
Automatically securing web 2.0 applications through replicated execution


Presentation Transcript


  1. Automatically securing web 2.0 applications through replicated execution. K. Vikram, Abhishek Prateek, Ben Livshits

  2. Web Developer's Mantra: Thou shalt not trust the client. On the client there is no data integrity and no code integrity.

  3. Security vs. Performance. With Ripley, placing computation on the client does not reduce computational integrity.
     • Web 1.0 (ASP.NET, PHP): security
     • Web 2.0 (AJAX, Silverlight): responsiveness
     • Ripley: Web 2.0 responsiveness with Web 1.0 integrity

  4. The Volta Distributing Compiler (http://volta/): a single .NET DLL is split by tier. The server tier is produced by IL-to-IL rewriting; the client tier goes through IL-to-JS translation and ships as JavaScript.

  5. Volta Deployment (diagram: the client and server tiers, with code placed on either side)

  6. Ripley Architecture

  7. Ripley Architecture
     • Keep a replica of the client code on the server
     • Capture user events and transmit them to the server for replay
     • Compare server and client results
     (diagram: the client runs the code and sends its event stream e and result m to the server; the replica replays e and the Ripley checker compares its own result m' with m)
     events = {key: 'a', id='name'; click: id='name'}

  8. Ripley Architecture
     • Client-side code is instrumented: event handlers are rewritten, "default" events are captured, and events are buffered for performance
     Original handler:
       button.onclick = function buttonHandler(e) {
         var obj = eventTrigger(e); // helper that resolves the element that fired the event (not shown on the slide)
         var notify = document.getElementById && document.getElementById('notify');
         if (notify) notify.value = 'You clicked on ' + obj.value;
         return true;
       };
     Rewritten handler:
       button.onclick = function buttonHandler(e) {
         ripleyEnqueue(e); // inserted by rewriting: record the event for transmission to the server
         var obj = eventTrigger(e);
         var notify = document.getElementById && document.getElementById('notify');
         if (notify) notify.value = 'You clicked on ' + obj.value;
         return true;
       };
     events = {key: 'a', id='name'; click: id='name'}

  9. Ripley Architecture
     • Run the replica in a Ripley emulator: it runs in .NET rather than in JavaScript, for about a 100x speed increase
     events = {key: 'a', id='name'; click: id='name'}
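The architecture on slides 7 to 9, as an added example written for this page (it is not code from the Ripley paper or the Volta compiler): a shopping cart, one of the Ripley sample applications, modelled as a pure function of the UI event stream. The client wraps its handler so that every event is buffered (the role of the ripleyEnqueue call inserted by rewriting), then flushes the events together with the result it claims; a server-side replica replays the events and a checker accepts the result only if the replica reaches the same state. The catalogue, the prices and the names cartHandler, RipleyClient and RipleyChecker are assumptions made for the example.

```javascript
// Added example (not from the Ripley paper or Volta): replicated execution for
// a shopping cart. Catalogue, prices in cents and all names are assumptions.
const CATALOG = { apple: 120, bread: 250, milk: 99 };

function initialState() {
  return { items: {}, total: 0, checkedOut: false };
}

// Application logic shared by the client and the server replica. It is a pure,
// deterministic function of (state, event), so replaying the same events on
// the server must reproduce the client's state exactly.
function cartHandler(state, event) {
  switch (event.type) {
    case 'add': {
      if (!(event.item in CATALOG)) throw new Error('unknown item: ' + event.item);
      const items = { ...state.items, [event.item]: (state.items[event.item] || 0) + 1 };
      return { ...state, items };
    }
    case 'checkout': {
      const total = Object.entries(state.items)
        .reduce((sum, [item, qty]) => sum + CATALOG[item] * qty, 0);
      return { ...state, total, checkedOut: true };
    }
    default:
      throw new Error('unknown event: ' + event.type);
  }
}

// Key-order-independent serialisation, so the comparison cannot be fooled or
// broken by the order in which properties were assigned.
function canonical(value) {
  if (value === null || typeof value !== 'object') return JSON.stringify(value);
  if (Array.isArray(value)) return '[' + value.map(canonical).join(',') + ']';
  return '{' + Object.keys(value).sort()
    .map((k) => JSON.stringify(k) + ':' + canonical(value[k])).join(',') + '}';
}

// Client side. Ripley's rewriting inserts an enqueue call at the top of every
// event handler; instrument() does the same by wrapping the handler.
class RipleyClient {
  constructor() {
    this.state = initialState();
    this.seq = 0;     // next event number, continues across flushes
    this.buffer = []; // events handled but not yet sent (batched for performance)
  }
  instrument(handler) {
    return (event) => {
      this.buffer.push({ seq: this.seq++, ...event }); // inserted by rewriting
      this.state = handler(this.state, event);
      return this.state;
    };
  }
  // Ship the buffered events together with the result the client claims.
  flush() {
    const message = { events: this.buffer, result: this.state };
    this.buffer = [];
    return message;
  }
}

// Server side: the replica re-runs cartHandler in a trusted environment and the
// checker accepts the client's result only if the replica reaches the same state.
class RipleyChecker {
  constructor() {
    this.state = initialState();
    this.nextSeq = 0;
  }
  check(message) {
    for (const { seq, ...event } of message.events) {
      if (seq !== this.nextSeq) return { ok: false, reason: 'event sequence gap at ' + seq };
      this.nextSeq += 1;
      try {
        this.state = cartHandler(this.state, event);
      } catch (err) {
        return { ok: false, reason: 'replay failed: ' + err.message };
      }
    }
    if (canonical(this.state) !== canonical(message.result)) {
      return { ok: false, reason: 'client result diverges from replica', replica: this.state };
    }
    return { ok: true, state: this.state };
  }
}

// Honest client: the replica agrees and the total is what the catalogue says.
function honestRun() {
  const client = new RipleyClient();
  const onClick = client.instrument(cartHandler);
  onClick({ type: 'add', item: 'apple' });
  onClick({ type: 'add', item: 'apple' });
  onClick({ type: 'add', item: 'bread' });
  onClick({ type: 'checkout' });
  return new RipleyChecker().check(client.flush());
}

// No code or data integrity on the client: the attacker overwrites the total in
// memory before it is sent. The replica recomputes it from the events.
function tamperedTotalRun() {
  const client = new RipleyClient();
  const onClick = client.instrument(cartHandler);
  onClick({ type: 'add', item: 'apple' });
  onClick({ type: 'checkout' });
  client.state = { ...client.state, total: 1 };
  return new RipleyChecker().check(client.flush());
}

// The attacker strips an event from the buffer but keeps the state it produced;
// the sequence numbers expose the gap before the results are even compared.
function droppedEventRun() {
  const client = new RipleyClient();
  const onClick = client.instrument(cartHandler);
  onClick({ type: 'add', item: 'milk' });
  onClick({ type: 'add', item: 'milk' });
  onClick({ type: 'checkout' });
  const message = client.flush();
  message.events.splice(1, 1);
  return new RipleyChecker().check(message);
}

console.log(honestRun().ok, tamperedTotalRun().reason, droppedEventRun().reason);
```

The check only works because cartHandler is deterministic: any nondeterministic input the client code consumes (timers, random numbers, responses from other requests) has to be captured as an event and replayed in the same order, otherwise an honest client diverges from the replica and is rejected. The sequence numbers let the checker keep state across several buffered batches and reject a dropped or reordered event independently of the result comparison.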

  10. Experimental Evaluation

  11. Ripley Applications (http://ll-ripley/ripley-samples)
     • Shopping cart
     • Sudoku
     • Blog
     • Speed typing
     • Online quiz
     • Distributed online game

  12. Performance Overhead Summary

  13. Ripley: Vision for the Future
     • Secure-by-construction Software + Services (diagram: a Web 2.0 app backed by a Ripley server farm)

  14. The End.
