Fine-Grained JavaScript Execution Isolation Using Script Spaces

Amarjyoti Deka, Godmar Back
Acision, Inc.; Department of Computer Science, Virginia Tech

Motivation

- Many emerging web/in-the-cloud applications rely on increasingly complex JavaScript components coexisting within one page: Rich Internet Application (RIA) frameworks; heavy use of JS libraries; third-party ready-to-include `widgets'
- Client-side extensions (content scripts) interact with arbitrary pages
- Current JavaScript environments lack namespace separation, fault and resource isolation; malfunctioning or malicious components affect entire page/tab and/or browser
- Need for robust execution environment
- Multi-process browsers provide partial solution: do not provide isolation below the level of individual tabs/pages and move resource management problem to underlying OS, which often lacks information about appropriate resource management strategies

Script Spaces

- Provide an abstraction for separate execution of JavaScript code
- Key features:
  - Unit of isolation
  - Configurable namespace
  - Separately schedulable
  - Separate termination
  - Separate resource accounting
  - Shared access to DOM
  - Backwards-compatible (within each space, a single-threaded environment; respects DOM event processing semantics)
- Related work:
  - Orthogonal to work directed at improving security models or implementations (Caja, ConScript, etc.)
  - Design alternative to multi-process model
  - Complementary to emerging parallel browser implementations
- Current limitations: not parallel; Firefox components aren't thread-safe; memory accounting not implemented

Script Spaces/DOM Relationship:

By default, each page executes within its own Script Space, but Script Spaces may also be created for portions of a page corresponding to sub-trees of the DOM tree.

    <body>
      <div class="SS_1">
        <input type="button" onclick="clickhandlerA()" value="Click me !" />
        <div id="A">Counter</div>
      </div>
      <div class="SS_2">
        <input type="button" onclick="clickhandlerB()" value="Click me!" />
        <div id="B">Counter</div>
      </div>
    </body>

Mash-Up Example:

This iGoogle mash-up includes a CPU bound gadget (Fibonacci); using Script Spaces, the page remains responsive and other gadgets remain functional even when it is run.

Implementation

- Prototype based on Firefox 3.0b2 codebase/Spidermonkey VM
- Uses SM contexts to manage multiple JavaScript execution contexts simultaneously
- No static binding between threads and script spaces
- "Migrating threads" enter and leave spaces based on event processing needs
- CPU scheduling via interpreter hook (branch callback)
- Implements Borrowed Virtual Time [Duda99] scheduler
- Includes component-based management interface and UI for user interaction/adjustment

[Figure: architecture diagram. Gecko Layout Engine: Content Model, Rendering, XML Parser, Event Processing. Execution Environment: JavaScript Engine, Security, ScriptSpace Management, BVT Scheduler. Network Layer: Async I/O Support, Data Caching, DNS/HTTP/FTP/File. Base Infrastructure Components: XPCOM, NSPR, XPConnect.]

Script Space Manager:

An extension displays existing script spaces and CPU consumption over time; users can adjust consumption of spaces or terminate them safely.

This work was partially funded by NSF CAREER Award CISE/SHF #0845830.
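The poster names a Borrowed Virtual Time scheduler driven from an interpreter branch callback, with per-space accounting and separate termination. The following is an added sketch of that dispatch rule, not code from the prototype or from the authors; the class names, the weights, and the 1000-branch quantum are assumptions chosen for illustration.

```javascript
// Added illustration: simplified Borrowed Virtual Time (BVT) dispatch over script spaces.
// ScriptSpace, BvtScheduler and the 1000-branch quantum are assumptions, not prototype code.
class ScriptSpace {
  constructor(name, weight, warp = 0) {
    this.name = name;
    this.weight = weight;    // larger weight => larger CPU share
    this.warp = warp;        // virtual time "borrowed" by latency-sensitive spaces
    this.avt = 0;            // actual virtual time
    this.branches = 0;       // per-space resource accounting
    this.terminated = false; // separate termination
  }
  get evt() { return this.avt - this.warp; } // effective virtual time
}

class BvtScheduler {
  constructor(spaces, quantum = 1000) {
    this.spaces = spaces;
    this.quantum = quantum;  // branches run before the hook yields the CPU
  }
  // Pick the live space with the smallest effective virtual time (ties: list order).
  pick() {
    const live = this.spaces.filter(s => !s.terminated);
    return live.reduce((best, s) => (s.evt < best.evt ? s : best), live[0]) ?? null;
  }
  // One dispatch: charge a quantum, advancing virtual time inversely to weight.
  step() {
    const s = this.pick();
    if (!s) return null;
    s.branches += this.quantum;
    s.avt += this.quantum / s.weight;
    return s;
  }
  run(steps) {
    for (let i = 0; i < steps; i++) this.step();
    return Object.fromEntries(this.spaces.map(s => [s.name, s.branches]));
  }
}

// Constructed scenario: a CPU-bound gadget next to a higher-weight page UI space.
function demo() {
  const fib = new ScriptSpace("fibonacci-gadget", 1);
  const ui = new ScriptSpace("page-ui", 4);
  const sched = new BvtScheduler([fib, ui]);
  const before = sched.run(400); // both spaces always have work pending
  fib.terminated = true;         // user terminates the gadget's space
  const after = sched.run(100);
  return { before, after };
}
console.log(demo());
```

The sketch assumes every live space always has pending work; the CPU-bound space is held to its weighted share instead of starving the rest of the page.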


Poster PDF: people.cs.vt.edu/~gback/papers/WebApps10Poster.pdf
