atlantis: robust, extensible execution environments for web applications james mickens mohan dhawan

Atlantis: Robust, Extensible Execution Environments for Web Applications

James Mickens Mohan Dhawan

Your web browser

Our Claim• Web browsers are a

horrifying platform!

– APIs are too complex– Implementations are

too brittle– Writing robust apps is

too hard

Our Solution

HTMLCSS

JavaScript

Monolithic browser

HTML/CSS parser

DOM tree

Layout/rendering

Scripting runtime

Atlantisexokernel

HTML/CSS parser

DOM tree

Layout/rendering

Scripting runtime

HTMLCSS

JavaScript

Pages manage their own complexity!

Why Do We Need Another Browser?

The “Web Protocol”

HTML

CSS

Core JavaScript

DOM Storage

Web workers

SilverlightPDF

<video> tag

Web sockets

Java

HTTPSHTTP

JavaScript DOM Bindings

<canvas> tag

file://JSON

Data URIs

QuicktimeFlash

Which version does the

browser use?

No Single Browser Will Ever Get It Right

Theory Practice

Each Browser Will Fail In Different Ways

Monster Other Monster

Firefox IE

Outline

• The Adversarial Web Browser: Case Studies• Atlantis: Design and Implementation• Evaluation• Related Work

Let Me Teach You About Life

Web browsers areterrible and buggy.

Bah! I use JS libraries likejQuery to hide the complexity.You are foolish and hysterical.

What You ThinkYour Web App

jQuery

Nice, browser-neutral interface

Largely tolerable browser APIs

Browsers

What You ThinkYour Web App

jQuery

Nice, browser-neutral interface

Browsers

What Is

Largely tolerable browser APIs

Your Web App

jQuery

Partially browser-neutral interface

Browsers

What Is

Flaky, semi-consistent APIs

Why the Suicide Rate for Web Developers

is 89%

James Mickens vs. Browsers:Event Handling

<html> <div> <button> Click me! </button> </div></html>

<html>

<div>

<button>

captureHandler(evt)

bubbleHandler(evt)

targetHandler(evt)

“Official” event model

1) Capture phase2) Target phase3) Bubble phase

Event

I’d like support for the official three-phase model.

Ok!

Ok!

I WILL NOT SUPPORT THE CAPTURE PHASE. Lolz.

9

8-

Problem: Different browsers have different DOM tree implementations!

James Mickens vs. Browsers:Event Handling, Part 2

I’d like you to fire a blur event when the input focus changes.

Enter your name:

james

Focus!Blur!

Ok!

Sometimes I’ll fire the event, but sometimes I won’t. Rofl.

I’ll generate multiple events for each blur.

!=

James Mickens vs. Browsers:Layout and Rendering

I’d like to specify an element’s size as a percentage of the enclosing element.

<html> <div width=“49.5%”> </div> <div width=“50.5%”> </div></html>

James Mickens vs. Browsers:Layout and Rendering

I’d like to specify an element’s size as a percentage of the enclosing element.

<html> <div width=“49.5%”> </div> <div width=“50.5%”> </div></html>

Problem: HTML/CSS parsing and layout engine are completely opaque to the web page!

?

Markup parser + layout engine

<html>

<head> <body>

<title> <div> <div>

HTML

CSS

James Mickens vs. Browsers:Extending the JavaScript Runtime

I’d like to introspect/extend objects without the crippling fear that I’ll wedge my browser.Help me help myself.

This “should” “work”. Except when it won’t.Also, I’m dating your mom.

