chun
Uploaded by
14 SLIDES
273 VUES
140LIKES

Securing Web 2.0 Applications Through Replicated Execution: The Ripley Approach

DESCRIPTION

This paper explores the security of Web 2.0 applications through a method called replicated execution, highlighting the importance of not trusting client-side code to ensure data and code integrity. The authors discuss the challenges between security and performance, specifically addressing how the Ripley architecture allows for client-side computation without sacrificing computational integrity. Techniques such as capturing user events and comparing results between the server and client are examined, alongside practical applications such as shopping carts, games, and online quizzes.

1 / 14

Télécharger la présentation

Securing Web 2.0 Applications Through Replicated Execution: The Ripley Approach

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Automatically securing web 2.0 applications through replicated execution K. Vikram, Abhishek Prateek, Ben Livshits

  2. Web Developer’s Mantra Thou shall not trust the client No data integrity No code integrity

  3. Security vs. Performance With Ripley, placing computation on the client does not reduce computational integrity • Web 1.0: • ASP.NET • PHP security Ripley • Web 2.0: • AJAX • Silverlight responsiveness

  4. The Volta Distributing Compiler .NET DLL Server IL-to-IL Client IL-to-JS JS http://volta/

  5. Volta Deployment Client Server Server Client

  6. Ripley Architecture

  7. Ripley Architecture m' • Keep a replica of the client code • Capture user events & transmit to server for replay • Compare server and client results Server Ripley checker m Replica Client e events = {key: ‘a’, id=‘name’; click: id=‘name’}

  8. Ripley Architecture m' • Keep a replica of the client code • Capture user events & transmit to server for replay • Compare server and client results Server Ripley checker • Client-side code instrumented • Rewrite event handlers • Capture “default” events • Buffer events for performance m Replica Client e button.onClick= functionbuttonHandler(e) { varobj = eventTrigger(e); varnotify = document.getElementById&& document.getElementById('notify'); notify.value = 'You clicked on '+ obj.value; return true; }; button.onClick= functionbuttonHandler(e) { ripleyEnqueue(e); // inserted by rewriting varobj = eventTrigger(e); varnotify = document.getElementById&& document.getElementById('notify'); notify.value= 'You clicked on '+ obj.value; return true; }; events = {key: ‘a’, id=‘name’; click: id=‘name’}

  9. Ripley Architecture m' • Keep a replica of the client code • Capture user events & transmit to server for replay • Compare server and client results Server Ripley checker • Run replica in a Ripley emulator • Run in .NET, not in JavaScript, 100x speed increase m Replica Client e events = {key: ‘a’, id=‘name’; click: id=‘name’}

  10. Experimental Evaluation

  11. Ripley Applications • Shopping cart • Sudoku • Blog • Speed typing • Online Quiz • Distributed online game http://ll-ripley/ripley-samples

  12. Performance Overhead Summary

  13. Ripley: Vision for the Future • Secure-by-construction Software + Services Web 2.0 App Ripley server farm

  14. The End.

More Related