A Safety-Oriented Platform for Web Applications. Richard S. Cox, Jacob Gorm Hansen, Steven D. Gribble, Henry M. Levy. IEEE S&P 2006. Presentation transcript by Zong-Cing Lin.

Slide 1: Title
A Safety-Oriented Platform for Web Applications
Richard S. Cox, Jacob Gorm Hansen, Steven D. Gribble, Henry M. Levy
IEEE S&P 2006
Presenter: Zong-Cing Lin @ PAS, CSIE

Slide 2: Outline
- Introduction
- Tahoma's Architecture and Abstractions
- Evaluation: Safety and Performance
- Related Work
- Conclusion
- Follow-up Research

Slide 3: Introduction
- The Web was once a repository of interconnected, static content.
- Recently it has become a delivery system for complex, distributed applications and active content.
- Modern browsers now serve as de facto operating systems, managing dynamic and potentially malicious applications.
- Unfortunately, browsers have not adapted to their new role, leaving the user vulnerable to many potential threats.

Slide 4: Architecture principles
- A thorough re-examination of the basic browser architecture is required.
- This paper follows these design principles:
  - Web applications should not be trusted.
  - Web browsers should not be trusted.
  - Users should be able to identify and manage downloaded Web applications.

Slide 5: How to achieve those principles?
- Enforce isolation between web applications.
- Enforce isolation between each web application and the host OS.
- Enforce policies defined by the web service to control the browsing behavior of its own application.

Slide 6: Tahoma Architecture
- A trusted system layer, the browser operating system (BOS).
- Explicit support for Web applications:
  - Browser instance: a client-side browser executing dynamic web content and code.
  - Web service: a collection of web sites with which the browser instance is permitted to communicate.

Slide 7: Architecture
[Figure: Tahoma architecture diagram]

Slide 8: What should the BOS do?
- It provides resources to browser instances and manages those resources:
  - Sandbox
  - Network proxy
  - Storage
  - Bookmarks
  - Download management
  - Display

Slide 9: Browser Operating System
The three main BOS processes are:
- The BOS kernel: manages browser instances and the durable storage of the system.
- The network proxy: a reverse firewall that enforces network access policies for Web applications.
- The window manager: aggregates browser instance windows onto the physical screen.

Slide 10: BOS Architecture
[Figure: BOS architecture diagram]

Slide 11: [Figure only]

Slide 12: Accessing a Web application for the first time
- The user must approve its installation.
- Only then will Tahoma create a new virtual machine, install the browser code and data within it, and execute the new browser instance.
- The BOS caches approvals, so the user need not re-approve a Web application on subsequent executions.

Slide 13: Manifests
An XML document that includes:
- A machine-readable manifest name
- A human-readable Web application name
- A globally unique identifier for the application
- A network policy
- A browser policy
- A digital signature from the Web service

Slide 14: Manifests (cont'd)
[Figure: example manifest]

Slide 15: Tahoma's architecture with VMs
The VM environment provided for the browser instance has several advantages:
- A web application is safe from interference by other applications.
- The user can easily remove all local effects of a web application simply by deleting its VM.
- The VM environment increases flexibility in how web applications are programmed.

Slide 16: Xen and BOS
[Figure: Xen and BOS layering]

Slide 17: Communication between BOS and browser instances
Instance-to-BOS communication:
- XML-formatted remote procedure calls
- Carried over a TCP connection
- Messages arriving on these links are authentic: the BOS identifies the calling instance by the link a message arrives on, much as a traditional kernel uses the current process ID to determine the origin of a system call.

Slide 18: Transfer of objects outside of a VM
- E.g. copying a photo from a web-mail application into a photo album, or vice versa.
- The BOS kernel implements a private "holding bin" for each browser instance.
  - Two browser-calls (instance to BOS): BinStore and BinFetch.
  - Transfers between the holding bin and the host OS are initiated explicitly by the user through a trusted Tahoma tool; they cannot be initiated by the browser instance.
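The holding-bin rules on this slide, worked through as an added model (not Tahoma's code): the caller's identity comes from the link a browser-call arrives on, each instance sees only its own bin, and only the user's trusted tool moves objects across the VM boundary. Instance names, paths and the sample bytes are constructed.

```python
class PolicyViolation(Exception):
    """Raised when a browser-call asks for something the BOS does not offer."""

class BOSKernel:
    """Model of the BOS holding-bin mechanism (constructed, not Tahoma's code)."""

    def __init__(self):
        self._bins = {}       # instance id -> {object name: bytes}; one private bin each
        self.host_files = {}  # host OS path -> bytes; what actually left the sandboxes

    def new_instance(self, instance_id):
        self._bins[instance_id] = {}

    def browser_call(self, link_owner, op, name, data=None):
        """Handle an instance-to-BOS call. link_owner is the instance that owns the
        link the message arrived on; the message body cannot claim another identity."""
        bin_ = self._bins[link_owner]
        if op == "BinStore":
            bin_[name] = bytes(data)
            return True
        if op == "BinFetch":
            return bin_.get(name)  # None if this instance never stored it
        # No browser-call moves data to the host OS; anything else is refused.
        raise PolicyViolation("unsupported browser-call: %s" % op)

    def user_export(self, instance_id, name, host_path):
        """Trusted Tahoma tool, run by the user: holding bin -> host OS."""
        self.host_files[host_path] = self._bins[instance_id][name]

    def user_import(self, host_path, instance_id, name):
        """Trusted Tahoma tool, run by the user: host OS -> holding bin."""
        self._bins[instance_id][name] = self.host_files[host_path]

def copy_photo_via_user():
    """The slide's scenario: webmail -> host OS -> photo album, mediated by the user."""
    bos = BOSKernel()
    bos.new_instance("webmail")
    bos.new_instance("album")
    photo = b"\x89PNG constructed sample bytes"
    bos.browser_call("webmail", "BinStore", "cat.png", photo)
    if bos.browser_call("album", "BinFetch", "cat.png") is not None:
        return False  # bins are private: album must not see webmail's object
    try:
        bos.browser_call("webmail", "HostExport", "cat.png")
        return False  # an instance must not be able to reach the host by itself
    except PolicyViolation:
        pass
    bos.user_export("webmail", "cat.png", "/home/user/cat.png")
    bos.user_import("/home/user/cat.png", "album", "cat.png")
    return bos.browser_call("album", "BinFetch", "cat.png") == photo
```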

Slide 19: Browser Instance
- Fettered Internet link
  - A Xen virtual point-to-point network link is established between the browser instance and the BOS.
  - An HTTP proxy process running in the BOS checks each requested URL against the browser instance's network policy.
- Virtual disks
  - A read-only root disk: the base file system for the browser instance, including its OS image.
  - A writable data disk: for any data the browser instance needs to store durably on the local system.
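The manifest fields of slide 13 and the proxy check of slide 19, as an added example that is not from the paper or the presentation: a constructed manifest (field names from the slide; the XML layout, attribute names and host values are assumptions) is parsed, and the BOS network proxy's decision for one requested URL is made against its network policy. Host patterns starting with "*." are an assumed convention for matching subdomains only.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample manifest. Field names follow the slide; the XML layout,
# attribute names and values are assumptions for this example, not Tahoma's schema.
MANIFEST_XML = """<manifest name="webmail-v1">
  <app-name>Example Web Mail</app-name>
  <app-id>urn:uuid:00000000-0000-4000-8000-000000000001</app-id>
  <network-policy>
    <allow host="mail.example.com"/>
    <allow host="*.static.example.com"/>
  </network-policy>
  <browser-policy image="browser-base-v1"/>
  <signature>PLACEHOLDER-SIGNATURE</signature>
</manifest>"""

REQUIRED = ("app-name", "app-id", "network-policy", "browser-policy", "signature")

def parse_manifest(xml_text):
    """Parse a manifest into a dict; reject one that lacks a required field."""
    root = ET.fromstring(xml_text)
    missing = [tag for tag in REQUIRED if root.find(tag) is None]
    if missing:
        raise ValueError("manifest missing fields: " + ", ".join(missing))
    policy = root.find("network-policy")
    return {
        "name": root.get("name"),
        "app_name": root.findtext("app-name"),
        "app_id": root.findtext("app-id"),
        "browser_image": root.find("browser-policy").get("image"),
        "allowed_hosts": [a.get("host").lower() for a in policy.findall("allow")],
    }

def host_matches(host, pattern):
    """Exact host match, or a '*.' pattern that matches subdomains only."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern

def proxy_allows(manifest, url):
    """The decision the BOS network proxy makes for one requested URL."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    # urlsplit strips userinfo and port, so a "user@other.test" style URL
    # is judged on the real host, not on the text before the '@'.
    host = (parts.hostname or "").lower()
    if not host:
        return False
    return any(host_matches(host, p) for p in manifest["allowed_hosts"])

MANIFEST = parse_manifest(MANIFEST_XML)
```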

Slide 20: Browser Instance (cont'd)
Advantages of the virtual disk policy:
- It permits simple update semantics if the root disk changes.
- The user's OS is isolated from potentially dangerous changes, e.g. spyware.
- The user can remove all durable changes made by an application simply by deleting its browser instance.

Slide 21: Window Manager
Running in the BOS.
- For performance: the window manager offloads work using functions available in the GPU.
- For safety:
  - All graphics state is maintained by, and charged to, the browser instances themselves.
  - This ensures that browser instances cannot perform DoS attacks by consuming excessive BOS resources.

Slide 22: Window Manager (cont'd)
[Figure: window manager]

Slide 23: Browsers (or other applications)
Three kinds of modifications may be necessary:
- Linking to libQT to access the Tahoma graphics subsystem
- Using browser-calls to access remote services
- Using browser-calls for new functions

Slide 24: Evaluate Safety
1. Weak sandbox: active content can replace a portion of the JavaScript runtime with its own scripts and gain access to trusted areas of Mozilla.
2. Vulnerable sharing interface: by crafting an HTML upload form, attackers can select the name of a file to transfer, accessing any file on the user's machine.
3. Improper labeling: by subverting DNS, an attacker can trick a browser into sending cached credentials to an IP address of the attacker's choosing.
4. Interface spoofing: web content can override Mozilla's user interface, allowing attackers to spoof interface elements or remote sites.
5. Other: though instructed by the user not to do so, Mozilla stores a password on disk.

Class | % contained
1 Weak sandbox | 100% (55 of 55)
2 Vulnerable sharing interface | 86% (25 of 29)
3 Improper labeling | 33% (4 of 12)
4 Interface spoofing | 100% (11 of 11)
5 Other | 0% (2 of 2)

Slide 25: Evaluate Performance
Experimental environment:
- Intel Pentium 4 3.0 GHz with 800 MHz front-side bus
- 1 GB of RAM
- ATI Radeon 9600SE
- Intel Pro/1000 NIC
- Asante FriendlyNet GZ5-2400 gigabit switch
- Linux kernel 2.6.10
- Xen 2.0 unstable branch with patches through March 7, 2005

Slide 26: Browser fork latency
[Figure: browser fork latency]

Slide 27: Web object download latency (LAN)
[Figure: download latency]
- 444 ms: this latency is well below the 625 ms response-time threshold for users to operate in an optimal "automatic response" mode.
- Threshold from "A performance model of system delay and user strategy selection", SIGCHI Conference on Human Factors in Computing Systems, 1992.

Slide 28: Long-lived TCP throughput (LAN)
[Figure: TCP throughput]

Slide 29: Interrupt Batching
- For a 10 Mb or 100 Mb NIC:
  - One hardware interrupt per packet
  - System crash for a 1 Gb NIC (interrupt livelock)
- Interrupt batching:
  - One hardware interrupt for many packets (depending on NIC buffer size)

Slide 30: User Interface Performance
- MPlayer, standing in for streaming media applications
- 512x304 pixel DivX/AVI video at 25 frames per second

Slide 31: Related Work
- Web security vulnerabilities: Java applets, SQL injection, buffer overflows, etc.
- Sandboxes: safely executing downloaded applications
- Trust and user interfaces: spoofing the user interface of trusted executables, fooling the user into providing sensitive information

Slide 32: Conclusions
Tahoma can prevent or contain 87% of the vulnerabilities that have been identified in the widely used Mozilla browser, and it gains the benefits of stronger isolation and safety without sacrificing performance.

Slide 33: Follow-up research 1
Temporal search: detecting hidden malware timebombs with virtual machines
- Jedidiah R. Crandall, Gary Wassermann, Daniela A. S. de Oliveira, Zhendong Su, S. Felix Wu, Frederic T. Chong (University of California)
- ASPLOS 2006

Slide 34: Follow-up research 2
Protection and Communication Abstractions for Web Browsers in MashupOS
- Helen J. Wang, Xiaofeng Fan, Jon Howell (Microsoft Research, Redmond, WA)
- Collin Jackson (Stanford University, Palo Alto, CA)
- SIGOPS 2007
