Secure Cooperative Sharing of JavaScript, Browser, and Physical Resources Benjamin Livshits UC Berkeley Leo Meyerovich, David Zhu.

Slides:



Advertisements
Similar presentations
Presented by Vaibhav Rastogi. Current browsers try to separate host system from Web Websites evolved into web applications Lot of private data on the.
Advertisements

Molecular Biomedical Informatics Web Programming 1.
Context-Sensitive Auto-Sanitization In Web Templating Languages Using Type Qualifiers Prateek Saxena UC Berkeley Mike Samuel Google Dawn Song UC Berkeley.
Atlantis: Robust, Extensible Execution Environments for Web Applications Hi! Today I’ll describe Atlantis, which is a new exokernel architecture for web.
Web Applications HTML5 Games Windows 8 HTML Apps Basic Web Pages JavaScript Execution Speed DOM Interactions Accelerated Graphics Page Load Time.
GATEKEEPER MOSTLY STATIC ENFORCEMENT OF SECURITY AND RELIABILITY PROPERTIES FOR JAVASCRIPT CODE Salvatore Guarnieri & Benjamin Livshits Presented by Michael.
1. 2 “Well-designed graphics are usually the simplest” Big Data is Different: going from Data Reporting to Knowledge Discovery … small & static charts.
1 Yinzhi Cao, Zhichun Li *, Vaibhav Rastogi, Yan Chen, and Xitao Wen Labs of Internet Security and Technology Northwestern University * NEC Labs America.
Presented by Vaibhav Rastogi.  Advent of Web 2.0 and Mashups  Inclusion of untrusted third party content a necessity  Need to restrict the functionality.
ConScript Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser Leo Meyerovich UC Berkeley Benjamin Livshits Microsoft.
Vaibhav Rastogi and Yi Yang.  Web 2.0 – rich applications  A website hosts content it may not be responsible for  Third party gadgets  Third party.
Secure web browsers, malicious hardware, and hardware support for binary translation Sam King.
S CRIPT G ARD Automatic Context-Sensitive Sanitization for Large-Scale Legacy Web Applications Prateek Saxena UC Berkeley David Molnar Microsoft Research.
IS 360 Course Introduction. Slide 2 What you will Learn (1) The role of Web servers and clients How to create HTML, XHTML, and HTML 5 pages suitable for.
Phu H. Phung Chalmers University of Technology JSTools’ 12 June 13, 2012, Beijing, China Joint work with Lieven Desmet (KU Leuven)
Canvas, SVG, Workers Doncho Minkov Telerik Corporation
Forms, Validation Week 7 INFM 603. Announcements Try placing today’s example in htdocs (XAMPP). This will allow you to execute examples that rely on PHP.
JavaScript CMPT 281. Outline Introduction to JavaScript Resources What is JavaScript? JavaScript in web pages.
Browserscope O'Reilly Velocity OLC Dec 8,
Virtualization Concept. Virtualization  Real: it exists, you can see it.  Transparent: it exists, you cannot see it  Virtual: it does not exist, you.
Department of Electrical Engineering and Computer Science CONSCRIPT: Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser.
JavaScript Teppo Räisänen LIIKE/OAMK HTML, CSS, JavaScript HTML defines the structure CSS defines the layout JavaScript is used for scripting It.
BLUEPRINT: Robust Prevention of Cross-site Scripting Attacks for Existing Browsers Mike Ter Louw, V.N. Venkatakrishnan University of Illinois at Chicago.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
MOOD FOOD. PROMOTIONAL WEBSITE Front end of a cross-module project between Advanced Rich Internet Applications and Advanced Client Side Scripting. Promotional.
Introduction to Operating Systems Chapter 1. cs431 -cotter2 Lecture Objectives Understand the relationship between computing hardware, operating system,
Browserscope Open-source, community-driven project for profiling browsers Goals: foster browser innovation be a resource for web.
ConScript Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser Leo Meyerovich UC Berkeley Benjamin Livshits Microsoft.
Operating Systems ECE344 Ashvin Goel ECE University of Toronto OS Design.
Client/browser productivity language Ras Bodik, Thibaud Hottelier, James Ide, and Doug Kimelman(IBM)
1 JavaScript in Context. Server-Side Programming.
JavaScript – Quiz #9 Lecture Code:
Cross Site Integration “mashups” cross site scripting.
Embedded Software SKKU 28 1 WebKit/EFL. Embedded Software SKKU 28 2 WebKit Parsing Layout and Painting WebKit and EFL Contents.
Extending HTML CPSC 120 Principles of Computer Science April 9, 2012.
Scaling Charts with Design and GPUs Leo Meyerovich CEO of Graphistry.com | UC Berkeley 1.
AjaxScope & Doloto: Towards Optimizing Client-side Web 2.0 App Performance Ben Livshits Microsoft Research (joint work with Emre.
C C Implementation  Prototype based on Firefox 3.0b2 codebase/ Spidermonkey VM  Uses SM contexts to manage multiple JavaScript execution contexts simultaneously.
Web Design: Basic to Advanced Techniques Fall 2010 Mondays 7-9pm 200 Sutardja-Dai Hall Introduction to PHP.
Rich Layout from First Principles Specification, Generation, and Parallelization Adam Jiang, Leo Meyerovich with Seth Fowler, John Ng, and RasBodik Hot.
PERFORMANCE ENHANCEMENT IN ASP.NET By Hassan Tariq Session #1.
GAZELLE THE MULTI-PRINCIPAL OS CONSTRUCTION OF THE GAZELLE WEB BROWSER.
CISC 3140 (CIS 20.2) Design & Implementation of Software Application II Instructor : M. Meyer Address: Course Page:
Vaibhav Rastogi and Yi Yang.  SOP is outdated  Netscape introduced this policy when most content on the Internet was static  Differences amongst different.
CS50 Week 9 Sam Green ’
Events & Callbacks (ESaaS §6.5) © 2013 Armando Fox & David Patterson, all rights reserved.
Web Technologies Lecture 7 Synchronous vs. asynchronous.
Plug-in Architectures Presented by Truc Nguyen. What’s a plug-in? “a type of program that tightly integrates with a larger application to add a special.
Mobile: Today and Beyond Stuart Parmenter, Director of Mobile
Targeted Bottleneck #1: Rule Matching EECS Electrical Engineering and Computer Sciences B ERKELEY P AR L AB Parallel Cascading Style Sheets Leo Meyerovich,
An Overview of the AgentCubes Web API Scott Keller Erin Rowland Stuart Reed Michael Wally George McCabe dy· na· mo: (n.) A generator 1Erin Rowland.
1 Javascript CS , Spring What is Javascript ? Browser scripting language  Dynamic page creation  Interactive  Embedded into HTML pages.
Web Components Polymer. Agenda I want bootstrap : 3 Today.
Cloud Environment Spring  Microsoft Research Browser (2009)  Multi-Principal Environment with Browser OS  Next Step Towards Secure Browser 
Microsoft Edge F12 Use Microsoft Edge to finish turning F12 around and get her going in the right direction F12 Focus for Win10.
The State of WebDynamo: An AgentCubes Web API Scott Keller Erin Rowland Stuart Reed Michael Wally George McCabe dy· na· mo: (n.) A generator 1Erin Rowland.
CGS 3066: Web Programming and Design Spring 2016 Introduction to JavaScript.
CNIT 133 Interactive Web Pags – JavaScript and AJAX Popup Boxes.
1 WebAssembly: WASM means more powerful web apps. 류철 한국전자통신연구원 모바일서비스플랫폼연구팀.
Building a Chrome extension Chance Feick |. Outline History Development – Manifest File – Content Scripts – chrome.* API Installation Deployment Live.
Introduction to WebKit Girish Ramakrishnan. History
Programming Web Pages with JavaScript
Windows Summit /4/2018 © 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be.
Leo Meyerovich, David Zhu
Introduction to Programming the WWW I
Building Native Mobile Apps with Angular 2.0 and NativeScript
Unit 6 part 3 Test Javascript Test.
Client-Server Model: Requesting a Web Page
Murach's JavaScript and jQuery (3rd Ed.)
Presentation transcript:

