A Safety-Oriented Platform for Web Applications
Authors: Richard S. Cox, Jacob Gorm Hansen, Steven D. Gribble, Henry M. Levy
Presenter: Jun Tao
Overview
• Introduction
• Architecture
• Implementation
• Evaluation
Introduction
• Nascent Web
– Hypertext document system
– Fetched and presented simple static content
• Modern Web
– Provides access to an enormous number of services and resources
– Downloads and executes programs
– A de facto operating system for executing client-side components of Web applications
Introduction
• Current browsers are vulnerable
– Drive-by downloads can cause spyware infections
– Trusted plug-ins may have security holes
– Browsers fail to provide isolation
Introduction
• A new browsing system architecture: Tahoma
– Three key principles
• Web applications should not be trusted
• Web browsers should not be trusted
• Users should be able to identify and manage downloaded Web applications
– Web applications are isolated in their own private virtual machines
– A prototype of the Tahoma browsing system has been implemented using Linux and the Xen virtual machine monitor
Architecture
• Tahoma’s six key features
– Defines a new trusted system layer, the browser operating system (BOS)
– Provides explicit support for Web applications
• Browser instance
• Web service
– Enforces isolation between Web applications
– Enforces policies defined by the Web service
• Manifest
– Supports an enhanced window interface
– Provides resource support
Architecture
• Web Applications
– The execution environment as viewed by a browser instance
Architecture
• Web Applications (continued)
– Users accessing a Web application for the first time must approve its installation
– Advantages of the VM environment
• A Web application is safe from interference by other applications
• Local effects can be easily removed
• Increases flexibility for the programming of Web applications
Architecture
• Web applications (continued)
– Manifest
• Used by the Web service to specify the characteristics of its application
• Can be retrieved by the BOS when it first accesses the service
• Carries a digital signature
• Specifies the code that will run in the browser instance
• Specifies Internet access policies
– Web sites or URLs that the application is allowed to access
– Protects the Web application from compromised browsers
Architecture
• The Browser Operating System (BOS)
– Trusted computing base for the Tahoma browsing system
– Instantiates and manages the collection of browser instances
• Multiplexes the virtual screens
• Stores long-term state associated with each browser instance
• Enforces the network policies
Architecture
• The Browser Operating System (continued)
– Provides users with a control panel and bookmark management tools
– Mediates all network interactions between a browser instance and remote Web sites
– Different implementation choices
• Running in its own virtual machine, with browser instances running in separate virtual machines
• Implemented as a virtual machine monitor running directly on the physical hardware, with browser instances running in VMs above it
Implementation
• Three main BOS processes
– BOS kernel: manages browser instances and the durable storage of the system
– Network proxy: a reverse firewall
– Window manager: aggregates browser instance windows onto the physical screen
Implementation
• Communication between the BOS and browser instances
– Interface: libraries linked into the browser
• BOS system functions (libBOS)
• Graphics functions (libQT)
– Uses browser-calls and upcalls
• Implemented as XML-formatted remote procedure calls
• Carried over a TCP connection on a point-to-point virtual network
Implementation
• Inter-browser communication paths
– fork browser-calls
• Include the target URL
– BinStore and BinFetch browser-calls
• The BOS implements a private holding bin for each browser instance
• Transfers between the holding bin and the host OS must be initiated by the user through a trusted Tahoma tool
Implementation
• Xen and the Browser Instance
– Each Xen VM executing a browser instance has:
• A read-only root disk containing the base file system for the browser instance
• A writable data disk providing storage for any data the browser instance needs to store durably
• Persistent changes made by the application are applied to the virtual data disk on the guest OS
Implementation
• Manifest
– Includes
• A network policy
• A browser policy
• A digital signature
• A human-readable Web application name
• A machine-readable manifest name
• A globally unique identifier for the application
Implementation
• Manifest (continued)
– Location
• An HTTP header extension in a Web object indicates the manifest name and where it can be downloaded
• Per-server manifest files
• Local database of manually supplied manifest files
– Authentication
• Web servers sign manifests using their private key
• Tahoma uses public-key certificates to authenticate Web applications to clients
• Relies on traditional PKI certification authorities
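As an added example (not code from the paper or the Tahoma prototype), the two sides of the manifest as the slides describe them: the Web service signs it, the BOS verifies the signature before installing the application, and the network proxy then acts as a reverse firewall that admits only requests matching the manifest's network policy. The JSON layout, the "host[:port]/path-prefix" entry format and the use of ed25519 in place of certificate-based PKI are assumptions made here.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"net/url"
	"strings"
)

// Manifest holds the six fields the slides list (JSON layout and ed25519 are assumptions).
type Manifest struct {
	AppName       string   `json:"app_name"`       // human-readable name
	ManifestName  string   `json:"manifest_name"`  // machine-readable name
	GUID          string   `json:"guid"`           // globally unique identifier
	BrowserPolicy string   `json:"browser_policy"` // code the browser instance runs
	NetworkPolicy []string `json:"network_policy"` // allowed "host[:port]/path-prefix"
}

// Sign is the Web service's side: encode the manifest and sign it with the private key.
func Sign(m Manifest, priv ed25519.PrivateKey) (body, sig []byte) {
	body, _ = json.Marshal(m)
	return body, ed25519.Sign(priv, body)
}

// Verify is the BOS's side: accept only if the signature checks out against the certified key.
func Verify(body, sig []byte, pub ed25519.PublicKey) (*Manifest, bool) {
	var m Manifest
	if !ed25519.Verify(pub, body, sig) || json.Unmarshal(body, &m) != nil {
		return nil, false
	}
	return &m, true
}

// Allowed is the network proxy's reverse-firewall decision for one request: deny by default;
// allow only an entry whose host (port included, if given) matches and whose path prefix
// matches at a "/" boundary, so "a.example.com/app" does not admit "/application".
func (m *Manifest) Allowed(rawURL string) bool {
	u, err := url.Parse(rawURL)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.Host == "" {
		return false
	}
	p := "/" + strings.TrimPrefix(u.EscapedPath(), "/")
	for _, entry := range m.NetworkPolicy {
		host, want, _ := strings.Cut(entry, "/")
		if strings.EqualFold(host, u.Host) &&
			(want == "" || p == "/"+want || strings.HasPrefix(p, "/"+want+"/")) {
			return true
		}
	}
	return false
}
```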
Implementation
• The Window Manager
– Implements the user interface
– Runs in domain 0
– Provides a virtual screen abstraction to each browser instance
• Within the virtual screen, the browser can create and position one or more rectangular sprites
• Each sprite consists of a grid of tiles
• Each tile is backed by a 4KB page in virtual memory
• Can be implemented in several different ways
Implementation
• Browser
– Needs to be modified to run on Tahoma
• Linking to libQT to access the Tahoma graphics subsystem
• Using a browser-call to access remote services, rather than accessing the network directly through a virtual device
• Using browser-calls for new functions, such as forking a new browser instance and interacting with the holding bin
Evaluation
Conclusions
• Each Web application is isolated within its own virtual machine sandbox, removing the need to trust Web browsers and Web services
• A new trusted software layer (the BOS) is introduced to manage Web applications and their virtual machine sandboxes
• Network policies and browser policies are enforced
Questions?