A UTOMATICALLY SECURING WEB 2.0 APPLICATIONS THROUGH REPLICATED EXECUTION Ben Livshits Microsoft Research.

Slides:

Advertisements

Similar presentations

Database Architectures and the Web

Advertisements

Oracle Database Architectures Are Extremely Complex, And Very Expensive. All of Their Complexity Goes Away ! The Snippet Engine Network Architectures Are.

11 ASP.NET Slides based off:. 22 B ACKGROUND - W EB A RCHITECTURE Web Server PC/Mac/Unix/... + Browser Client Server Request:

Administrative  Philosophy  Class survey  Grading  Proposal (5 points max)  Small projects (10 points each max)  Project (40 points max)  Presentation.

Gatekeeper : Mostly Static Enforcement of Security & Reliability Policies for JavaScript Code Ben Livshits Salvatore Guarnieri.

IS 360 Course Introduction. Slide 2 What you will Learn (1) The role of Web servers and clients How to create HTML, XHTML, and HTML 5 pages suitable for.

S ECURING WEB 2.0 APPLICATIONS THROUGH REPLICATED EXECUTION Ben Livshits Microsoft Research K. Vikram Cornell University Abhishek Prateek IIT Delhi.

Ben Livshits and Emre Kiciman Microsoft Research Redmond, WA.

Outline IS400: Development of Business Applications on the Internet Fall 2004 Instructor: Dr. Boris Jukic Server Side Web Technologies: Part 1.

Introduction to Web Based Application. Web-based application TCP/IP (HTTP) protocol Using WWW technology & software Distributed environment.

Apache Tomcat Server Typical html Request/Response cycle

Administrative  Philosophy  Class survey  Grading  Project  Presentation.

A UTOMATICALLY SECURING WEB 2.0 APPLICATIONS THROUGH REPLICATED EXECUTION K. Vikram, Abhishek Prateek, Ben Livshits.

Part or all of this lesson was adapted from the University of Washington’s “Web Design & Development I” Course materials.

Web Programming Language Dr. Ken Cosh Week 1 (Introduction)

JSZap: Compressing JavaScript Code Martin Burtscher, UT Austin Ben Livshits & Ben Zorn, Microsoft Research Gaurav Sinha, IIT Kanpur.

Client/Server Architectures

INTRODUCTION TO WEB DATABASE PROGRAMMING

Web Design Scripting and the Web. Books on Scripting.

Load Balancing Dan Priece. What is Load Balancing? Distributed computing with multiple resources Need some way to distribute workload Discreet from the.

Server- Side technologies Client-side vs. Server-side scripts PHP basic ASP.NET basic ColdFusion.

Architecture Of ASP.NET. What is ASP?  Server-side scripting technology.  Files containing HTML and scripting code.  Access via HTTP requests.  Scripting.

Introduction to ASP.NET. Prehistory of ASP.NET Original Internet – text based WWW – static graphical content  HTML (client-side) Need for interactive.

Copyright © cs-tutorial.com. Introduction to Web Development In 1990 and 1991,Tim Berners-Lee created the World Wide Web at the European Laboratory for.

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,

ASP.NET + Ajax Jesper Tørresø ITNET2 F08. Ajax Ajax (Asynchronous JavaScript and XML) A group of interrelated web development techniques used for creating.

AJAX in ASP.NET James Crowley Developer Fusion

Overview of Previous Lesson(s) Over View  ASP.NET Pages  Modular in nature and divided into the core sections  Page directives  Code Section  Page.

Meir Botner David Ben-David. Project Goal Build a messenger that allows a customer to communicate with a service provider for a fee.

Open Web App. Purpose To explain Open Web Apps To explain Open Web Apps To demonstrate some opportunities for a small business with this technology To.

Introduction to Internet Programming (Web Based Application)

JavaScript is a client-side scripting language. Programs run in the web browser on the client's computer. (PHP, in contrast, is a server-side scripting.

AJAX Making Dynamic Web pages more Dynamic Jim Hendricks April 25th, 2006.

Mark Dixon Page 1 3 – Web applications: Server-side code (JSP)

The Web Architecture and ASP.NET. Slide 2 Review of the Web (1) It began with HTTP and HTML, which delivers static Web pages to browsers which would render.

Web Interfaces, Forms & Databases Databases Snyder p HTML Basics Snyder p JavaScript Snyder Chapter 18.

WEB SCIENCE. What is the difference between the Internet and the World Wide Web? Internet is the entire network of connected computers and routers used.

AjaxScope & Doloto: Towards Optimizing Client-side Web 2.0 App Performance Ben Livshits Microsoft Research (joint work with Emre.

Introducing ASP.NET 2.0. Internet Technologies WWW Architecture Web Server Client Server Request Response Network HTTP TCP/IP PC/Mac/Unix + Browser (IE,

Monitoring the acquisition process by web widgets Leonardo Tininini and Antonino Virgillito ISTAT Meeting on the Management of Statistical Information.

Database Systems: Design, Implementation, and Management Eighth Edition Chapter 14 Database Connectivity and Web Technologies.

INLS 623– S TORED P ROCEDURES Instructor: Jason Carter.

JSON and A Comparison of Scripts. JSON: JavaScript Object Notation Based on a subset of the JavaScript Programming Language provides a standardized data.

Web Architecture Introduction

Web Design and Development. World Wide Web  World Wide Web (WWW or W3), collection of globally distributed text and multimedia documents and files 

 Previous lessons have focused on client-side scripts  Programs embedded in the page’s HTML code  Can also execute scripts on the server  Server-side.