Secure Cooperative Sharing of JavaScript, Browser, and Physical Resources Benjamin Livshits UC Berkeley Leo Meyerovich, David Zhu

Web Application Security lipstick on a pig?

JIT compilers partitioned hardware Not Your Mother’s Browser browser kernels

Mashup Manifesto 1.sharing requires control 2.sharing must be natural 3.sharing must be cheap

What to Share? disk Hardware JavaScript Browser APIs parser, DOM, network,...

1.<CoFrame src= id=gadget 2. passthroughBrowser="html css js" 3. delegatePhysical=".1 cpu"/> var toggle = true; 5. delegateBrowser(“network”, gadget, " 6. function () { if (toggle) return true; }); 7. function getData() { 8. toggle = false; 9. return "profile data"; } 10. aroundJS(gadget, getData, 11. function proceed (continue) { return continue(); });

JS Sharing with Cross-Principal Advice function getData Function.prototype AliceBob __proto__

JS Sharing with Cross-Principal Advice function getData Function.prototype __proto__ AliceBob

JS Sharing with Cross-Principal Advice function getData Function.prototype __proto__ function proceed execute function defaultDeny Messages execute set fld val get fld addField fld val removeField fld AliceBob set, get, … function proceed (continue) { return continue(); } function defaultDeny (continue) { throw ‘err’ }

JS Sharing with Cross-Principal Advice function getData Function.prototype __proto__ function proceed execute function defaultDeny Messages execute set fld val get fld addField fld val removeField fld AliceBob set, …, get

JS Sharing with Cross-Principal Advice function getData Function.prototype __proto__ function proceed execute function defaultDeny Messages execute set fld val get fld addField fld val removeField fld AliceBob execute, set, get, addField, removeField set, …, get Cornelia set, …

browser Browser API Sharing with Non-Tampering Advice facebook.com gadget.com delegateBrowser(“network”, gadget, " function () { if (toggle) return true; }); delegation: non-tampering advice facebook.com parser, DOM, CSS,...

Physical Resource Sharing with TessellationOS disk layout render layout render layout render … ……

Mashup Manifesto 1.sharing requires control 2.sharing must be natural 3.control must be cheap

Related Work Physical Resource Sharing Resource Containers E Gazelle TessellationOS Chrome JavaScript Sharing Caja MashupOS Object Views ConScript Browser API Sharing OP Browser ConScript ServiceOS

backup slides.

Sharing Browser APIs: Today Facebook.com advice DOM (FFI)

Sharing Browser APIs: Tomorrow Facebook.com DOM (FFI) advice browser kernel b r o w s e r k e r n e l

The Times They Are A-Changin’ method-based JIT trace-based compilation static compilation method-based JIT trace-based compilation static compilation GPU rendering parser generator parallel layout multicore CSS selectors parallel parsing hardware partitioning hypervisor, microkernel, browser JIT (C#, X86, …) browser kernel solver generator

container.com gadget.com BROWS ER

container.com gadget.com BROWS ER gadget fork bomb!!! YouTube policy?

container.com gadget.com BROWS ER A New Hope

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.