Atlantis: Robust, Extensible Execution Environments for Web Applications James Mickens Mohan Dhawan


Post on 11-Dec-2015


Atlantis: Robust, Extensible Execution Environments for Web Applications

James Mickens Mohan Dhawan

Page 2

Your web browser

Page 3

Our Claim
• Web browsers are a horrifying platform!
– APIs are too complex
– Implementations are too brittle
– Writing robust apps is too hard

Our Solution
[Diagram: "Monolithic browser" and "Atlantis exokernel", each shown with HTML, CSS and JavaScript inputs and four components: HTML/CSS parser, DOM tree, Layout/rendering, Scripting runtime]

Pages manage their own complexity!

Page 4

Why Do We Need Another Browser?

Page 5

The “Web Protocol”

HTML, CSS, Core JavaScript, DOM Storage, Web workers, Silverlight, PDF, <video> tag, Web sockets, Java, HTTPS, HTTP, JavaScript DOM Bindings, <canvas> tag, file://, JSON, Data URIs, Quicktime, Flash

Which version does the browser use?

Page 6

No Single Browser Will Ever Get It Right

Theory Practice

Page 7

Each Browser Will Fail In Different Ways

Monster Other Monster

Firefox IE

Page 8

Outline
• The Adversarial Web Browser: Case Studies
• Atlantis: Design and Implementation
• Evaluation
• Related Work

Page 9

Let Me Teach You About Life

Web browsers are terrible and buggy.

Bah! I use JS libraries like jQuery to hide the complexity. You are foolish and hysterical.

Page 10

What You Think

Your Web App

jQuery

Nice, browser-neutral interface

Largely tolerable browser APIs

Browsers

Page 11

What You Think

Your Web App

jQuery

Nice, browser-neutral interface

Browsers

What Is

Largely tolerable browser APIs

Page 12

Your Web App

jQuery

Partially browser-neutral interface

Browsers

What Is

Flaky, semi-consistent APIs

Page 13

Why the Suicide Rate for Web Developers is 89%

Page 14

James Mickens vs. Browsers: Event Handling

<html>
  <div>
    <button> Click me! </button>
  </div>
</html>

[Diagram: the tree <html> → <div> → <button>, annotated with captureHandler(evt), bubbleHandler(evt) and targetHandler(evt)]

“Official” event model
1) Capture phase
2) Target phase
3) Bubble phase

Event

I’d like support for the official three-phase model.

Ok!

Ok!

I WILL NOT SUPPORT THE CAPTURE PHASE. Lolz.

9

8-

Page 15

Problem: Different browsers have different DOM tree implementations!
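
The three-phase order from the previous slide, written as ordinary page-level JavaScript of the kind a page could own if the DOM tree were not fixed inside the browser. This is an added example, not code from the talk or from Atlantis; EvNode, fire and clickOrder are hypothetical names.

```javascript
// Added example: EvNode stands in for a DOM node whose event dispatch is
// ordinary page-owned JavaScript. Every name here is hypothetical.
class EvNode {
  constructor(name, parent = null) {
    this.name = name;
    this.parent = parent;
    this.listeners = [];                 // entries: {type, handler, capture}
  }
  addEventListener(type, handler, capture = false) {
    this.listeners.push({ type, handler, capture });
  }
  // Run this node's listeners for one phase of the dispatch.
  fire(evt, phase) {
    evt.currentTarget = this;
    evt.phase = phase;
    for (const l of this.listeners) {
      if (l.type !== evt.type) continue;
      // At the target all listeners run; on ancestors only those registered
      // for the current phase do.
      if (phase === "target" || l.capture === (phase === "capture")) l.handler(evt);
    }
  }
  dispatchEvent(type) {
    const evt = { type, target: this };
    const ancestors = [];                // nearest ancestor first
    for (let n = this.parent; n; n = n.parent) ancestors.push(n);
    for (const n of [...ancestors].reverse()) n.fire(evt, "capture"); // 1) root down
    this.fire(evt, "target");                                          // 2) target
    for (const n of ancestors) n.fire(evt, "bubble");                  // 3) back up
  }
}

// The slide's tree: <html> contains <div> contains <button>.
function clickOrder() {
  const log = [];
  const record = (evt) => log.push(evt.phase + "@" + evt.currentTarget.name);
  const html = new EvNode("html");
  const div = new EvNode("div", html);
  const button = new EvNode("button", div);
  for (const node of [html, div]) {
    node.addEventListener("click", record, true);   // captureHandler
    node.addEventListener("click", record, false);  // bubbleHandler
  }
  button.addEventListener("click", record);         // targetHandler
  button.dispatchEvent("click");
  return log;
}
```

Because the dispatch loop lives in page code, the capture phase runs the same way wherever the page is loaded.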

Page 16

James Mickens vs. Browsers: Event Handling, Part 2

I’d like you to fire a blur event when the input focus changes.

Enter your name: james

Focus! Blur!

Ok!

Sometimes I’ll fire the event, but sometimes I won’t. Rofl.

I’ll generate multiple events for each blur.

Page 17

!=

Page 18

James Mickens vs. Browsers: Layout and Rendering

I’d like to specify an element’s size as a percentage of the enclosing element.

<html>
  <div width="49.5%"> </div>
  <div width="50.5%"> </div>
</html>

Page 20

Problem: HTML/CSS parsing and layout engine are completely opaque to the web page!

[Diagram: HTML and CSS beside a “Markup parser + layout engine” box marked “?”, and a tree with <html> at the root, <head> and <body> below it, then <title>, <div>, <div>]

Page 21

James Mickens vs. Browsers: Extending the JavaScript Runtime

I’d like to introspect/extend objects without the crippling fear that I’ll wedge my browser. Help me help myself.

This “should” “work”. Except when it won’t. Also, I’m dating your mom.

//Application code
obj.f = function(){return 42;};

//Third-party diagnostic code
//[e.g., Mugshot@NSDI 2010] might
//do something like this . . .
var oldF = obj.f;
obj.f = function(){
    mugshot.logCall(oldF);
    //Forward the receiver and arguments to the wrapped function
    return oldF.apply(this, arguments);
};

Page 22

Problem: Opaque dependencies between C++ objects in browser and reflected versions in JavaScript!

JavaScript (“user” layer)

function addEventListener(evtName, callback){
    nativeInvoke(["__addListener", evtName, callback]);
}

C++ (“kernel” layer)

__addListener(e,c){
    //C++ code
}

[Diagram labels: DOM node; Unfathomable browser]

Page 24

How do we fix all of this?

Page 25

Outline
• The Adversarial Web Browser: Case Studies
• Atlantis: Design and Implementation
• Evaluation
• Related Work

Page 26

Monolithic Browser

Page 27

OP (Oakland 08)

Rhino
KHTML
No change in extensibility

Page 28

Atlantis

Per-instance kernel

Defined by web page!

Executes Syphon code

1 process w/3 C# AppDomains

Page 29

Atlantis: Defining the Web Stack

Load foo.html. It shall be done.

HTML

Page 31

Atlantis: Defining the Web Stack

<environment>
  <compiler='http://foo/compiler.syp'>
  <markupParser='http://bar/mParser.js'>
  <runtime='http://baz/runtime.js'>
</environment>

Syphon Interpreter

compiler.syp mParser.syp runtime.syp

mParser.js

High-level application runtime
DOM tree, AJAX library, Layout and Rendering

Atlantis kernel
– Bitmap rendering
– Frame creation and destruction
– Cross-frame messaging
– Low-level GUI events
– Blocking/non-blocking HTTP sockets

Page 32

Atlantis: Defining the Web Stack

Syphon Interpreter

<html> . . .</html>

JS compiler.syp, HTML+CSS parser.syp, DOM.syp

By default, thy gets a backwards-compatible stack.

I cannot findeth an <environment> tag.

Page 33

Atlantis: Defining the Web Stack

Syphon Interpreter

<html> . . .</html>

JS compiler.syp, HTML+CSS parser.syp, DOM.syp

By default, thy gets a backwards compatible stack.

It’s all made of JavaScript!

Page 34

Common case: You don’t write the (extensible!) web stack

Page 35

Facebook

Microsoft

jQuery

Page 36

Outline
• The Adversarial Web Browser: Case Studies
• Atlantis: Design and Implementation
• Evaluation
• Related Work

Page 37

Extensibility
• DOM nodes have an innerHTML property
– Assign a string to dynamically update DOM tree
– Allows for cross-site scripting attacks!
• Want: Ability to shim innerHTML and automatically install a sanitizer

var comment = document.getElementById("commentBox");
var contentParent = document.getElementById("parent");
contentParent.innerHTML = comment.value; //What if this is
                                         //JavaScript source?

Page 38

DON’T WORRY ATLANTIS CAN HELP YOU

Page 39

Extensibility
• In Atlantis, to change the DOM tree implementation:
– YOU JUST DO IT
– The entire implementation belongs to you!
– Don’t have to wait on browser vendors!
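
One way to build the innerHTML shim the slides ask for, given a DOM implementation that is page-owned JavaScript: wrap the property's setter once on the prototype so every assignment passes through a sanitizer. This is an added example, not code from the talk or from Atlantis; PageNode, sanitize and installInnerHTMLShim are hypothetical names, and the allowlist policy is an assumption.

```javascript
// Added example: PageNode stands in for a DOM node implemented in page-owned
// JavaScript. Every name in this block is hypothetical.
class PageNode {
  constructor(tag) {
    this.tag = tag;
    this._markup = "";
  }
  get innerHTML() { return this._markup; }
  set innerHTML(markup) { this._markup = String(markup); }
}

// Sanitizer (an assumed policy): escape all markup, then re-enable a short
// allowlist of attribute-free formatting tags. Everything else stays inert text.
const ALLOWED_TAGS = ["b", "i", "em", "strong", "p", "br"];
function sanitize(markup) {
  const escaped = String(markup)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
  const allowed = new RegExp("&lt;(/?)(" + ALLOWED_TAGS.join("|") + ")&gt;", "gi");
  return escaped.replace(allowed, (m, slash, name) => "<" + slash + name.toLowerCase() + ">");
}

// The shim: wrap the innerHTML setter once on the prototype, so every node
// (existing or created later) routes assignments through the filter.
function installInnerHTMLShim(proto, filter) {
  const original = Object.getOwnPropertyDescriptor(proto, "innerHTML");
  Object.defineProperty(proto, "innerHTML", {
    configurable: true,
    get() { return original.get.call(this); },
    set(markup) { original.set.call(this, filter(markup)); },
  });
}

installInnerHTMLShim(PageNode.prototype, sanitize);

// Constructed input: a comment mixing allowed formatting with script markup.
function demo() {
  const contentParent = new PageNode("div");
  contentParent.innerHTML = '<b>hi</b><script>alert(1)</script>';
  return contentParent.innerHTML;
}
```

Application code keeps assigning to innerHTML as before; the filter is applied underneath it, which is the property the slide's "automatically install a sanitizer" asks for.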

Page 40

Page Load Times

Page 41

Outline
• The Adversarial Web Browser: Case Studies
• Atlantis: Design and Implementation
• Evaluation
• Related Work

Page 42

Related Work
• Microkernel browsers: OP, Gazelle, ServiceOS
– Isolate commodity JS engines, HTML renderers, etc.
– Better security . . .
– . . . but same extensibility, robustness

Page 43

Related Work
• JavaScript abstraction frameworks
– JavaScript libraries: jQuery, mooTools, Prototype
– Compile-to-JavaScript: GWT, Script#
• Extremely useful!
• However, they can’t . . .
– Hide all browser quirks
– Make black-box components introspectable

Page 44

Conclusions

• Web browsers have a lot of potential . . .

Page 45

Conclusions
• The aggregate “web protocol” is big and complex!
– No individual browser can get it all right
– Different browsers will fail in different ways

Page 46

Conclusions
• Atlantis: an exokernel browser
– Kernel handles low-level networking, GUI events, bitmap rendering
– Application defines higher-level abstractions
• Advantages
– Strong security
– Powerful extensibility
