Presentation is loading. Please wait.

Presentation is loading. Please wait.

Secure Cooperative Sharing of JavaScript, Browser, and Physical Resources Benjamin Livshits UC Berkeley Leo Meyerovich, David Zhu.

Published byEvangeline Ryan Modified over 9 years ago

Similar presentations

Presentation on theme: "Secure Cooperative Sharing of JavaScript, Browser, and Physical Resources Benjamin Livshits UC Berkeley Leo Meyerovich, David Zhu."— Presentation transcript:

1 Secure Cooperative Sharing of JavaScript, Browser, and Physical Resources Benjamin Livshits UC Berkeley Leo Meyerovich, David Zhu

2 Web Application Security lipstick on a pig?

3 JIT compilers partitioned hardware Not Your Mother’s Browser browser kernels

4 Mashup Manifesto 1.sharing requires control 2.sharing must be natural 3.sharing must be cheap

5 What to Share? disk Hardware JavaScript Browser APIs parser, DOM, network,...

6 1.<CoFrame src=http://gadget.com/page id=gadget 2. passthroughBrowser="html css js" 3. delegatePhysical=".1 cpu"/>... 4. var toggle = true; 5. delegateBrowser(“network”, gadget, "http://gadget.com", 6. function () { if (toggle) return true; }); 7. function getData() { 8. toggle = false; 9. return "profile data"; } 10. aroundJS(gadget, getData, 11. function proceed (continue) { return continue(); });

7 JS Sharing with Cross-Principal Advice function getData Function.prototype AliceBob __proto__

8 JS Sharing with Cross-Principal Advice function getData Function.prototype __proto__ AliceBob

9 JS Sharing with Cross-Principal Advice function getData Function.prototype __proto__ function proceed execute function defaultDeny Messages execute set fld val get fld addField fld val removeField fld AliceBob set, get, … function proceed (continue) { return continue(); } function defaultDeny (continue) { throw ‘err’ }

10 JS Sharing with Cross-Principal Advice function getData Function.prototype __proto__ function proceed execute function defaultDeny Messages execute set fld val get fld addField fld val removeField fld AliceBob set, …, get

11 JS Sharing with Cross-Principal Advice function getData Function.prototype __proto__ function proceed execute function defaultDeny Messages execute set fld val get fld addField fld val removeField fld AliceBob execute, set, get, addField, removeField set, …, get Cornelia set, …

12 browser Browser API Sharing with Non-Tampering Advice facebook.com gadget.com delegateBrowser(“network”, gadget, "http://gadget.com", function () { if (toggle) return true; }); delegation: non-tampering advice facebook.com parser, DOM, CSS,...

13 Physical Resource Sharing with TessellationOS disk layout render layout render layout render … ……

14 Mashup Manifesto 1.sharing requires control 2.sharing must be natural 3.control must be cheap

15 Related Work Physical Resource Sharing Resource Containers E Gazelle TessellationOS Chrome JavaScript Sharing Caja MashupOS Object Views ConScript Browser API Sharing OP Browser ConScript ServiceOS

16 backup slides.

17

18 Sharing Browser APIs: Today Facebook.com advice DOM (FFI)

19 Sharing Browser APIs: Tomorrow Facebook.com DOM (FFI) advice browser kernel b r o w s e r k e r n e l

20 The Times They Are A-Changin’ method-based JIT trace-based compilation static compilation method-based JIT trace-based compilation static compilation GPU rendering parser generator parallel layout multicore CSS selectors parallel parsing hardware partitioning hypervisor, microkernel, browser JIT (C#, X86, …) browser kernel solver generator

21 container.com gadget.com BROWS ER

22 container.com gadget.com BROWS ER gadget fork bomb!!! YouTube policy?

23 container.com gadget.com BROWS ER A New Hope

Download ppt "Secure Cooperative Sharing of JavaScript, Browser, and Physical Resources Benjamin Livshits UC Berkeley Leo Meyerovich, David Zhu."

Similar presentations

Presented by Vaibhav Rastogi. Current browsers try to separate host system from Web Websites evolved into web applications Lot of private data on the.

Presented by Vaibhav Rastogi. Current browsers try to separate host system from Web Websites evolved into web applications Lot of private data on the.
Molecular Biomedical Informatics Web Programming 1.

Molecular Biomedical Informatics Web Programming 1.
Context-Sensitive Auto-Sanitization In Web Templating Languages Using Type Qualifiers Prateek Saxena UC Berkeley Mike Samuel Google Dawn Song UC Berkeley.

Context-Sensitive Auto-Sanitization In Web Templating Languages Using Type Qualifiers Prateek Saxena UC Berkeley Mike Samuel Google Dawn Song UC Berkeley.
Atlantis: Robust, Extensible Execution Environments for Web Applications Hi! Today I’ll describe Atlantis, which is a new exokernel architecture for web.

