1. S ECURING WEB 2.0 APPLICATIONS THROUGH REPLICATED EXECUTION Ben Livshits Microsoft Research K. Vikram Cornell University Abhishek Prateek IIT Delhi

2. Web 2.0 is Upon Us 2

3. JavaScript + DHTML Client-side computation Server-side computation Client-side rendering Static HTML Web 1.0 → Web 2.0 3 Advantage of the AJAX model: greater application responsiveness Advantage of the AJAX model: greater application responsiveness

4. Motivation

5. AJAX-based Shopping Cart (Fantasy) 5 clientserver 1 final RPC

6. Motivation Shopping Cart (Reality) 6 clientserver

7. Motivation Web Developer’s Mantra Thou shall not trust the client No data integrity No code integrity 7

8. Motivation Tension Headaches 8 Move code to the server for security Move code to client for performance

9. Motivation Security vs. Performance 9 responsiveness security Web 1.0: ASP.NET PHP Web 2.0: AJAX Silverlight Ripley With Ripley, placing computation on the client does not reduce the computational integrity Focus on integrity, not confidentiality Doesn't not protect against other issues like SQL injection attacks Focus on integrity, not confidentiality Doesn't not protect against other issues like SQL injection attacks

10. Architecture

11. Algorithms Ripley Architecture 1.Keep a replica of the client code 2.Capture user events & transmit to server for replay 3.Compare server and client results Server Replica Client Ripley checker events = {key: ‘a’, id=‘name’; click: id=‘name’} m' m e 11

12. Algorithms Zero-latency RPCs 12 ReplicaServerDatabaseClient.NET JavaScript

13. Algorithms Seems Too Much Like Magic. Is this Feasible? Create deterministic replay system – How to we replicate JavaScript code? – Cross-browser differences? – Non-determinism? How do we scale it? – Replica overhead on server – Hundreds of concurrent replicas 13

14. Algorithms The Volta Distributing Compiler Illustrated 14 IL-to-IL IL-to-JS JS.NET bytecode Volta Replica

15. Algorithms Ripley Architecture 1.Keep a replica of the client code 2.Capture user events & transmit to server for replay 3.Compare server and client results Ripley checker events = {key: ‘a’, id=‘name’; click: id=‘name’} m' m e Client Server Replica 15 Client-side code instrumented – Rewrite event handlers – Capture “default” events Network overhead – Buffer events for performance – Piggy-back on existing RPCs

16. Algorithms Ripley Architecture 1.Keep a replica of the client code 2.Capture user events & transmit to server for replay 3.Compare server and client results Client Ripley checker events = {key: ‘a’, id=‘name’; click: id=‘name’} m' m e Server Replica Run replica in a Ripley emulator In.NET, not in JavaScript, 10-100x speed increase 16

17. Experiments

18. Ripley Applications Shopping cart Sudoku Blog Speed typing Online Quiz Distributed online game 18

19. Experiments Performance Overhead: Volta Benchmarks 19

20. Experiments Replicating Hotmail Hotmail size – 793 KB download – 703 KB JavaScript – 31,000+ lines of code 20 10 minutes of normal use Requests: 617 KB Responses: 3,045 KB

21. Experiments Replicating Hotmail 21

22. Conclusions 1.Strong protection: – Automatic protection of distributed web apps – Provides strong integrity guarantees 2.Easy for developer: – No developer involvement required – Protects existing Volta apps out-of-the-box 22

23. Ripley: Vision for the Future Secure-by-construction Software + Services 23 Ripley server farm Web 2.0 App

24. Contact us Ben Livshits (livshits@microsoft.com)livshits@microsoft.com Microsoft Research Ripley project 24

25. Algorithms Malicious Event Stream Server Replica Client Ripley checker events = {key: ‘$’, id=‘$%$^&’; click: id=‘name’} m' m e 25 ‘$%$^&’ Every attack against integrity of the Ripley-protected application was possible against the standalone app