Scripting Languages Client Side and Server Side. Examples of client side/server side Examples of client-side side include: JavaScript Jquery (uses a JavaScript.

Web Services Using Visual.NET By Kevin Tse. Agenda What are Web Services and Why are they Useful ? SOAP vs CORBA Goals of the Web Service Project Proposed.

 Web pages originally static  Page is delivered exactly as stored on server  Same information displayed for all users, from all contexts  Dynamic.

The basics of knowing the difference CLIENT VS. SERVER.

Web Technologies Lecture 6 State preservation. Motivation How to keep user data while navigating on a website? – Authenticate only once – Store wish list.

ISYS 350 Building Business Applications David Chao.

Overview of Previous Lesson(s) Over View  ASP is a technology that enables scripts in web pages to be executed by an Internet server.  ASP.NET is a.

JavaScript and Ajax (Internet Background) Week 1 Web site:

Text INTRODUCTION TO ASP.NET. InterComm Campaign Guidelines CONFIDENTIAL Simply Server side language Simplified page development model Modular, well-factored,

Overview Web Technologies Computing Science Thompson Rivers University.

Basics Components of Web Design & Development Basics, Components, Design and Development.

JavaScript Invented 1995 Steve, Tony & Sharon. A Scripting Language (A scripting language is a lightweight programming language that supports the writing.

A Presentation Presentation On JSP On JSP & Online Shopping Cart Online Shopping Cart.

Open Solutions for a Changing World™ Eddy Kleinjan Copyright 2005, Data Access WordwideNew Techniques for Building Web Applications June 6-9, 2005 Key.

CS320 Web and Internet Programming Introduction to Web Application Development Chengyu Sun California State University, Los Angeles.

Brief Look InTo JavaScript Dr. Thomas Hicks Computer Science Department Trinity University.

1 Chapter 1 INTRODUCTION TO WEB. 2 Objectives In this chapter, you will: Become familiar with the architecture of the World Wide Web Learn about communication.

INLS 623– Stored Procedures

Doloto: Code Splitting for Web 2.0 Applications

Doloto: Code Splitting for Web 2.0 Applications

Doloto: Code Splitting for AJAX Applications

Choosing between Silverlight and AJAX

ASP.NET Imran Rashid CTO at ManiWeber Technologies.

Presentation transcript:

A UTOMATICALLY SECURING WEB 2.0 APPLICATIONS THROUGH REPLICATED EXECUTION Ben Livshits Microsoft Research

Web 2.0 is Upon Us 2

JavaScript + DHTML Client-side computation Server-side computation Client-side rendering Static HTML Web 1.0 → Web 2.0 3

M OTIVATION & P ROJECT G OALS

Motivation Microsoft Company Store 5

Motivation Distributed Computing on a Planetary Scale Nepal 6

Motivation Web Developer’s Mantra Thou shall not trust the client No data integrity No code integrity 7

Motivation Tension Headaches 8 Move code to the server for security Move code to client for performance

Motivation Security vs. Performance 9 responsiveness security Web 1.0: ASP.NET PHP Web 2.0: AJAX Silverlight Ripley With Ripley, placing computation on the client does not reduce computational integrity

A RCHITECTURE

Algorithms Ripley Architecture 1.Keep a replica of the client code 2.Capture user events & transmit to server for replay 3.Compare server and client results Server Replica Client Ripley checker events = {key: ‘a’, id=‘name’; click: id=‘name’} m' m e 11

Algorithms Ripley Architecture 1.Keep a replica of the client code 2.Capture user events & transmit to server for replay 3.Compare server and client results Ripley checker events = {key: ‘a’, id=‘name’; click: id=‘name’} m' m e Client Client-side code instrumented Rewrite event handlers Capture “default” events Buffer events for performance Server Replica button.onClick = function buttonHandler(e) { var obj = eventTrigger(e); var notify = document.getElementById && document.getElementById('notify'); notify.value = 'You clicked on ' + obj.value; return true; }; button.onClick = function buttonHandler(e) { ripleyEnqueue(e); // inserted by rewriting var obj = eventTrigger(e); var notify = document.getElementById && document.getElementById('notify'); notify.value = 'You clicked on ' + obj.value; return true; }; 12

Algorithms Ripley Architecture 1.Keep a replica of the client code 2.Capture user events & transmit to server for replay 3.Compare server and client results Client Ripley checker events = {key: ‘a’, id=‘name’; click: id=‘name’} m' m e Server Replica Run replica in a Ripley emulator Run in.NET, not in JavaScript, 100x speed increase 13

Algorithms Implementation Details Client: Run as part of tier-splitting – Rewrite client component to capture events – Queue on the client, marshal to the server Server: Rewrite the original assembly – Catch events on the server, de-marshal – Checker: compare m vs. m’ Client replica: – Emulator is a light-weight browser replacement – Client adapted to run within the emulator 14

Algorithms Eager vs. Lazy Transfer 15

E XPERIMENTAL R ESULTS

Experiments Ripley Applications Shopping cart Sudoku Blog Speed typing Online Quiz Distributed online game 17

Experiments Performance Overhead Summary 18

Experiments Network Overhead 19

Experiments Client and Server Overhead 20

Experiments Memory Overhead 21

Conclusions 1.Strong protection: – Automatic protection of distributed web apps – Provides strong integrity guarantees 2.Easy for developer: – No developer involvement required – Protects existing Volta apps out-of-the-box 22

Ripley: Vision for the Future Secure-by-construction Software + Services 23 Ripley server farm Web 2.0 App

Contact us Ben Livshits Microsoft Research Ripley project 24