Presentation is loading. Please wait.

Presentation is loading. Please wait.

A UTOMATICALLY SECURING WEB 2.0 APPLICATIONS THROUGH REPLICATED EXECUTION Ben Livshits Microsoft Research.

Published byPierce Freeman Modified over 8 years ago

Similar presentations

Presentation on theme: "A UTOMATICALLY SECURING WEB 2.0 APPLICATIONS THROUGH REPLICATED EXECUTION Ben Livshits Microsoft Research."— Presentation transcript:

1 A UTOMATICALLY SECURING WEB 2.0 APPLICATIONS THROUGH REPLICATED EXECUTION Ben Livshits Microsoft Research

2 Web 2.0 is Upon Us 2

3 JavaScript + DHTML Client-side computation Server-side computation Client-side rendering Static HTML Web 1.0 → Web 2.0 3

4 M OTIVATION & P ROJECT G OALS

5 Motivation Microsoft Company Store 5

6 Motivation Distributed Computing on a Planetary Scale Nepal 6

7 Motivation Web Developer’s Mantra Thou shall not trust the client No data integrity No code integrity 7

8 Motivation Tension Headaches 8 Move code to the server for security Move code to client for performance

9 Motivation Security vs. Performance 9 responsiveness security Web 1.0: ASP.NET PHP Web 2.0: AJAX Silverlight Ripley With Ripley, placing computation on the client does not reduce computational integrity

10 A RCHITECTURE

11 Algorithms Ripley Architecture 1.Keep a replica of the client code 2.Capture user events & transmit to server for replay 3.Compare server and client results Server Replica Client Ripley checker events = {key: ‘a’, id=‘name’; click: id=‘name’} m' m e 11

12 Algorithms Ripley Architecture 1.Keep a replica of the client code 2.Capture user events & transmit to server for replay 3.Compare server and client results Ripley checker events = {key: ‘a’, id=‘name’; click: id=‘name’} m' m e Client Client-side code instrumented Rewrite event handlers Capture “default” events Buffer events for performance Server Replica button.onClick = function buttonHandler(e) { var obj = eventTrigger(e); var notify = document.getElementById && document.getElementById('notify'); notify.value = 'You clicked on ' + obj.value; return true; }; button.onClick = function buttonHandler(e) { ripleyEnqueue(e); // inserted by rewriting var obj = eventTrigger(e); var notify = document.getElementById && document.getElementById('notify'); notify.value = 'You clicked on ' + obj.value; return true; }; 12

13 Algorithms Ripley Architecture 1.Keep a replica of the client code 2.Capture user events & transmit to server for replay 3.Compare server and client results Client Ripley checker events = {key: ‘a’, id=‘name’; click: id=‘name’} m' m e Server Replica Run replica in a Ripley emulator Run in.NET, not in JavaScript, 100x speed increase 13

14 Algorithms Implementation Details Client: Run as part of tier-splitting – Rewrite client component to capture events – Queue on the client, marshal to the server Server: Rewrite the original assembly – Catch events on the server, de-marshal – Checker: compare m vs. m’ Client replica: – Emulator is a light-weight browser replacement – Client adapted to run within the emulator 14

15 Algorithms Eager vs. Lazy Transfer 15

16 E XPERIMENTAL R ESULTS

17 Experiments Ripley Applications Shopping cart Sudoku Blog Speed typing Online Quiz Distributed online game 17

18 Experiments Performance Overhead Summary 18

19 Experiments Network Overhead 19

20 Experiments Client and Server Overhead 20

21 Experiments Memory Overhead 21

22 Conclusions 1.Strong protection: – Automatic protection of distributed web apps – Provides strong integrity guarantees 2.Easy for developer: – No developer involvement required – Protects existing Volta apps out-of-the-box 22

23 Ripley: Vision for the Future Secure-by-construction Software + Services 23 Ripley server farm Web 2.0 App

24 Contact us Ben Livshits (livshits@microsoft.com)livshits@microsoft.com Microsoft Research Ripley project 24

Download ppt "A UTOMATICALLY SECURING WEB 2.0 APPLICATIONS THROUGH REPLICATED EXECUTION Ben Livshits Microsoft Research."

Similar presentations

Database Architectures and the Web

Database Architectures and the Web
Oracle Database Architectures Are Extremely Complex, And Very Expensive. All of Their Complexity Goes Away ! The Snippet Engine Network Architectures Are.

