Eratosthenes: Radically Refactoring the Web

Web browsers ostensibly provide strong isolation for the client-side components of web applications. Unfortunately, this isolation is weak in practice; as browsers add increasingly rich APIs to please developers, these complex interfaces bloat the trusted computing base and erode cross-app isolation boundaries. We reenvision the web interface based on the notion of a pico-datacenter, the client-side version of a shared server datacenter. Mutually untrusting vendors run their code on the user’s computer in low-level native code containers that communicate with the outside world only via IP. Just as in the cloud datacenter, the simple semantics makes isolation tractable, yet native code gives vendors the freedom to run any software stack. Since the datacenter model is designed to be robust to malicious tenants, it is never dangerous for the user to click a link and invite a possibly-hostile party onto the client.
