A Safety-Oriented Platform for Web Applications
Authors: Richard S. Cox, Jacob Gorm Hansen, Steven D. Gribble, Henry M. Levy
Presenter: Jun Tao

Overview
• Introduction
• Architecture
• Implementation
• Evaluation

Introduction
• Nascent Web
  – Hypertext document system
  – Fetched and presented simple static content
• Modern Web
  – Provides access to an enormous number of services and resources
  – Downloads and executes programs
  – A de facto operating system for executing client-side components of Web applications

Introduction
• Current browsers are vulnerable
  – Drive-by downloads can cause spyware infections
  – Trusted plug-ins may have security holes
  – Browsers fail to provide isolation

Introduction
• A new browsing system architecture: Tahoma
  – Three key principles
    • Web applications should not be trusted
    • Web browsers should not be trusted
    • Users should be able to identify and manage downloaded Web applications
  – Web applications are isolated in their own private virtual machines
  – A prototype of the Tahoma browsing system has been implemented using Linux and the Xen virtual machine monitor

Architecture
• Tahoma's six key features
  – Defines a new trusted system layer, the browser operating system (BOS)
  – Provides explicit support for Web applications
    • Browser instance
    • Web service
  – Enforces isolation between Web applications
  – Enforces policies defined by the Web service
    • Manifest
  – Supports an enhanced window interface
  – Provides resource support

Architecture (figure slide; diagram not reproduced in the text)

Architecture
• Web applications
  – The execution environment as viewed by a browser instance

Architecture
• Web applications (continued)
  – Users accessing a Web application for the first time must approve its installation
  – Advantages of the VM environment
    • A Web application is safe from interference by other applications
    • Local effects can be easily removed
    • Increases flexibility for the programming of Web applications

Architecture
• Web applications (continued)
  – Manifest
    • Used by the Web service to specify the characteristics of its application
    • Can be retrieved by the BOS when it first accesses the service
    • Presents a digital signature
    • Specifies the code that will run in the browser instance
    • Specifies Internet access policies
      – Web sites or URLs that the application is allowed to access
      – Protects the Web application from compromised browsers

Architecture
• The Browser Operating System (BOS)
  – Trusted computing base for the Tahoma browsing system
  – Instantiates and manages the collection of browser instances
    • Multiplexes the virtual screens
    • Stores long-term state associated with browser instances
    • Enforces the network policies

Architecture (figure slide; diagram not reproduced in the text)

Architecture
• The Browser Operating System (continued)
  – Provides users with control-panel and bookmark-management tools
  – Mediates all network interactions between a browser instance and remote Web sites
  – Different implementation choices
    • Running in its own virtual machine, with browser instances running in separate virtual machines
    • Implemented as a virtual machine monitor running directly on the physical hardware, with browser instances running in VMs above it

Implementation (figure slide; diagram not reproduced in the text)

Implementation
• Three main BOS processes
  – BOS kernel: manages browser instances and the durable storage of the system
  – Network proxy: a reverse firewall
  – Window manager: aggregates browser instance windows into the physical screen

Implementation
• Communication between the BOS and browser instances
  – Interface: libraries linked into the browser
    • BOS system functions (libBOS)
    • Graphics functions (libQT)
  – Uses browser-calls and upcalls
    • Implemented as XML-formatted remote procedure calls
    • Carried over a TCP connection on a point-to-point virtual network

Implementation
• Inter-browser communication paths
  – fork browser-calls
    • Include the target URL
  – BinStore and BinFetch browser-calls
    • The BOS implements a private holding bin for each browser instance
    • Transfers between the holding bin and the host OS must be initiated by a user through a trusted Tahoma tool

Implementation
• Xen and the browser instance
  – Each Xen VM executing a browser instance has:
    • A read-only root disk containing the base file system for the browser instance
    • A writable data disk providing storage for any data the browser instance needs to store durably
    • Persistent changes made by the application are applied to the virtual data disk on the guest OS

Implementation
• Manifest
  – Includes
    • A network policy
    • A browser policy
    • A digital signature
    • A human-readable Web application name
    • A machine-readable manifest name
    • A globally unique identifier for the application

Implementation
• Manifest (continued)
  – Location
    • An HTTP header extension in a Web object indicates the manifest name and where it can be downloaded
    • Per-server manifest files
    • A local database of manually supplied manifest files
  – Authentication
    • Web servers sign manifests using their private key
    • Tahoma uses public-key certificates to authenticate Web applications to clients
    • Relies on traditional PKI certification authorities

Implementation
• The window manager
  – Implements the user interface
  – Runs in domain 0
  – Provides a virtual screen abstraction to each browser instance
    • Within the virtual screen, the browser can create and position one or more rectangular sprites
    • Each sprite consists of a grid of tiles
    • Each tile is backed by a 4 KB page in virtual memory
    • Can be implemented in several different ways

Implementation (figure slide; diagram not reproduced in the text)

Implementation
• Browser
  – Needs to be modified to run on Tahoma
    • Linking to libQT to access the Tahoma graphics subsystem
    • Using a browser-call to access remote services, rather than accessing the network directly through a virtual device
    • Using browser-calls for new functions, such as forking a new browser instance and interacting with the holding bin

Evaluation (five figure slides; charts not reproduced in the text)

Conclusions
• Each Web application is isolated within its own virtual machine sandbox, removing the need to trust Web browsers and Web services
• A new trusted software layer (BOS) is introduced to manage Web applications and their virtual machine sandboxes
• Network policies and browser policies are enforced

Questions?
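The two manifest slides (contents and authentication) and the "network proxy: a reverse firewall" slide describe one mechanism end to end: the Web service signs a manifest that carries its network policy, the BOS verifies the signature, and the BOS proxy then admits a browser instance's requests only when they fall inside that policy. The following Python sketch is an added example, not code from the Tahoma paper or prototype. It assumes a JSON manifest with the field names shown, allow-list entries of the form "scheme://hostpattern/pathprefix" (a leading "*." covering subdomains only), and an unpadded textbook-RSA signature over a canonical serialization with a fixed key built from two Mersenne primes; that key is for demonstration only and offers no real security, whereas Tahoma relies on PKI certificates for this step.

```python
"""Added example (not Tahoma's code): manifest signing/verification and
network-policy enforcement as a BOS network proxy might perform it."""
import hashlib
import json
from urllib.parse import urlsplit

# Constructed toy RSA key: primes 2^61-1 and 2^31-1, public exponent 65537.
# Demonstration only; no padding, far too small for real use.
_P, _Q, _E = (1 << 61) - 1, (1 << 31) - 1, 65537
TOY_N = _P * _Q
TOY_PUBLIC_KEY = (TOY_N, _E)
TOY_PRIVATE_KEY = (TOY_N, pow(_E, -1, (_P - 1) * (_Q - 1)))

# Fields the slides list as manifest contents; all of them are signed.
SIGNED_FIELDS = ("app_name", "manifest_name", "app_guid",
                 "network_policy", "browser_policy")

# Constructed sample manifest for a hypothetical webmail application.
MANIFEST = {
    "app_name": "Example Webmail",
    "manifest_name": "webmail-manifest-v1",
    "app_guid": "00000000-0000-4000-8000-000000000001",
    "network_policy": ["https://mail.example.com/",
                       "https://*.cdn.example.com/static/"],
    "browser_policy": {"plugins_allowed": []},
}

ALLOW, DENY = "ALLOW", "DENY"


def canonical_body(manifest: dict) -> bytes:
    """Deterministic serialization of the signed fields (sorted keys, no spaces)."""
    body = {k: manifest[k] for k in SIGNED_FIELDS}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _digest_int(data: bytes, n: int) -> int:
    """SHA-256 of the body reduced into the RSA modulus (toy, unpadded)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign_manifest(manifest: dict, private_key=TOY_PRIVATE_KEY) -> dict:
    """Web-service side: return a copy of the manifest carrying a signature."""
    n, d = private_key
    signed = dict(manifest)
    signed["signature"] = pow(_digest_int(canonical_body(manifest), n), d, n)
    return signed


def verify_manifest(manifest: dict, public_key=TOY_PUBLIC_KEY) -> bool:
    """BOS side: accept the manifest only if the signature matches its body."""
    n, e = public_key
    sig = manifest.get("signature")
    if not isinstance(sig, int):
        return False
    return pow(sig, e, n) == _digest_int(canonical_body(manifest), n)


def _parse_rule(rule: str):
    """Split "scheme://hostpattern/pathprefix" into its three parts."""
    scheme, rest = rule.split("://", 1)
    host, _, path = rest.partition("/")
    return scheme.lower(), host.lower(), "/" + path


def _host_matches(pattern: str, host: str) -> bool:
    """Exact host match, or subdomain match for a "*.domain" pattern."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return host == pattern


def url_allowed(network_policy, url: str) -> bool:
    """True if scheme, host and path prefix all fall inside some policy rule."""
    req = urlsplit(url)
    if req.scheme not in ("http", "https") or not req.hostname:
        return False
    path = req.path or "/"
    for rule in network_policy:
        scheme, host_pat, prefix = _parse_rule(rule)
        if (req.scheme == scheme and _host_matches(host_pat, req.hostname)
                and path.startswith(prefix)):
            return True
    return False


def proxy_decision(signed_manifest: dict, url: str) -> str:
    """Reverse firewall: fail closed on an unverified manifest, then apply policy."""
    if not verify_manifest(signed_manifest):
        return DENY
    return ALLOW if url_allowed(signed_manifest["network_policy"], url) else DENY


if __name__ == "__main__":
    signed = sign_manifest(MANIFEST)
    for u in ("https://mail.example.com/inbox", "https://img.cdn.example.com/static/a.png",
              "https://tracker.example.net/", "http://mail.example.com/"):
        print(proxy_decision(signed, u), u)
```

Two design points worth noting: the proxy denies everything when the manifest does not verify, so a forged or altered policy can never widen an application's reach, and the wildcard rule deliberately excludes the bare domain and any host that merely ends with the same string, so "mail.example.com.attacker.test" does not match "mail.example.com".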