Oracle Database Architectures Are Extremely Complex, And Very Expensive. All of Their Complexity Goes Away ! The Snippet Engine Network Architectures Are.
11 ASP.NET Slides based off:. 22 B ACKGROUND - W EB A RCHITECTURE Web Server PC/Mac/Unix/... + Browser Client Server Request:

11 ASP.NET Slides based off:. 22 B ACKGROUND - W EB A RCHITECTURE Web Server PC/Mac/Unix/... + Browser Client Server Request:
Administrative  Philosophy  Class survey  Grading  Proposal (5 points max)  Small projects (10 points each max)  Project (40 points max)  Presentation.

Administrative  Philosophy  Class survey  Grading  Proposal (5 points max)  Small projects (10 points each max)  Project (40 points max)  Presentation.
Gatekeeper : Mostly Static Enforcement of Security & Reliability Policies for JavaScript Code Ben Livshits Salvatore Guarnieri.

Gatekeeper : Mostly Static Enforcement of Security & Reliability Policies for JavaScript Code Ben Livshits Salvatore Guarnieri.
IS 360 Course Introduction. Slide 2 What you will Learn (1) The role of Web servers and clients How to create HTML, XHTML, and HTML 5 pages suitable for.

IS 360 Course Introduction. Slide 2 What you will Learn (1) The role of Web servers and clients How to create HTML, XHTML, and HTML 5 pages suitable for.
S ECURING WEB 2.0 APPLICATIONS THROUGH REPLICATED EXECUTION Ben Livshits Microsoft Research K. Vikram Cornell University Abhishek Prateek IIT Delhi.

S ECURING WEB 2.0 APPLICATIONS THROUGH REPLICATED EXECUTION Ben Livshits Microsoft Research K. Vikram Cornell University Abhishek Prateek IIT Delhi.
Ben Livshits and Emre Kiciman Microsoft Research Redmond, WA.

Ben Livshits and Emre Kiciman Microsoft Research Redmond, WA.
Outline IS400: Development of Business Applications on the Internet Fall 2004 Instructor: Dr. Boris Jukic Server Side Web Technologies: Part 1.

Outline IS400: Development of Business Applications on the Internet Fall 2004 Instructor: Dr. Boris Jukic Server Side Web Technologies: Part 1.
Introduction to Web Based Application. Web-based application TCP/IP (HTTP) protocol Using WWW technology & software Distributed environment.

Introduction to Web Based Application. Web-based application TCP/IP (HTTP) protocol Using WWW technology & software Distributed environment.
Apache Tomcat Server Typical html Request/Response cycle

Apache Tomcat Server Typical html Request/Response cycle
Administrative  Philosophy  Class survey  Grading  Project  Presentation.

Administrative  Philosophy  Class survey  Grading  Project  Presentation.
A UTOMATICALLY SECURING WEB 2.0 APPLICATIONS THROUGH REPLICATED EXECUTION K. Vikram, Abhishek Prateek, Ben Livshits.

A UTOMATICALLY SECURING WEB 2.0 APPLICATIONS THROUGH REPLICATED EXECUTION K. Vikram, Abhishek Prateek, Ben Livshits.
Part or all of this lesson was adapted from the University of Washington’s “Web Design & Development I” Course materials.

Part or all of this lesson was adapted from the University of Washington’s “Web Design & Development I” Course materials.
269200 Web Programming Language Dr. Ken Cosh Week 1 (Introduction)

Web Programming Language Dr. Ken Cosh Week 1 (Introduction)
JSZap: Compressing JavaScript Code Martin Burtscher, UT Austin Ben Livshits & Ben Zorn, Microsoft Research Gaurav Sinha, IIT Kanpur.

JSZap: Compressing JavaScript Code Martin Burtscher, UT Austin Ben Livshits & Ben Zorn, Microsoft Research Gaurav Sinha, IIT Kanpur.
Client/Server Architectures

Client/Server Architectures
INTRODUCTION TO WEB DATABASE PROGRAMMING

INTRODUCTION TO WEB DATABASE PROGRAMMING
Web Design Scripting and the Web. Books on Scripting.

Web Design Scripting and the Web. Books on Scripting.
Load Balancing Dan Priece. What is Load Balancing? Distributed computing with multiple resources Need some way to distribute workload Discreet from the.

Load Balancing Dan Priece. What is Load Balancing? Distributed computing with multiple resources Need some way to distribute workload Discreet from the.

Similar presentations

Ads by Google