-level architecture, and elaborate on several core design choices and resulting customization opportunities. We also highlight features that enable the extension points examined in Section 3. 2.1 Pieces of an HTML platform The primary task of any web platform is to parse, render, and display an HTML document. For interactivity, web applications additionally require the managing of events such as user input, network connections, and script evaluation. Many of these sub-tasks are independent; Figure 1 shows C3’s module-level decomposition of these tasks. The HTML parser converts a text stream into an object tree, while the CSS parser recognizes stylesheets. The JS engine dispatches and executes event handlers. The DOM implementation implements the API of DOM nodes, and implements bindings to expose these methods to JS scripts. The download manager handles actual network communication and interactions with any on-disk cache. The layout engine computes the visual structure and appearance of a DOM tree given current CSS styles. The renderer displays a computed layout. The browser’s UI displays the output of the renderer on the screen, and routes user input to the DOM. 2.2 Modularity Unlike many modern browsers, C3’s design embraces loose coupling between browser components. For example, it is trivial to replace the HTML parser, renderer 3 frontend, or JS engine without modifying the DOM implementation or layout algorithm. To make such drop-in replacements feasible, C3 shares no data structures between modules when possible (i.e., each module is heapdisjoint). This design decision also simplifies threading disciplines, and is further discussed in Section 2.7. Simple implementation-agnostic interfaces describe the operations of the DOM implementation, HTML parser, CSS parser, JS engine, layout engine, and front-end renderer modules. Each module is implemented as a separate .Net assembly, which prevents modules from breaking abstractions and makes swapping implementations simple. Parsers could be replaced with parallel [8] or speculative 4 versions; layout might be replaced with a parallel [11] or incrementalizing version, and so on. The default module implementations are intended as straightforward, unoptimized reference implementations. This permits easy permodule evaluations of alternate implementation choices. 2.3 DOM implementation The DOM API is a large set of interfaces, methods and properties for interacting with a document tree. We highlight two key design choices in our implementation: what the object graph for the tree looks like, and the bindings of these interfaces to C # classes. Our choices aim to minimize overhead and “boilerplate” coding burdens for extension authors. Object trees: The DOM APIs are used throughout the browser: by the HTML parser (Section 2.4) to construct the document tree, by JS scripts to manipulate that tree’s structure and query its properties, and by the layout engine to traverse and render the tree efficiently. These clients use distinct but overlapping subsets of the APIs, which means they must be exposed both to JS and to C # , which in turn leads to the first design choice. One natural choice is to maintain a tree of “implementation” objects in the C # heap separate from a set of “wrapper” objects in the JS heap 5 containing pointers to their C # counterparts: the JS objects are a “view” of the underlying C # “model”. The JS objects contain stubs for all the DOM APIs, while the C # objects contain implementations and additional helper routines. This design incurs the overheads of extra pointer dereferences (from the JS APIs to the C # helpers) and of keeping the wrappers synchronized with the implementation tree. However, it permits specializing both representations for their respective usages, and the extra indirection enables 4 http://hsivonen.iki.fi/speculative-html5-parsing/ 5 Expert readers will recognize that “objects in the JS heap” are implemented by C # “backing” objects; we are distinguishing these from C # objects that do not “back” any JS object. <strong>USENIX</strong> Association WebApps ’11: <strong>2nd</strong> <strong>USENIX</strong> <strong>Conference</strong> on Web Application Development 63