Atlantis: Robust, Extensible Execution Environments for Web Applications Hi! Today I’ll describe Atlantis, which is a new exokernel architecture for web.
Web Applications HTML5 Games Windows 8 HTML Apps Basic Web Pages JavaScript Execution Speed DOM Interactions Accelerated Graphics Page Load Time.

Web Applications HTML5 Games Windows 8 HTML Apps Basic Web Pages JavaScript Execution Speed DOM Interactions Accelerated Graphics Page Load Time.
GATEKEEPER MOSTLY STATIC ENFORCEMENT OF SECURITY AND RELIABILITY PROPERTIES FOR JAVASCRIPT CODE Salvatore Guarnieri & Benjamin Livshits Presented by Michael.

GATEKEEPER MOSTLY STATIC ENFORCEMENT OF SECURITY AND RELIABILITY PROPERTIES FOR JAVASCRIPT CODE Salvatore Guarnieri & Benjamin Livshits Presented by Michael.
1. 2 “Well-designed graphics are usually the simplest” Big Data is Different: going from Data Reporting to Knowledge Discovery … small & static charts.

1. 2 “Well-designed graphics are usually the simplest” Big Data is Different: going from Data Reporting to Knowledge Discovery … small & static charts.
1 Yinzhi Cao, Zhichun Li *, Vaibhav Rastogi, Yan Chen, and Xitao Wen Labs of Internet Security and Technology Northwestern University * NEC Labs America.

1 Yinzhi Cao, Zhichun Li *, Vaibhav Rastogi, Yan Chen, and Xitao Wen Labs of Internet Security and Technology Northwestern University * NEC Labs America.
Presented by Vaibhav Rastogi.  Advent of Web 2.0 and Mashups  Inclusion of untrusted third party content a necessity  Need to restrict the functionality.

Presented by Vaibhav Rastogi.  Advent of Web 2.0 and Mashups  Inclusion of untrusted third party content a necessity  Need to restrict the functionality.
ConScript Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser Leo Meyerovich UC Berkeley Benjamin Livshits Microsoft.

ConScript Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser Leo Meyerovich UC Berkeley Benjamin Livshits Microsoft.
Vaibhav Rastogi and Yi Yang.  Web 2.0 – rich applications  A website hosts content it may not be responsible for  Third party gadgets  Third party.

Vaibhav Rastogi and Yi Yang.  Web 2.0 – rich applications  A website hosts content it may not be responsible for  Third party gadgets  Third party.
Secure web browsers, malicious hardware, and hardware support for binary translation Sam King.

Secure web browsers, malicious hardware, and hardware support for binary translation Sam King.
S CRIPT G ARD Automatic Context-Sensitive Sanitization for Large-Scale Legacy Web Applications Prateek Saxena UC Berkeley David Molnar Microsoft Research.

S CRIPT G ARD Automatic Context-Sensitive Sanitization for Large-Scale Legacy Web Applications Prateek Saxena UC Berkeley David Molnar Microsoft Research.
IS 360 Course Introduction. Slide 2 What you will Learn (1) The role of Web servers and clients How to create HTML, XHTML, and HTML 5 pages suitable for.

IS 360 Course Introduction. Slide 2 What you will Learn (1) The role of Web servers and clients How to create HTML, XHTML, and HTML 5 pages suitable for.
Phu H. Phung Chalmers University of Technology JSTools’ 12 June 13, 2012, Beijing, China Joint work with Lieven Desmet (KU Leuven)

Phu H. Phung Chalmers University of Technology JSTools’ 12 June 13, 2012, Beijing, China Joint work with Lieven Desmet (KU Leuven)
Canvas, SVG, Workers Doncho Minkov Telerik Corporation www.telerik.com.

Canvas, SVG, Workers Doncho Minkov Telerik Corporation
Forms, Validation Week 7 INFM 603. Announcements Try placing today’s example in htdocs (XAMPP). This will allow you to execute examples that rely on PHP.

Forms, Validation Week 7 INFM 603. Announcements Try placing today’s example in htdocs (XAMPP). This will allow you to execute examples that rely on PHP.
JavaScript CMPT 281. Outline Introduction to JavaScript Resources What is JavaScript? JavaScript in web pages.

JavaScript CMPT 281. Outline Introduction to JavaScript Resources What is JavaScript? JavaScript in web pages.
Browserscope O'Reilly Velocity OLC Dec 8, 2009. www.browserscope.org.

Browserscope O'Reilly Velocity OLC Dec 8,
Virtualization Concept. Virtualization  Real: it exists, you can see it.  Transparent: it exists, you cannot see it  Virtual: it does not exist, you.

Virtualization Concept. Virtualization  Real: it exists, you can see it.  Transparent: it exists, you cannot see it  Virtual: it does not exist, you.

Similar presentations

Ads by Google