//Application codeobj.f = function(){return 42;};

//Third-party diagnostic code//[e.g., Mugshot@NSDI 2010] might//do something like this . . .oldF = obj.f;obj.f = function(){ mugshot.logCall(oldF); return oldF(); };

Problem: Opaque dependencies between C++ objects in browser and reflected versions in JavaScript!

function addEventListener(eName, callback){ nativeInvoke([“__addListener”, evtName, callback]);}

__addListener(e,c){ //C++ code}

JavaScript (“user” layer)

C++(“kernel” layer)

DOMnodeUnfathomable

browser

Problem: Opaque dependencies between C++ objects in browser and reflected versions in JavaScript!

function addEventListener(eName, callback){ nativeInvoke([“__addListener”, evtName, callback]);} JavaScript

(“user” layer)C++

(“kernel” layer)

DOMnodeUnfathomable

browser

__addListener(e,c){ //C++ code}

How do we fix all of this?

Outline

• The Adversarial Web Browser: Case Studies• Atlantis: Design and Implementation• Evaluation• Related Work

Monolithic Browser

OP (Oakland 08)

RhinoKHTMLNo change in

extensibility

Atlantis

Per-instance kernel

Defined by web page!

Executes Syphon code

1 process w/3 C# AppDomains

Atlantis: Defining the Web Stack

Load foo.html. It shall be done.

HTML

Atlantis: Defining the Web Stack

Load foo.html. It shall be done.

HTML

Atlantis: Defining the Web Stack

<environment> <compiler=‘http://foo/compiler.syp’> <markupParser=‘http://bar/mParser.js’> <runtime=‘http://baz/runtime.js’></environment>

Syphon Interpreter

compiler.syp mParser.syp runtime.syp

mParser.js

High-level application runtime

DOM tree AJAX libraryLayout andRendering

Atlantis kernel– Bitmap rendering– Frame creation and

destruction– Cross-frame messaging– Low-level GUI events– Blocking/non-blocking HTTP sockets

Atlantis: Defining the Web Stack

Syphon Interpreter

<html> . . .</html>

JScompiler.syp HTML+CSSparser.syp DOM.syp

By default, thy gets a backwards-compatible stack.

I cannot findeth an<environment> tag.

Atlantis: Defining the Web Stack

Syphon Interpreter

<html> . . .</html>

JScompiler.syp HTML+CSSparser.syp DOM.syp

By default, thy gets a backwards compatible stack.

It’s all made of JavaScript!

Common case: You don’t write the (extensible!) web stack

Facebook

Microsoft

jQuery

Outline

• The Adversarial Web Browser: Case Studies• Atlantis: Design and Implementation• Evaluation• Related Work

Extensibility• DOM nodes have an innerHTML property– Assign a string to dynamically update DOM tree– Allows for cross-site scripting attacks!

• Want: Ability to shim innerHTML and automatically install a sanitizer

var comment = document.getElementById(“commentBox”);var contentParent = document.getElementById(“parent”);contentParent.innerHtml = comment.value; //What if this is //JavaScript source?

DON’T WORRY ATLANTIS CAN HELP YOU

• In Atlantis, to change the DOM tree implementation:– YOU JUST DO IT– The entire implementation belongs to you!– Don’t have to wait on browser vendors!

Extensibility

Page Load Times

Outline

• The Adversarial Web Browser: Case Studies• Atlantis: Design and Implementation• Evaluation• Related Work

• Microkernel browsers: OP, Gazelle, ServiceOS– Isolate commodity JS engines, HTML renderers, etc.– Better security . . .– . . . but same extensibility, robustness

Related Work

• JavaScript abstraction frameworks– JavaScript libraries: jQuery, mooTools, Prototype– Compile-to-JavaScript: GWT, Script#

• Extremely useful!• However, they can’t . . .– Hide all browser quirks– Make black-box components introspectable

Related Work

Conclusions

• Web browsers have a lot of potential . . .

Conclusions• The aggregate “web protocol” is big and complex!– No individual browser can get it all right– Different browsers will fail in different ways

Conclusions

• Atlantis: an exokernel browser– Kernel handles low-level

networking, GUI events, bitmap rendering

– Application defines higher-level abstractions

• Advantages– Strong security– Powerful extensibility