Page 1 and 2:
Proceedings of the 2nd</str
Page 3 and 4:
USENIX Association
Page 5:
WebApps ’11: 2nd
Page 9 and 10:
GuardRails: A Data-Centric Web Appl
Page 11 and 12:
Policy Annotation Only admins can d
Page 13 and 14:
@edit, price, false, :nothing To ma
Page 15 and 16:
tags in the Project description, bu
Page 17 and 18:
String Command Result "foobar".gsub
Page 19 and 20: Transformation Status Homepage Logi
Page 21 and 22: Abstract Ioannis Papagiannis Imperi
Page 23 and 24: Num. of Occurrences Type Wordpress
Page 25 and 26: Sanitisation htmlentities() functio
Page 27 and 28: Original expression Transformed exp
Page 29 and 30: non-tracking code with a simple str
Page 31 and 32: Direct request vulnerabilities. The
Page 33 and 34: Abstract Secure Data Preservers for
Page 35 and 36: e found for a variety of services.
Page 37 and 38: 3.2 Operational View The lifecycle
Page 39 and 40: it automatically). A user or servic
Page 41 and 42: given the availability of client-si
Page 43 and 44: can only be decrypted by the base l
Page 45 and 46: BenchLab: An Open Testbed for Reali
Page 47 and 48: 2.2. Realistic load generation Real
Page 49 and 50: virtual machine with the software s
Page 51 and 52: the Olio calendaring applications (
Page 53 and 54: able to match Firefox’s optimized
Page 55 and 56: 5.4.1. Local vs remote users We obs
Page 57 and 58: Resource Provisioning of Web Applic
Page 59 and 60: in a directed acyclic graph [3]. Th
Page 61 and 62: accordingly. This is the goal of in
Page 63 and 64: Although expressing performance pro
Page 65 and 66: Response time (ms) Response time (m
Page 67 and 68: Response time (ms) Response time (m
Page 69: C3: An Experimental, Extensible, Re
Page 73 and 74: node during construction. This immu
Page 75 and 76: public interface IDOMTagFactory { I
Page 77 and 78: 3.2 JS execution Point (2): Runtime
Page 79 and 80: Extensions IE: Available from C3-eq
Page 81: extensions for web-scale use. The r
Page 84 and 85: dangerous permissions. In compariso
Page 86 and 87: Permission Popular Unpopular Plug-i
Page 88 and 89: (a) Prevalence of Dangerous permiss
Page 90 and 91: its functionality to the permission
Page 92 and 93: y ACCESS COARSE LOCATION. 358 appli
Page 94 and 95: 7 Conclusion This study contributes
Page 96 and 97: 5 discusses the pros and cons of th
Page 98 and 99: the client is free to use them how
Page 100 and 101: data it uses RESTful API which in t
Page 102 and 103: On top of Django we are using a sma
Page 104 and 105: nal design. Moreover, when the whol
Page 106 and 107: [5] The spring framework. http://ww
Page 108 and 109: of strcpy can preclude the introduc
Page 110 and 111: Integer-valued Binary Stored XSS Re
Page 112 and 113: Java Perl PHP Number of programmers
Page 114 and 115: 0 2 4 6 8 10 0 1 2 3 Team Number La
Page 116 and 117: 0 10 20 30 Number of Vulnerabilitie
Page 118 and 119: Automated black-box penetration tes
Page 121 and 122:
Abstract Integrating Long Polling w
Page 123 and 124:
the Web server, the framework dispa
Page 125 and 126:
all() => [Record] filter(condition)
Page 127 and 128:
in any future requests associated w
Page 129 and 130:
��
Page 131 and 132:
quests to be put to sleep. For exam
Page 133 and 134:
Abstract Detecting Malicious Web Li
Page 135 and 136:
3 Discriminative Features Our metho
Page 137 and 138:
the total number of unique IPs and
Page 139 and 140:
Table 8: Detection accuracy and tru
Page 141 and 142:
centraldevideoscomhomensmaduros. bl
Page 143 and 144:
Web content by executing the conten
Page 145 and 146:
Maverick: Providing Web Application
Page 147 and 148:
must schedule USB messages to provi
Page 149 and 150:
priate Web driver. USB events sent
Page 151 and 152:
hardware IDs to the browser kernel
Page 153 and 154:
PhotoBooth latency JavaScript drive
Page 155 and 156:
delegate the higher-level abstracti
show all

2nd USENIX Conference on Web Application Development ...

Create successful ePaper yourself

Delete template?

Save as template?