TreeHouse: JavaScript sandboxes to help Web developers help themselves

Lon Ingram and Michael Walfish
The University of Texas at Austin / Waterfall Mobile

Abstract

Many Web applications (meaning sites that employ JavaScript) incorporate third-party code and, for reasons rooted in today's Web ecosystem, are vulnerable to bugs or malice in that code. Our goal is to give Web developers a mechanism that (a) contains included code, limiting (or eliminating) its influence as appropriate; and (b) is deployable today, or very shortly. While the goal of containment is far from new, the requirement of deployability leads us to a new design point, one that applies the OS ideas of sandboxing and virtualization to the JavaScript context. Our approach, called TreeHouse, sandboxes JavaScript code by repurposing a feature of current browsers (namely Web Workers). TreeHouse virtualizes the browser's API to the sandboxed code (allowing the code to run with few or no modifications) and gives the application author fine-grained control over that code. Our implementation and evaluation of TreeHouse show that its overhead is modest enough to handle performance-sensitive applications and that sandboxing existing code is not difficult.
1 Introduction

This paper is about TreeHouse, a system that allows Web applications to safely include—in the code delivered to the browser—third-party modules that are unaudited, untrusted, and unmodified. By Web application, we mean any Web site that includes JavaScript.

Many of today's Web applications are closely integrated with third-party code and in fact depend on the correctness of that code. For example, frameworks are now in wide use; these are JavaScript libraries that serve as application platforms by abstracting messy aspects of the browser's interface [13,19,30,45,63,67]. As another example, sites selling advertising space today include scripts supplied by ad networks; these scripts are only supposed to display content from the ad networks, but they can hinder or harm the enclosing page (even if running in a frame, as we explain below and in Section 2.3). A third example is widgets: code supplied by an off-site service to invoke that very service (for example, [7,56]). To perform its function, the widget needs read and write access to the enclosing page.

Adding to the helplessness of applications, the third-party code can change unilaterally. Applications often include frameworks by hyperlinking elsewhere: for low latency, some frameworks' code is hosted by Content Distribution Networks (CDNs).¹ Similarly, applications include ad scripts and widget scripts by hyperlinking to the ad network or widget implementer. All of these cases are analogous to a desktop application that dynamically links to a module running on someone else's computer!

Web applications, then, are taking the risk of adding large, opaque, third-party code to their trusted computing base [12]. Whether from malice or bugs, this code can compromise the privacy of data [8], the integrity of the enclosing page [26,57], and the availability of the application [8,52] (for instance, the script can make many HTTP requests, slowing the page's load time).

Given this situation, our high-level goal is a mechanism by which Web developers can contain and control included code, whether written by a third party or the Web developers themselves. The question that we must answer is: what interface should this mechanism expose, and how should we implement it? Of course, this question is not new (not even in the Web context); our point of departure is in adopting the following two requirements:

Make it work today (or failing today, shortly). Previous projects are more tasteful than ours; indeed their principles have inspired this paper. But realizing those principles has required deployability compromises that we hope to avoid. Specifically, we wish to minimize (a) browser modification [10,14,29,33,37,38,43,59,62] or redesign [5,9,16,24,39,47,53,60], as these require changes in the entire Web ecosystem; (b) development-time code changes [11,20,35,41], as these often impose a performance cost and always require framework authors to rewrite their code; (c) run-time code changes [44,46], as these either sacrifice the performance benefit of hosting framework code in a CDN, or else incur a large performance cost in the browser (Section 7 explains further); and (d) server configuration, such as domain names for each trust domain [28,31,32,64], as this impairs deployability.

Allow controlled, configurable influence. The mechanism should allow only the access and grant only the resources needed for the contained script to do its job: frameworks should be given access to all elements in the enclosing page, widgets should be given access only to the portions of the page they are concerned with, and ads should have no influence on the enclosing page. We note that browsers' iframe mechanism fails this requirement since code in a frame can still leak data or consume scarce browser resources owned by the application (see Section 2.3 for more detail).

¹ Unfortunately, application code cannot even compare the hyperlink's target to a known content hash, owing to the same-origin policy (§2.1).

TreeHouse's high-level approach is to provide a sandbox in which a Web application can run guest JavaScript code. Sandboxing (or jailing) on hosts [21,22,36,49,51,58] and in browsers [15,61] is an elegant way to run legacy code inside a given context while giving that code little (or configurably limited) influence on that context. These works restrict the machine code and system calls that the sandboxed code executes. Our scenario, however, calls for configurable control over code that has been programmed to the browser's JavaScript interface. Thus, we borrow the top-level idea of sandboxing but need an interposition mechanism that understands JavaScript and the browser's API. Unlike other work that provides such interposition [10,14,33,37,38,43], TreeHouse requires no browser changes: it is implemented in JavaScript using browsers' current functionality. Specifically, it repurposes Web Workers (a feature in recent browsers in which a page can run a script in a separate thread) as containers to run guest code. It avoids modification in that code by virtualizing the principal interface to the browser (known as the Document Object Model or DOM; see Section 2.1).² TreeHouse exerts configurable control over guest code using an approach analogous to trap-and-emulate in the virtual machines context [4]: it interposes on privileged operations, permitting them as appropriate.

² Others have virtualized this interface, in the browser [14,20,32,40,41] and on the server [3,17], but with goals different from ours (§7).

We have implemented and evaluated a prototype of TreeHouse. We ported a benchmark suite [1], a Tetris clone [50], and two frameworks [45,67] to TreeHouse. Using existing code with TreeHouse requires modest effort. TreeHouse's relative overhead for DOM operations is high, but its absolute costs are tolerable (to human users). With a small amount of engineering work, our prototype could be made ready for actual production use.

TreeHouse has a number of limitations. First, its trusted computing base (TCB) includes the browser and thus is not small (though the TCB exposes a minimal interface, namely a virtualized interface to Web Workers; see Section 3). Second, despite our best efforts, the guest code sometimes needs minor restructuring; however, the required code changes are few and easy to make (see Section 6). Third, while Web Workers are available in recent browsers and expected to become ubiquitous, we are currently in a transition period (see Section 2.4).

There is a lot of related work, and we cover it in detail in Section 7. For now, we just note that no other work that we are aware of virtualizes the browser in a backward-compatible way, requires no server or domain configuration, and protects against resource exhaustion attacks.

The contributions of this work, then, are as follows:
• Applying the operating systems ideas of sandboxing, virtualizing, and resource management to JavaScript.
• The design of TreeHouse, which instantiates these OS ideas without browser modification.
• The implementation and evaluation of TreeHouse.
2 Background

This section explains the aspects of the Web browser ecosystem that are relevant to TreeHouse.

2.1 Some details of modern Web browsers

A Web page is a document composed of HTML markup, CSS styles, and JavaScript (JS) code. HTML describes the structure and content of the document, CSS describes its visual presentation, and JavaScript [18] adds dynamic behavior. Browsers provide an API through JavaScript, called the Document Object Model (DOM), which represents the page as a tree of nodes with methods and properties. Scripts within a Web page use the DOM to examine and change the page. The browser also exposes an API through JavaScript that provides network access, multimedia capabilities, file access, asynchronous interrupts, and local storage. A notable class in this API is XMLHttpRequest (XHR), which allows a script to make an HTTP request. The browser restricts such requests, allowing them only to the document's origin, a tuple of (scheme, domain, port).³ This restriction is part of the Same Origin Policy (SOP), whose purpose is to contain information leaks. Consider a user with the authority to get data from a restricted site. If such a user visits a site with malicious scripts that issue XHRs as the user to the restricted site, then, in the absence of the SOP, the browser would permit the XHRs; the scripts could thus wrongly extract data and send it to the malicious site. The SOP prevents such leaks by regarding each origin as a separate security principal and then preventing the browser from becoming a channel that leaks information among principals.

Because of this model, scripts in documents from the same origin may access the DOMs of each other's documents but not the DOMs of documents from any other origin. Perhaps confusingly, the SOP includes exceptions to this rule for some types of content. For example, a document is permitted to include and execute scripts from other origins. However, the origin that the cross-origin script is assigned by the browser is the origin of the including document, not the origin from which the script was downloaded. For example, if a page from foo.com includes a script from bar.com, the browser allows the script to access content from foo.com but not bar.com.

³ This tuple is drawn from the document's URL; for example, the origin corresponding to https://www.example.com:1234/foo/bar.html is (https, www.example.com, 1234).
2.2 JavaScript

The following properties of JavaScript help TreeHouse in its goal of isolating scripts. First, a script cannot create a reference to an arbitrary memory location: a script can access only objects that it creates itself and objects that the browser hands to it. Second, JavaScript as a language provides no facilities for I/O, meaning that, with the exception of covert channels, scripts can communicate outside their environment only by using the browser's API. Finally, as of version 5.1 of JavaScript, scripts can freeze properties of objects. Once a property is frozen, further attempts to assign or delete its value have no effect.

2.3 Frames

Browsers ship with a mechanism called iframes that are intended to create a logically separate entity within an enclosing page. However, iframes do not provide the isolation that one might want. First, iframes run in the same thread as their enclosing page. If code blocks in an iframe, the whole page blocks. Second, iframes can consume resource budgets that the browser imposes on the entire page. For example, browsers limit the number of in-flight XHRs (to any origin and in total), and misbehaving code can exhaust this limit (as has been observed [8]).

2.4 Web Workers

JavaScript is single-threaded and does not support preemption. Absent further mechanism, then, a script must break up compute-bound tasks, periodically returning control to the browser's event loop, or else the page becomes unresponsive. This limitation has motivated Web Workers, a recent⁴ browser feature that lets documents run scripts in a "separate parallel execution environment" [2]. In all cases that we are aware of (desktops, smartphones, etc.), these separate environments are preemptively scheduled processes or threads, as provided by the underlying operating system. For computations that admit parallelism, then, Web Workers allow application developers to write code in a threaded style.

Web pages can create an arbitrary number of workers; each gets its own JavaScript environment. The origin assigned by the browser to those workers is the origin of the document that created the worker, called the parent document. A worker and its parent communicate using an asynchronous message-passing facility provided by the browser (called postMessage). Scripts are otherwise isolated: a script in a worker cannot import a reference to an object outside the worker or export a reference to an object inside the worker. Workers also do not have access to the DOM or most other browser resources. However, they can import scripts by URL, create child workers, and issue XHRs. The goal of Web Workers was concurrency, but TreeHouse repurposes them, as described in the next section.

⁴ Web Workers are part of the HTML5 specification [2] and are supported by the latest versions of all major browsers. Internet Explorer (IE) is a special case. As of this paper's publication, IE 10.0, which supports Web Workers, is in beta and expected to ship in 2012; when it does, IE's dominance is such that Web Workers will quickly be on a large majority of desktops.
3 Design of TreeHouse

3.1 Threat model and requirements

Threat model. Our threat model assumes that an honest user interacts with a Web application using an uncompromised and correct browser. The application is written by an honest author. We will assume that the following content is correct and served from uncompromised Web servers that are part of the author's trust domain: a distinguished HTML page (called the host page), a distinguished set of JavaScript, and any CSS and JavaScript directly included in the host page. The adversary can control the contents of any JavaScript, HTML or CSS that is downloaded from a server not under the author's control (for example, the adversary can supply the ad or framework code); this content is untrusted by the author, meaning that neither the author nor TreeHouse can depend on the correctness of this content. For prudence, an author aware of his imperfections (Dr. Jekyll) may wish to regard code that he himself wrote as being supplied by the adversary (Mr. Hyde), trusting only a minimal host page and the distinguished JavaScript.

Requirements. The design of TreeHouse is driven by the following requirements.

Isolate untrusted content. Before anything else, TreeHouse needs a mechanism for isolating content. (We make this notion more precise below.) Such content would ideally have no impact on the execution of TreeHouse or on the rest of the application, and limited impact on their performance.

Interpose on untrusted content. It is not sufficient for TreeHouse simply to isolate content. To perform useful work, content needs to communicate with the application, to affect the browser, and to consume browser resources. That is, the untrusted content may need to interact with the document's DOM, to gain access to cookies or files, to create Web Workers, and to consume outbound network requests and local storage. However, this impact needs to be controlled. Thus, TreeHouse must interpose on attempts by untrusted content to do useful work, to decide which attempts are permissible. This will allow TreeHouse to protect integrity (for example, by forbidding unauthorized modifications to the DOM), availability (for example, by disallowing scripts from over-consuming required local storage), and privacy (for example, by disallowing a script from consuming an outbound network request to another origin, since it could use such a request to leak data).

Manage resources at fine grain. TreeHouse must provide a way for application authors to express what access is permissible by guests, and what resources guests may consume. Consistent with the principle of least privilege [48], the granularity of permissions should be as fine as possible.

Figure 1 — Architecture of TreeHouse. Shaded portions are untrusted by the application. [figure not reproduced]

3.2 Overview of TreeHouse

Figure 1 depicts TreeHouse. For isolation, TreeHouse runs untrusted code in Web Workers (§2.4); once the code is running under TreeHouse in the Web Worker, we call it guest code or sandboxed code. For interposition, TreeHouse installs a broker in each worker that virtualizes the browser's resources. For example, the broker exports to the worker a Virtual DOM (VDOM) that looks to guests like the browser's API. Interposition also requires a monitor that runs in the JavaScript environment of the window or tab in which the user loaded the application. The monitor applies guests' VDOM modifications to the real DOM, and delivers DOM events to guests—if permitted. What is permitted (regarding the DOM and access to other browser resources) is decided by the application author, and the definition of this policy is the only application customization; the monitor is the same across Web applications. Communication between the guest script and the monitor is handled by the broker, using message passing (§2.4). For example, the broker translates VDOM changes into messages to the monitor.

The rest of this section details the isolation mechanism (§3.3), interposition and virtualization (§3.4), and how application authors express policy (§3.5).

3.3 Isolation

We say that script B is isolated from script A if (1) B cannot prevent A from running; and (2) B cannot access A's JavaScript environment. TreeHouse applies this notion to isolate untrusted scripts from the monitor and other application code. In the rest of this section, we describe how TreeHouse enforces (1) and (2). In short, TreeHouse uses Web Workers, which is perhaps surprising, since they were introduced for a different purpose.

For condition (1), each Web Worker runs in its own preemptively scheduled thread (§2.4), so the ability of a script inside a worker to affect the liveness of code outside it is restricted by the scheduling policy of the operating system. For example, if code in the worker enters an infinite loop, the performance of the system degrades but not to the point of preventing application code outside the worker from making progress.

For condition (2), we note that in a browser that correctly implements Web Workers (as assumed by our threat model), each worker has its own JavaScript environment. Moreover, JavaScript code cannot construct a reference to an object outside its environment (§2.2), and the only communication mechanism available to Web Workers, postMessage (§2.4), does not pass references. Thus, to isolate a script, it is sufficient to run that script in a worker; this isolates the script from the monitor and from scripts in other workers.
3.4 Interposition and virtualization

We now motivate and describe TreeHouse's interposition mechanism. Interposition is needed for two reasons.

The first reason is that isolating code in the sense above does not prevent it from doing harm. Consider a Web application that allows users to upload and retrieve photos, and to send and receive private messages. Assume for illustration that these two functions are implemented by two logical services at the application's origin. If a script in the application is "supposed" to invoke only the photos API, then, by the principle of least privilege, that script should in fact be limited to the photos API. However, a malicious script—even if isolated—can still invoke the messages API and thus forge messages from the user. The script can also leak messages, as follows. Any origin can import scripts from any other (as discussed in Section 2.1 in the context of the SOP). If the malicious script has gained access to the user's private messages by invoking the messages API, the script can then exfiltrate a message by "importing" a script from http://evil.com/script.js?private-message, thereby leaking the private-message to evil.com.

To prevent attacks like the ones above and others, TreeHouse requires some logic between the isolated code and the outside world. This interposing logic must protect not only privacy but also integrity (by disallowing unauthorized changes to the page seen by the user) and availability (by limiting the consumption of resources). This brings us to the second reason that interposition is needed: some of the third-party actions need access to actual browser resources (the DOM, XHRs, etc.) to get work done. Thus, the interposing logic must not only intercept various actions but also decide which of them are permissible.

Questions of interface and mechanism. There are now three interrelated questions that TreeHouse must answer:

(1) Through what interface should guest code request resources from TreeHouse's interposing logic? The challenge here is that scripts' resource requests need to be clear to TreeHouse (so it can decide whether to grant the request), yet the goal of deployability (§1) means that the script should not be altered to make requests through a new interface. TreeHouse's response to this challenge is reminiscent of trap-and-emulate [4] in the virtual machines context: TreeHouse virtualizes the browser's API and arranges to be invoked whenever a script requests access to a browser resource, whether that resource is one in the main application or in a Web Worker. But we now have a second question:

(2) What mechanism(s) should TreeHouse use to interpose and virtualize? The challenge here is that JavaScript has a wide interface to the browser. This interface is narrower in Web Workers but still not so very narrow. Web Workers can access information about the application (such as its URL), import scripts, make network requests, and create child Web Workers. In some browsers, workers can use local storage as well as any files that the user has permitted the application to access. Meanwhile, TreeHouse needs to interpose on all of these actions. This brings us to the third question:

(3) How should application authors express policy so that TreeHouse can decide whether to grant or deny a given resource request? The challenge here is ensuring a natural map between the language in which application authors express permissions and the implicit requests made by scripts. TreeHouse's approach here is to require application authors to express permissions in terms of the browser's API: the application author expresses which methods (and the arguments to those methods) guest code can use. Section 3.5 provides the details of policy expression. The rest of this section takes such a policy as a given and details TreeHouse's response to question (2).

Virtualizing the browser's API. Recall that TreeHouse's approach is reminiscent of trap-and-emulate. We first describe how TreeHouse arranges for traps and then how it performs the "emulate".

When TreeHouse creates a worker, it loads into the worker a script, called a broker, which is part of TreeHouse's trusted computing base (see Figure 1). The broker must (a) interpose on calls to the browser's API that are available in workers (issuing XHRs, etc.) and (b) create a virtual DOM and interpose on interactions with it (the DOM itself is not available in workers; see Section 2.4). For (a), before the guest code loads, the broker modifies the worker's environment to wrap each function in the browser's API with a new implementation that interposes the broker when the function is called. Specifically, the broker uses JavaScript's Object.defineProperty API to associate the function name with a new function, and to freeze (§2.2) the association between the name and the new function, which prevents guest code from undoing this environment manipulation. For (b), the broker constructs a VDOM (§3.2), which contains subtrees of the real DOM (the application decides which subtrees). The VDOM implementation that TreeHouse uses (§5) raises events when the guest modifies the VDOM, and the broker registers a handler for such events.

For the "emulate" piece, there are two flows to consider: guest invocations of the browser API and event delivery from the main browser to the guest. When guest code invokes the browser's API or modifies the VDOM, the broker, being interposed, first applies the application's access control policy, to decide whether the guest action is permitted. If it is not permitted, the broker terminates the guest. If it is permitted, then, with the exception of DOM changes and asynchronous API methods for which a native implementation is not available in a Web Worker, the broker completes the call itself. We note that completing the call may involve further interposition—on the return value. For example, if the return value is an object with methods, then the broker replaces those methods with functions that interpose the broker. In the case of DOM changes and asynchronous API methods, the broker delegates the request to the original browser API; to do so, the broker serializes the request and passes it to the monitor using postMessage. The monitor then makes the DOM modification or completes the API call. (We describe below how TreeHouse handles the mismatch between the synchronous interface to the VDOM and asynchronous postMessages.)

Event delivery is similar. If guest code wishes to register to be notified of a DOM event, then the broker receives the registration request and notifies the monitor. The monitor then registers its own generic handler in the application's DOM; when the event fires, the monitor notifies the broker, which re-raises the event in the VDOM on the handler registered by the guest.
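The "trap" half of the mechanism above, as an added example that is not TreeHouse's own code: a stand-in worker global scope (constructed here as a plain object; a real broker would do the same to the worker's own `self` before the guest script loads) whose XMLHttpRequest and importScripts bindings are replaced with interposing wrappers bound through Object.defineProperty with writable:false and configurable:false, so that the guest can neither reassign nor delete them, and whose constructed XHR objects come back as wrappers that interpose on every method (the interposition on the return value described above). The check callback examplePolicy and the names makeWorkerScope, bindImmutably, wrapInstance, installTraps and runGuest are this example's assumptions; the block runs under Node.js.

```javascript
// Added example (not TreeHouse's code): trapping worker-global API calls.

// Constructed stand-in for a worker's global scope. A real broker would run
// installTraps against the worker's own `self` before loading the guest.
function makeWorkerScope() {
  function XMLHttpRequest() { this.lastOpen = null; }
  XMLHttpRequest.prototype.open = function (verb, url, async) {
    this.lastOpen = { verb: verb, url: url, async: async };
    return 'opened';
  };
  XMLHttpRequest.prototype.send = function () { return 'sent'; };
  function importScripts(...urls) { return urls.length; }
  return { XMLHttpRequest: XMLHttpRequest, importScripts: importScripts };
}

// Bind `value` to `name` so the guest can neither reassign nor delete it
// (the "freeze the association" step, done with Object.defineProperty).
function bindImmutably(target, name, value) {
  Object.defineProperty(target, name, {
    value: value, writable: false, configurable: false, enumerable: true,
  });
  return target;
}

// Interposition on a return value: hand the guest a fresh object whose
// methods consult `check` and then forward to the hidden original instance.
// Neither the original instance nor its prototype becomes reachable.
function wrapInstance(inner, path, check) {
  const proto = Object.getPrototypeOf(inner);
  const wrapper = {};
  for (const method of Object.getOwnPropertyNames(proto)) {
    if (method === 'constructor' || typeof proto[method] !== 'function') continue;
    bindImmutably(wrapper, method, function (...args) {
      if (!check(path + '.' + method, args)) {
        throw new Error('TreeHouse: ' + path + '.' + method + ' denied');
      }
      return proto[method].apply(inner, args);
    });
  }
  return wrapper;
}

// The trap: replace each named global with a wrapper that consults `check`.
// After this runs, the originals survive only inside these closures.
function installTraps(scope, names, check) {
  for (const name of names) {
    const original = scope[name];
    bindImmutably(scope, name, function (...args) {
      if (!check(name, args)) throw new Error('TreeHouse: ' + name + ' denied');
      // `new.target` is set when the guest used `new`, i.e. a constructor call.
      if (new.target) return wrapInstance(new original(...args), name, check);
      return original.apply(this, args);
    });
  }
  return scope;
}

// Hypothetical policy callback: XHR may be constructed, opened only
// asynchronously, and sent; importScripts (whose URL can carry data to any
// origin) is denied outright.
function examplePolicy(path, args) {
  if (path === 'XMLHttpRequest' || path === 'XMLHttpRequest.send') return true;
  if (path === 'XMLHttpRequest.open') return args[2] === true;
  return false;
}

// What a guest can and cannot do once the traps are installed.
function runGuest(scope) {
  const trap = scope.XMLHttpRequest;
  try { scope.XMLHttpRequest = function Fake() {}; } catch (e) { /* TypeError in strict mode */ }
  try { delete scope.XMLHttpRequest; } catch (e) { /* TypeError in strict mode */ }
  const result = { trapSurvived: scope.XMLHttpRequest === trap };

  const xhr = new scope.XMLHttpRequest();
  result.asyncOpenOk = xhr.open('GET', '/api/photos', true) === 'opened';
  try { xhr.open('GET', '/api/photos', false); result.syncOpenDenied = false; }
  catch (e) { result.syncOpenDenied = true; }
  try { scope.importScripts('http://evil.example/script.js?secret'); result.importDenied = false; }
  catch (e) { result.importDenied = true; }
  return result;
}

function demo() {
  const scope = installTraps(makeWorkerScope(),
                             ['XMLHttpRequest', 'importScripts'], examplePolicy);
  return runGuest(scope);
}

console.log(demo());
```

In strict mode the guest's reassignment and delete throw a TypeError; in sloppy mode they silently fail; either way the trap survives. Two things a production broker must add that this example leaves out: forwarding of data properties such as readyState and responseText (the wrapper here exposes methods only), and the same treatment for every other worker global that can reach the network or spawn a worker (WebSocket, Worker, and in today's browsers fetch), since a single untrapped binding is enough for the guest to bypass the policy.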
As a final detail concerning virtualization, we note that the broker, when interposed, must sometimes do more than check permissions. As an example, we briefly consider the API to create Web Workers. If the guest (itself in a Web Worker) attempts (and is permitted) to construct a Web Worker, the broker invokes the browser's API to construct a new Web Worker, and returns an object that wraps that new worker. To maintain interposition in the new worker, the broker, which is now a parent broker, runs a child broker in the new worker. The child broker is identical in function to the parent except that, by default, it virtualizes only the interface that browsers expose in a Web Worker (no VDOM, etc.), as this is what a script that is intended to be run in a Web Worker would expect. The parent broker relays messages between the child broker and the monitor. TreeHouse virtualizes outbound network requests, file access, and local storage similarly.

A sync-vs-async mismatch, and some limitations. TreeHouse's approach to virtualizing the browser's API sometimes requires that the broker present a blocking interface; meanwhile, completing such a function or method call may require that the broker send an asynchronous postMessage to the monitor—and that the broker then return to the event loop so that it can receive the reply event (§2.4). The mismatch here is between a synchronous interface and an event-driven implementation, and there are two broad cases.

First, if the guest call can be "faked" by the broker, then the broker can present a synchronous interface and carry out the request asynchronously. For example, the broker presents a blocking interface to the VDOM and propagates changes to the application's DOM asynchronously. However, now TreeHouse must handle the equivalent of concurrent threads (the workers) sharing memory (the main DOM), where the threads have caches of that memory (the VDOMs in each thread). For simplicity, TreeHouse's response is to prevent sharing altogether: the monitor guarantees that a DOM node exists in at most one VDOM at once.⁵ We do not believe that this limitation will be onerous for application authors.

The second case is when the guest call cannot be faked by the broker. As an example, consider window.alert, which creates a dialog box that blocks the calling script. No alert method is available in Web Workers, so for the broker to display an alert, it would have to send a request to the monitor and then return to the browser's event loop to await the reply—which conflicts with the guest's expectation of a blocking call. TreeHouse does not handle this case; if guest code calls such a method, it fails with a runtime error. Fortunately, there are few such methods, and they are rarely used by third-party code.

⁵ An alternative approach would be to allow resources such as DOM nodes or cookies to appear in workers with either exclusive read-write access, or shared read-only access.

     1  '!api': {
     2    'XMLHttpRequest': {
     3      '!invoke': true,
     4      '!result': {
     5        // permit only asynchronous XHRs
     6        open: function(verb, url, async) {
     7          return async === true;
     8        },
     9
    10        '*': true  // default rule
    11      }
    12    }
    13  }

Figure 2 — The portion of TreeHouse's base access control policy that governs XHRs. The policy forbids synchronous XHRs.
3.5 Resource control policy

The application author manages the guest's access to resources by (a) deciding which DOM elements to place in the guest's VDOM and (b) expressing policies that govern the guest's interaction with the browser's API (including the VDOM). This section details the second aspect; the next section gives examples of both aspects.

At a high level, the application author expresses access control policy in terms of the browser's API: what calls are permitted, and what arguments to those calls are permitted. In more detail, the author creates a per-guest JavaScript policy object and hands this object to TreeHouse (see Section 5 for the details of this hand-off). To simplify slightly, the policy object implements a key-value map from browser API elements to permissions: the keys name browser API elements,⁶ and the values are rules. A rule can be a Boolean value, a function, or a regular expression. If the rule is the Boolean value True, then the guest is permitted to invoke the given method or set the given property. If the rule is a function, the broker, at permission check time, executes the function (which should evaluate to a Boolean) to decide whether the action is permitted. If the rule is a regular expression, then it refers to a property; in this case, the guest is permitted to set the given property to a value v if v matches the regular expression.

TreeHouse has a base policy that authors are not supposed to override. This policy is there for their protection (and TreeHouse's). For example, as depicted in Figure 2, the base policy specifies that guests must open XHRs (§2.1) asynchronously; otherwise, a guest could prevent the broker from running. For a given action by a guest to take place, it must be permitted by both the per-guest policy and the base policy.

⁶ The "keys" are structured hierarchically (reflecting the browser API's hierarchy), and can include wildcard components. This way, the author can use one rule to restrict the guest's use of an entire subtree of the hierarchy (say multiple API calls or elements).

TreeHouse ships with a default or reference policy, which whitelists unprivileged operations but denies everything else. For example, the reference policy forbids opening XHRs. This policy is 355 lines of code, including comments (and excluding unnecessary blacklisting for documentation). Overriding the reference policy need not be complex; we expect a typical policy to require 10–100 lines of code and no more than a few hours of work from the application author (see Section 6).

     1  var xhr = new XMLHttpRequest();
     2
     3  // initialize a request to get a list of the
     4  // first ten photos
     5  xhr.open('GET',
     6           '/api/photos?start=0&count=10', true);
     7
     8  // register a callback to be notified when
     9  // the XHR completes
    10  xhr.onreadystatechange = function(e) {
    11    if (xhr.readyState === 4) {
    12      if (xhr.status === 200) {
    13        console.log(xhr.responseText);
    14      } else {
    15        console.log("Error fetching photos");
    16      }
    17    }
    18  };
    19
    20  xhr.send(null);  // start the request

Figure 3 — Example code to issue an XHR (§2.1) to a Web service that delivers photos.
4 Examples

In this section we give several example uses of TreeHouse. Our first example illustrates how access control policies interact. We then describe containing advertisements and containing third-party widgets. Finally, we show how TreeHouse can protect a hypothetical plugin architecture (for example, by preventing exfiltration).

Limiting network access. Consider an author who—wishing to employ the principle of least privilege in the design of her application—breaks it into mutually distrusting components, each running in a TreeHouse sandbox. One such component is a script that displays a slideshow widget. The script obtains a list of photos to display from a Web service exposed on the application's origin and then renders the slideshow.

Figure 3 shows the guest's code for obtaining the list of photos. Because the default policy forbids constructing an XHR object, the code would fail at line 1. Thus, the author must override the default policy to give the guest code limited permission; Figure 4 depicts an example.

     1  '!api': {
     2    'XMLHttpRequest': {
     3      '!invoke': true,
     4      '!result': {
     5
     6        // permit GET requests to resources on
     7        // the application's origin whose URLs
     8        // begin with '/api/photos'
     9        open: function(verb, url, async) {
    10          return verb === 'GET' &&
    11                 url.indexOf('/api/photos') === 0;
    12        },
    13
    14        '*': true  // default rule
    15      }
    16    }
    17  }

Figure 4 — Policy that gives limited permission: guest code can issue XHRs freely but only to particular services.

Now when the broker intercepts the XHR constructor, it sees that !api.XMLHttpRequest.!invoke is True in both the guest policy and the base policy. The broker thus permits the construction and returns a wrapped XHR, as described in Section 3.4. When the script calls the wrapped XHR's open method (lines 5 and 6 of Figure 3), that call succeeds, since the relevant policies permit the arguments to open. In more detail, when the script calls xhr.open, the broker checks the !api.XMLHttpRequest.!result.open property in the guest's policy object. The value of that property is a function (lines 9–12 of Figure 4), and TreeHouse calls it with the arguments provided by the guest script. The function returns True (because the URL is policy-appropriate), so TreeHouse then checks the base policy (lines 6–8 of Figure 2), which also returns True (because the guest has specified an async XHR). The guest can also set onreadystatechange and call send (lines 10 and 20 of Figure 3) because the guest and base policies allow this through their default rule of !api.XMLHttpRequest.!result.*. Of course, the author could exert more fine-grained control by creating rules for properties and methods individually.
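An evaluator for policy objects of this shape, added here as an example and not part of TreeHouse: it transcribes the base policy of Figure 2 and the guest policy of Figure 4, adds a hypothetical ad policy with the in-flight counter sketched under "Containing advertisements" below together with a RegExp property rule, and implements the rule semantics of §3.5 as walked through above (hierarchical keys, a '*' wildcard fallback, Boolean, function and RegExp rules, and the requirement that both the base and the per-guest policy permit an action). How TreeHouse itself resolves keys is not specified on this page beyond footnote 6, so lookupRule, ruleAllows, permitted, xhrPath and makeAdPolicy are this example's assumptions; the block runs under Node.js.

```javascript
// Added example (not TreeHouse's code): evaluating hierarchical policy objects.

// Base policy governing XHRs, transcribed from Figure 2.
const basePolicy = {
  '!api': {
    'XMLHttpRequest': {
      '!invoke': true,
      '!result': {
        // permit only asynchronous XHRs
        open: function (verb, url, async) { return async === true; },
        '*': true, // default rule
      },
    },
  },
};

// Per-guest policy for the slideshow widget, transcribed from Figure 4.
const guestPolicy = {
  '!api': {
    'XMLHttpRequest': {
      '!invoke': true,
      '!result': {
        open: function (verb, url, async) {
          return verb === 'GET' && url.indexOf('/api/photos') === 0;
        },
        '*': true,
      },
    },
  },
};

// Hypothetical per-guest policy for an ad script: at most maxInFlight opens
// outstanding, plus a RegExp rule limiting what may be assigned to responseType.
function makeAdPolicy(maxInFlight) {
  let inFlight = 0;
  return {
    policy: {
      '!api': {
        'XMLHttpRequest': {
          '!invoke': true,
          '!result': {
            open: function () {
              if (inFlight >= maxInFlight) return false;
              inFlight += 1;
              return true;
            },
            responseType: /^(text|json)?$/,
            '*': true,
          },
        },
      },
    },
    // a broker would call this from its own readystatechange handler
    completed: function () { inFlight = Math.max(0, inFlight - 1); },
  };
}

// Walk `policy` along `path`, e.g. ['!api','XMLHttpRequest','!result','open'],
// falling back to a '*' sibling at each level. No rule found => undefined.
function lookupRule(policy, path) {
  let node = policy;
  for (const key of path) {
    if (node === null || typeof node !== 'object') return undefined;
    if (Object.prototype.hasOwnProperty.call(node, key)) node = node[key];
    else if (Object.prototype.hasOwnProperty.call(node, '*')) node = node['*'];
    else return undefined;
  }
  return node;
}

// Apply one rule: true permits; a function is called with the guest's
// arguments and must return true; a RegExp governs a property assignment and
// must match the single string value being assigned. Anything else denies.
function ruleAllows(rule, args) {
  if (rule === true) return true;
  if (typeof rule === 'function') return rule.apply(null, args) === true;
  if (rule instanceof RegExp) {
    return args.length === 1 && typeof args[0] === 'string' && rule.test(args[0]);
  }
  return false;
}

// An action is permitted only if every policy permits it. The base policy is
// listed first so a stateful guest rule (the in-flight counter) is never
// charged for an action the base policy rejects anyway.
function permitted(path, args, policies) {
  return (policies || [basePolicy, guestPolicy]).every(function (p) {
    return ruleAllows(lookupRule(p, path), args);
  });
}

function xhrPath(...rest) { return ['!api', 'XMLHttpRequest'].concat(rest); }

// The open() call of Figure 3 under base + guest policy: permitted.
console.log(permitted(xhrPath('!result', 'open'),
                      ['GET', '/api/photos?start=0&count=10', true]));
```

Note that every key absent from both policies (WebSocket, importScripts, a child Worker constructor) resolves to no rule and is therefore denied; that default-deny is what keeps the "Avoiding exfiltration" plugin below from reaching the network without the author having to enumerate each channel.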
Containing advertisements. The provenance of advertisements (ads) is often murky: sites generally display ads by delegating a piece of their page to an ad network, which may populate the space or redirect to another ad network, and so on. Indeed, ads routinely misbehave [8,57]. For these reasons, the best practice for a site selling space is to isolate an ad. Unfortunately, today's mechanism for such isolation, the iframe, does not eliminate attacks on availability (see Section 2.3). Under TreeHouse, in contrast, the application author can schedule and limit XHRs. For example, the author can associate !api.XMLHttpRequest.!result.open with a function that permits the method call only if the number of outstanding XHRs from the worker is below a given threshold. Or, given suitable hooks into the wrapping machinery, the application author can queue the open calls, sending them one at a time.

Figure 5 — Example script tag. The depicted block specifies that tetris.js should run in a TreeHouse sandbox and that tetris-policy.js is the sandbox's policy. [listing not reproduced]
Containingwidgets.
Considerasetofwidgets,eachofwhichdisplaysaone-tove-starratingnexttoanen-tryinaproductlist(e.
g.
,[7]);suchwidgetsaretypicallydrivenbyasinglescriptthatrunsintheapplication'spage.
Forprudence,theapplicationdeveloperwouldliketolimitthewidgets'inuence.
(Thedevelopercannotrelyoniframesbecause,forreasonsoflayout,eachwid-getwouldbeinaseparateiframe.
Withnproductsandthusnwidgets,performancewouldsuffer.
)UnderTree-House,thedevelopersandboxesthewidgetscriptandsetsitsVDOMtoincludeonlythelocationsinthedoc-umentwherethescriptshoulddisplayratingswidgets.
ThisprunedDOMcanbeconstructedprogrammatically,usingJavaScriptfunctionsthatmanipulatetheDOM.
Avoiding exfiltration. Consider a webmail service, ExampleMail, whose authors want to allow third-party developers to create plugins. In the status quo, such plugins would be an unacceptable security risk, as the plugins would be able to read mail and then exfiltrate it. Under TreeHouse, ExampleMail's authors can sandbox a plugin and grant it limited access to the text of emails, while preventing it from exfiltrating email. Take, for instance, a plugin that displays the word count of the currently selected message in the user's inbox. This plugin receives a VDOM that includes the email that the user is viewing together with a display element, where the plugin author will display the word count. The application's policy prevents network access (by disallowing access to XHRs, WebSockets, and those attributes of DOM nodes that can have a URL as their value, such as src) and rejects DOM changes unless the change is to a node that descends from the display element. At that point, the plugin has access to the current message and can display the word count, but it cannot exfiltrate or alter the message.
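The two policies sketched above (throttling api.XMLHttpRequest.result.open for an ad, and the ExampleMail plugin's no-network, display-element-only rules), worked through as an added example. This is not TreeHouse's code: the nested-object policy layout, the checkCall/checkDomChange helpers, the xhrDone hook and the minimal node shape are assumptions made here to show how such a policy evaluates.

```javascript
'use strict';

// Assumed policy layout (not TreeHouse's real format): an object that mirrors
// the virtualized API, where a leaf is true/false or a predicate that the
// broker calls and that returns true to permit the guest's call.

// Default-deny lookup of a dotted path such as "api.XMLHttpRequest.result.open".
function checkCall(policy, path, ctx) {
  let node = policy;
  for (const part of path.split('.')) {
    if (node === null || typeof node !== 'object') return false; // path too long
    node = node[part];
    if (node === undefined || node === false) return false; // unlisted or denied
    if (node === true) return true;                         // whole subtree allowed
  }
  return typeof node === 'function' && node(ctx) === true;  // non-leaf object => deny
}

// Ad policy: permit XHR open() only while fewer than maxOutstanding are in flight.
function makeAdPolicy(maxOutstanding) {
  let outstanding = 0;
  return {
    api: { XMLHttpRequest: { result: {
      open: () => (outstanding < maxOutstanding ? (outstanding++, true) : false),
      send: true,
    } } },
    // assumed hook the broker calls when a request completes
    xhrDone: () => { if (outstanding > 0) outstanding--; },
    outstanding: () => outstanding,
  };
}

// ExampleMail plugin policy: no network objects, no URL-valued attributes,
// and DOM changes only under the display element the plugin was given.
const URL_ATTRIBUTES = ['src', 'href', 'action', 'formaction', 'poster'];

function hasAncestorWithId(node, id) {
  for (let n = node; n; n = n.parent) if (n.id === id) return true;
  return false;
}

function makeExampleMailPolicy(displayId) {
  return {
    api: { XMLHttpRequest: false, WebSocket: false },
    dom: {
      canModify: (target) => hasAncestorWithId(target, displayId),
      canSetAttribute: (name) => !URL_ATTRIBUTES.includes(name.toLowerCase()),
    },
  };
}

// change = { target: node, attribute?: name }: an assumed mutation record.
function checkDomChange(policy, change) {
  const d = policy.dom;
  if (!d || !d.canModify(change.target)) return false;
  return change.attribute === undefined || d.canSetAttribute(change.attribute);
}

// Constructed VDOM for the word-count plugin: the viewed message plus a display element.
function buildPluginVdom() {
  const root = { id: 'inbox', parent: null };
  const message = { id: 'msg-1', parent: root, text: 'four words are here' };
  const display = { id: 'wordcount', parent: root };
  const span = { id: 'wordcount-text', parent: display };
  return { root, message, display, span };
}

function wordCountScenario() {
  const v = buildPluginVdom();
  const policy = makeExampleMailPolicy('wordcount');
  return {
    count: v.message.text.split(/\s+/).length,                   // the plugin may read
    writeCount: checkDomChange(policy, { target: v.span }),      // ...and write here
    alterMessage: checkDomChange(policy, { target: v.message }), // but not the message
    exfilViaSrc: checkDomChange(policy, { target: v.span, attribute: 'src' }),
    xhr: checkCall(policy, 'api.XMLHttpRequest.result.open'),
    socket: checkCall(policy, 'api.WebSocket'),
  };
}
```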
  method                              description
  start()                             start the sandbox
  terminate()                         terminate the sandbox
  addChild(node)                      add a node to the VDOM
  removeChild(node)                   remove a child from the VDOM
  addEventListener(type, function)    handle events from the sandbox
  postMessage(message)                send a message to the sandbox
  jsonrpcCall(method, args...)        make RPC call
  jsonrpcNotify(method, args...)      make RPC call (no return value)
  onPolicyViolation(function)         handle policy violations
  setPolicy(policy)                   set the access control policy

Figure 6 — API for managing TreeHouse sandboxes.
  component                       lines of JavaScript
  Monitor                         350
  Broker                          349
  Shared by monitor and broker    369
  Access control policy           794
  jsdom [17]                      127,652

Figure 7 — Lines of code in TreeHouse.
5 Integration and implementation

To integrate TreeHouse into a Web application, the author includes the TreeHouse monitor as traditional JavaScript inside the application page. There are two ways to sandbox a script. First, the author can include a script tag of type text/x-treehouse-javascript in the application's HTML, as illustrated in Figure 5. In this case, the browser creates a node for the script in the DOM but does not execute it (because it does not recognize the script type). When the browser loads the page, the monitor finds all such tags and creates sandboxes as appropriate. In this case, the author specifies the configuration options as attributes of the script tag; these options include which DOM subtrees the script may access, which worker to load the script into, and which policy applies to the script. The author's other choice is to invoke an API provided by TreeHouse, allowing the author to explicitly create a sandbox, set policy, etc. This API is depicted in Figure 6.

We have run TreeHouse successfully on Chrome, Safari, Firefox, and IE10. It is implemented in 1862 lines of JavaScript plus 127,652 for jsdom [17]. Jsdom is a server-side DOM implementation that we modified (with several hundred lines of code) to implement the VDOM. Figure 7 gives the breakdown (according to [42]). Besides jsdom, we use the underscore (v1.1.7) and RequireJS (v0.26.0) libraries for JavaScript utilities. We have not completed cookie virtualization or VDOM implementations of the new elements and API methods that the recent HTML5 standard introduces; this is future work.
Figure 8 — TreeHouse overhead on Dromaeo DOM benchmarks (TreeHouse slowdown, ×), reported as the geometric mean, over all benchmarks in a category, of TreeHouse's speed as a multiple of the baseline's; the columns are Chrome, Firefox, IE, and Safari, and the rows are dom-attr, dom-modify, dom-query, and dom-traverse. Empty entries result from browser incompatibilities or bugs. TreeHouse adds considerable relative overhead for DOM operations, but the absolute numbers are not high; see text.
6 Evaluation

To evaluate TreeHouse, we answer two questions: (1) What is the latency overhead from TreeHouse? and (2) How easy is it to incorporate TreeHouse into an application? We answer both questions by experimenting with various benchmarks and Web applications.

Our experiments run on a MacBook Pro with a 2.66 GHz Intel Core 2 Duo processor and 4 GB of RAM, running Chrome 18.0.1025.168, Firefox 10.0.2, IE 10.0.8250.0, and Safari 5.1.5 (7534.55.3). We run Internet Explorer in a Windows 8 Consumer Preview (build 8250) guest on VirtualBox 4.1.12.
Benchmarks. The Dromaeo benchmark suite [1] is large (188 benchmarks) and diverse. Its benchmarks either do not access the DOM (non-DOM benchmarks) or else hammer it (DOM benchmarks). We expect that the non-DOM benchmarks would not experience significant slowdown under TreeHouse whereas the DOM benchmarks would run slower (because TreeHouse intercepts only DOM modification). To experiment, we run the suite with and without TreeHouse (which requires minor changes to Dromaeo, to report results via postMessage), performing 10 runs for each of the aforementioned browsers. Our expectations about the non-DOM benchmarks mostly hold: some benchmarks run slower (2–7×, depending on the benchmark and the browser) with TreeHouse, and some run faster, though we are still investigating to understand the slowdown and the speedup. For the DOM benchmarks, our expectations also hold; we now delve into those results.

To organize the DOM benchmarks, we divide them into four categories: dom-attr, which stresses setting attributes on DOM elements; dom-modify, which stresses inserting and removing DOM elements; dom-query, which stresses DOM searches; and dom-traverse, which stresses DOM tree traversals. Figure 8 reports the results, in terms of the geometric mean of each category's overhead. As expected, TreeHouse imposes significant overhead on DOM operations. The largest overhead (by far) is in DOM queries, and this overhead is staggering.
However, the operations that TreeHouse has blown up are not expensive in absolute terms or likely to be executed often. For example, depending on the browser, TreeHouse imposes overhead of 13,000–120,000× on getElementsByTagName (which returns all DOM nodes of a particular type, such as IMG) when searching for a non-existent type. Yet even after the blowup, each call to getElementsByTagName takes slightly less than 1 ms. Moreover, a best practice in Web application development is to avoid DOM queries (by caching). We expect applications that follow this practice not to be significantly slowed under TreeHouse. Of course, applications that do not follow this practice would need changes to run efficiently under TreeHouse.

  page load latency (ms), mean (σ)
  Experiment                Chrome      Firefox    IE          Safari
  DOMTRIS, baseline         24 (8)      12 (1)     6 (3)       5 (1)
  DOMTRIS, TreeHouse        361 (46)    181 (4)    405 (18)    166 (34)
  118 KB page, baseline     25 (3)      5 (1)      11 (5)      22 (5)
  118 KB page, TreeHouse    976 (38)    880 (18)   1229 (66)   779 (12)
  Sandbox but no VDOM       350 (53)    136 (3)    323 (13)    132 (4)

Figure 9 — Page load latency, with and without TreeHouse. TreeHouse's setup costs include a fixed cost from sandboxing and a cost for VDOM population that varies with VDOM size.
Latency of page load. TreeHouse has two setup costs: sandbox setup (loading the guest into a worker, interposing the broker, etc.) and VDOM population. To assess both costs, we measure page load latency for DOMTRIS [50] (a JavaScript Tetris clone that uses the DOM to render the game and handle user input; the choice of application is borrowed from [40]) and a large Web page, with and without TreeHouse. To measure the page load latency, we include two scripts, one in the page's header and one at the end of its body, measuring the time elapsed between each. When we measure under TreeHouse, the second script waits for a message from the guest, indicating that VDOM population is complete. This approach exploits the fact that the browser guarantees to execute the second script only after the entire DOM is parsed. We perform 10 runs in each browser, collecting timing data from JavaScript's Date.now(), which reports time in milliseconds.

Figure 9 reports the results with and without TreeHouse. For DOMTRIS, the average overhead of TreeHouse (TreeHouse row minus baseline row) is 161–399 ms, depending on the browser (here and below, the range reflects the minimum and maximum over the four browsers in our experiments). For the large Web page, the average overhead of TreeHouse is 757–1218 ms. We hypothesize that the larger overhead in this case derives from the size of the Web page's VDOM, which translates to higher VDOM population costs. To try to separate the sandboxing and VDOM costs, we run an experiment that starts a TreeHouse sandbox with no VDOM; the average cost is 132–350 ms. TreeHouse's remaining costs come from application overhead and populating the VDOM.⁷

Usability for developers. TreeHouse requires two kinds of effort from developers: porting to TreeHouse and writing policies. We briefly assess each. To port DOMTRIS to TreeHouse, we had to change only 28 lines of code in DOMTRIS. We are also in the process of porting several frameworks to TreeHouse; this effort both enhances TreeHouse's usability (by letting developers run existing framework-based applications in TreeHouse) and gives a sense of the work required to port a complex application to TreeHouse. So far, with 2 extra lines of code in the Zepto framework [67], all but three of the Dromaeo benchmarks that target Zepto's interface (consisting of 28 microbenchmarks) run successfully against Zepto-in-TreeHouse in Chrome and Safari. With changes to 18 lines of code in the Prototype framework [45], all but three of the Dromaeo benchmarks that target the Prototype interface (consisting of 29 microbenchmarks) run successfully against Prototype-in-TreeHouse in Chrome, IE, and Safari. To evaluate the effort required to write real policies, we designed a sample policy for the ExampleMail plugin described in Section 4. The policy contains 41 lines of code and took approximately 30 minutes to write.

Summary. TreeHouse imposes significant overhead for "privileged operations", but, unless the application spends most of its time in such operations, total overhead should be far lower. TreeHouse also adds to initial page load latency, particularly when the VDOM is large. Porting applications to TreeHouse appears to require only modest effort, as does writing a non-trivial policy.
7 Related work

We survey related work by covering current browsers, isolation by frames, browser modification and redesign, language-based approaches, and related mechanisms.

Current browsers. The OP browser [24] creates a new process for each document. The Chrome browser, based on the Chromium project [5, 47], and Internet Explorer [65, 66] implement similar forms of isolation. These mechanisms, sometimes referred to as process-per-tab, allow the browser to contain site crashes and continue running. These mechanisms are orthogonal to TreeHouse: they isolate Web applications from each other but do not isolate scripts within a Web application.
⁷ Our experiments do not let us determine the VDOM population costs precisely. We want to solve for V in T = B + S + V, where T is the TreeHouse results, B is the baseline results, and S is the sandboxing cost. Unfortunately, we observe T and B but not S. Instead, our experiment observes S + E, where E includes costs that B also includes. Thus one can derive a range for V, by varying E between 0 and B.
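Carrying the footnote's bound through with the Figure 9 numbers, as an added worked example that is not part of the paper. Write $O = S + E$ for the observed cost of the sandbox-but-no-VDOM experiment; then

$$V = T - B - S = T - B - (O - E) = T - B - O + E, \qquad 0 \le E \le B,$$

so $T - B - O \le V \le T - O$. For the 118 KB page in Chrome ($T = 976$, $B = 25$, $O = 350$ ms) this gives $601 \le V \le 626$ ms, so VDOM population accounts for most of the setup cost there. For DOMTRIS in Chrome ($T = 361$, $B = 24$, $O = 350$ ms) it gives $-13 \le V \le 11$ ms: the interval straddles zero, so with a VDOM that small the bound does not separate $V$ from run-to-run variation ($\sigma = 46$ ms on the TreeHouse row).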
Frame isolation. Some schemes isolate JavaScript by using two browser features: the Same Origin Policy (§2.1) and iframes (§2.3). For example, SMash [31], Subspace [28], and OMOS [64] isolate scripts and components by running them in iframes served from different origins and then provide a mechanism for the iframes to communicate. AdJail [32] runs untrusted advertisement code in an iframe and then replicates changes to that iframe's DOM back to the main page.

All of these schemes contrast with TreeHouse as follows. First, unlike TreeHouse, they require the application to have a unique origin per isolated component. Second, as mentioned in Section 2.3, scripts in an iframe can interfere with the application's liveness, by going into an infinite loop or consuming resources; TreeHouse, in contrast, tolerates these cases (see Section 3.3). Third, these systems do not prevent the kind of information leaks detailed in Section 3.4 (their iframes can continue to "import" content from arbitrary locations).
Browser modification and redesign. We first summarize work that proposes browser re-architecture or modification and then explain why we avoided such changes.

The Atlantis browser [39] lets Web sites define their own layout, rendering, and scripting engines. Atlantis defines a small set of primitives and exposes them to sites. Applications can use Atlantis's primitives to achieve TreeHouse's goal: sandboxing scripts. In contrast, other proposals for new browsers protect Web sites from each other but do not isolate scripts within a site. As examples, the Tahoma browser [9] isolates Web applications in virtual machines, the Illinois Browser Operating System (IBOS) [53] proposes an operating system and browser that map browser abstractions to hardware abstractions, and the Gazelle browser [60] treats origins as principals in a multi-principal operating system, isolating their content in restricted or sandboxed OS processes.

Some browser extensions have goals that overlap with those of TreeHouse. MashupOS [59] makes the browser a multi-principal operating system for Web applications. BEEP [29] lets Web sites restrict the scripts that run in each of their pages. ConScript [38] enforces application-specified security policies. OMash [10] restricts communication to public interfaces declared by each page. BFlow [62] adds information flow tracking to the browser, allowing untrusted JavaScript to operate on private data without compromising confidentiality.

The above projects partially inspire TreeHouse. However, they require browser changes. Meanwhile, if a browser change requires application changes (and all of the above proposals do), authors must either wait for all supported browsers to make the change or maintain two versions of their application. And an author who supports an enhancement available in one or two browsers before it is adopted elsewhere takes the risk that other browser vendors choose not to add the feature at all. This risk is not small: browser vendors have historically been reluctant to implement new security features [27].
Language-based approaches. One way to isolate JavaScript is to constrain it to a subset of the language. Before this code is sent to the browser, it passes through a server-side verifier. Various projects apply this high-level approach, including Caja [41], FBJS [20], ADSafe [11], BrowserShield [46], work by Maffeis et al. [34, 35], and work by Barth et al. [6]. JSReg [25] uses regular expressions to rewrite untrusted scripts.

The primary disadvantage of restricted subsets is that few libraries are written in them. Moreover, these subsets preclude many popular JavaScript idioms (e.g., the this keyword), making programming more difficult. While the designers of these approaches have gone to great lengths to ease the porting burden, the process of translating from arbitrary JavaScript to the restricted subset still requires manual work.

Language-based approaches have several other disadvantages. First, the application must serve the verified code from a server under its control. As a result, applications cannot gain from the performance advantages of content distribution networks (CDNs), as mentioned in the Introduction. Second, many language isolation techniques employ runtime logic that interposes on all object property accesses, which imposes non-trivial overhead. TreeHouse, by contrast, can isolate scripts from any origin and interposes only on privileged operations.
Related mechanisms. Several projects use Web Workers, virtualize the DOM, or create containers for isolated code. Some of these projects have inspired TreeHouse, but none shares all of our goals.

JSandbox [23] and Bawks [55] prototype a low-level IPC mechanism by which application code can load code into a Web Worker and allow callbacks. They do not provide virtualization (§3.4) or resource control (§3.5).

TreeHouse borrows DOM virtualization from previous work with different goals. Jsdom [17] (whose implementation TreeHouse uses) and dom.js [3] aim to provide a convenient toolkit for manipulating Web pages; they are geared to environments such as server-side JavaScript, where there is no "native" DOM. Mugshot [40] virtualizes part of the client's DOM but does so to create a replay system; it does not isolate scripts. AdSentry [14] is geared to isolation and, like TreeHouse, it interposes on DOM operations, applies access control policies, and delegates to the native DOM. Unlike TreeHouse, however, AdSentry requires browser modification and does not protect the application's liveness: if the ad blocks, so does the application.

In concurrent work, js.js [54] takes a different approach to sandboxing. The authors implement a JavaScript interpreter in JavaScript; the interpreter runs untrusted code and exposes no privileged methods or properties by default. While js.js and TreeHouse share some goals, the performance characteristics are different: DOM changes in js.js run at "native speed", but everything else runs two orders of magnitude slower than native. Under TreeHouse, DOM changes are expensive, but everything else runs roughly at native speed.

Finally, TreeHouse is inspired by classic approaches to isolation. Traditional sandboxing [21, 22, 36, 49, 51, 58], applied to browsers by Native Client [61] and Xax [15], contains legacy x86 code that expects to interact with the system call interface or machine resources. TreeHouse, however, contains legacy JavaScript code that expects to interact with the browser's resources.
8 Discussion and conclusion

We briefly consider how future help from browsers could address TreeHouse's limitations. First, the blocking-vs-event-driven mismatch and its consequences (§3.4) could be addressed if browsers exposed a way for JavaScript code to receive a message synchronously. Second, TreeHouse relies on the assumption that a worker cannot access the application's DOM; thus, it would be a boon to TreeHouse if browsers standardized the interface that is visible within workers. Of course, the standardization that would most address TreeHouse's performance and compatibility limitations would be incorporating TreeHouse—or functionality like it—into browsers. Even if browser standardization does not come to pass, we believe that TreeHouse is promising: it is a practical, deployable, and usable way to give Web application authors fine-grained control over untrusted JavaScript code.
Acknowledgments

Insightful comments by John Hammond, Dave Herman, Jon Howell, Donna Ingram, James Mickens, Emmett Witchel, the anonymous reviewers, and our shepherd, Sam King, substantially improved this draft. This research was partially supported by AFOSR grant FA9550-10-1-0073 and by NSF grants 1055057 and 1040083. TreeHouse is housed at https://github.com/lawnsea/TreeHouse. The site includes the code that implements TreeHouse, the pages used in our experiments, and demos.
References

[1] Dromaeo: JavaScript performance testing. http://dromaeo.com/.
[2] HTML5 living standard. http://www.whatwg.org/specs/web-apps/current-work/multipage/.
[3] A. Gal et al. dom.js. https://github.com/andreasgal/dom.js.
[4] K. Adams and O. Agesen. A comparison of software and hardware techniques for x86 virtualization. In ASPLOS, 2006.
[5] A. Barth, C. Jackson, C. Reis, and the Google Chrome Team. The security architecture of the Chromium browser. http://seclab.stanford.edu/websec/chromium/chromium-security-architecture.pdf, 2008.
[6] A. Barth, J. Weinberger, and D. Song. Cross-origin JavaScript capability leaks: Detection, exploitation, and defense. In USENIX Security, 2009.
[7] http://www.bazaarvoice.com/.
[8] J. Bixby. Fourth-party calls: What you don't know can hurt your site... and your visitors, July 2011. http://www.webperformancetoday.com/2011/07/14/fourth-party-calls-third-party-content/.
[9] R. S. Cox, S. D. Gribble, H. M. Levy, and J. G. Hansen. A safety-oriented platform for web applications. In IEEE Symp. on Security & Privacy, 2006.
[10] S. Crites, F. Hsu, and H. Chen. OMash: Enabling secure web mashups via object abstractions. In ACM CCS, 2008.
[11] D. Crockford. ADsafe: Making JavaScript safe for advertising. http://www.adsafe.org.
[12] Department of Defense. Trusted computer system evaluation criteria (orange book), 1985. DoD 5200.28-STD.
[13] Dojo Team. Dojo toolkit. http://dojotoolkit.org/.
[14] X. Dong, M. Tran, Z. Liang, and X. Jiang. AdSentry: comprehensive and flexible confinement of JavaScript-based advertisements. In Annual Computer Security Applications Conference (ACSAC), 2011.
[15] J. R. Douceur, J. Elson, J. Howell, and J. R. Lorch. Leveraging legacy code to deploy desktop applications on the web. In OSDI, 2008.
[16] J. R. Douceur, J. Howell, B. Parno, M. Walsh, and X. Xiong. The Web interface should be radically refactored. In ACM Workshop on Hot Topics in Networks (HotNets), 2011.
[17] E. Insua et al. jsdom. https://github.com/tmpvar/jsdom.
[18] ECMA. ECMA-262: ECMAScript Language Specification, 5.1 edition, June 2011.
[19] Ext JS Team. Ext JS. http://www.sencha.com/products/extjs.
[20] Facebook Team. FBJS. http://developers.facebook.com/docs/fbjs/.
[21] B. Ford and R. Cox. Vx32: Lightweight user-level sandboxing on the x86. In USENIX Annual Technical Conference, 2008.
[22] T. Garfinkel, B. Pfaff, and M. Rosenblum. Ostia: A delegating architecture for secure system call interposition. In NDSS, 2003.
[23] E. Grey. JSandbox. https://github.com/eligrey/jsandbox.
[24] C. Grier, S. Tang, and S. T. King. Secure web browsing with the OP web browser. In IEEE Symp. on Security & Privacy, 2008.
[25] G. Heyes. JSReg: JavaScript regular expression based sandbox. http://code.google.com/p/jsreg/.
[26] W. Huang. "HDD Plus" malware spread through major ad networks, using malvertising and drive-by download, Dec. 2010. http://blog.armorize.com/2010/12/hdd-plus-malware-spread-through.html.
[27] C. Jackson. Crossing the chasm: Pitching security research to mainstream browser vendors. http://www.usenix.org/events/sec11/stream/jackson/index.html.
[28] C. Jackson and H. J. Wang. Subspace: Secure cross-domain communication for web mashups. In WWW, 2007.
[29] T. Jim, N. Swamy, and M. Hicks. Defeating script injection attacks with browser-enforced embedded policies. In WWW, 2007.
[30] jQuery Team. jQuery. http://jquery.com/.
[31] F. D. Keukelaere, S. Bhola, M. Steiner, S. Chari, and S. Yoshihama. SMash: Secure component model for cross-domain mashups on unmodified browsers. In WWW, 2008.
[32] M. T. Louw, K. T. Ganesh, and V. N. Venkatakrishnan. AdJail: Practical enforcement of confidentiality and integrity policies on web advertisements. In USENIX Security, 2010.
[33] T. Luo and W. Du. Contego: Capability-based access control for web browsers. In International Conference on Trust and Trustworthy Computing, 2011.
[34] S. Maffeis, J. Mitchell, and A. Taly. Object capabilities and isolation of untrusted web applications. In IEEE Symp. on Security & Privacy, 2010.
[35] S. Maffeis, J. C. Mitchell, and A. Taly. Isolating JavaScript with filters, rewriting, and wrappers. In European Conference on Research in Computer Security, 2009.
[36] S. McCamant and G. Morrisett. Evaluating SFI for a CISC architecture. In USENIX Security, 2006.
[37] L. A. Meyerovich, A. P. Felt, and M. S. Miller. Object views: Fine-grained sharing in browsers. In WWW, 2010.
[38] L. A. Meyerovich and B. Livshits. ConScript: Specifying and enforcing fine-grained security policies for JavaScript in the browser. In IEEE Symp. on Security & Privacy, 2010.
[39] J. Mickens and M. Dhawan. Atlantis: Robust, extensible execution environments for web applications. In SOSP, 2011.
[40] J. Mickens, J. Elson, and J. Howell. Mugshot: Deterministic capture and replay for JavaScript applications. In NSDI, 2010.
[41] M. S. Miller, M. Samuel, B. Laurie, I. Awad, and M. Stay. Caja: Safe active content in sanitized JavaScript, Jan. 2008. http://google-caja.googlecode.com/files/caja-spec-2008-01-15.pdf.
[42] CLOC: Count Lines of Code. http://cloc.sourceforge.net/.
[43] K. Patil, X. Dong, X. Li, Z. Liang, and X. Jiang. Towards fine-grained access control in JavaScript contexts. In Intl. Conference on Distributed Computing Systems (ICDCS), 2011.
[44] J. G. Politz, S. A. Eliopoulos, A. Guha, and S. Krishnamurthi. ADsafety: Type-based verification of JavaScript sandboxing. In USENIX Security, 2011.
[45] Prototype Team. Prototype. http://www.prototypejs.org/.
[46] C. Reis, J. Dunagan, H. J. Wang, O. Dubrovsky, and S. Esmeir. BrowserShield: Vulnerability-driven filtering of dynamic HTML. In OSDI, 2006.
[47] C. Reis and S. D. Gribble. Isolating web programs in modern browser architectures. In EuroSys, 2009.
[48] J. H. Saltzer and M. D. Schroeder. The protection of information in computer systems. Proc. IEEE, 63(9):1278–1308, Sept. 1975.
[49] M. Seaborn. Plash: tools for practical least privilege. http://plash.beasts.org/index.html.
[50] J. Seidelin. DOMTRIS: A DHTML Tetris clone. http://www.nihilogic.dk/labs/tetris/.
[51] C. Small and M. Seltzer. MiSFIT: Constructing safe extensible systems. IEEE Concurrency, 6(3):34–41, 1998.
[52] S. Souders. Performance of 3rd party content, Feb. 2010. http://www.stevesouders.com/blog/2010/02/17/performance-of-3rd-party-content/.
[53] S. Tang, H. Mai, and S. T. King. Trust and protection in the Illinois browser operating system. In OSDI, 2010.
[54] J. Terrace, S. R. Beard, and N. P. K. Katta. JavaScript in JavaScript (js.js): Sandboxing third-party scripts. In USENIX WebApps, 2012.
[55] P. Theriault. Bawks JavaScript sandbox. http://bawks.creativemisuse.com/.
[56] https://twitter.com/about/resources/widgets.
[57] A. Vance. Times web ads show security breach. The New York Times, page B5, Sept. 2009. http://www.nytimes.com/2009/09/15/technology/internet/15adco.html.
[58] R. Wahbe, S. Lucco, T. E. Anderson, and S. L. Graham. Efficient software-based fault isolation. In SOSP, 1993.
[59] H. J. Wang, X. Fan, J. Howell, and C. Jackson. Protection and communication abstractions for Web browsers in MashupOS. In SOSP, 2007.
[60] H. J. Wang, C. Grier, A. Moshchuk, S. T. King, P. Choudhury, and H. Venter. The multi-principal OS construction of the Gazelle Web browser. In USENIX Security, 2009.
[61] B. Yee, D. Sehr, G. Dardyk, J. B. Chen, R. Muth, T. Ormandy, S. Okasaka, N. Narula, and N. Fullagar. Native Client: A sandbox for portable, untrusted x86 native code. In IEEE Symp. on Security & Privacy, 2009.
[62] A. Yip, N. Narula, M. Krohn, and R. Morris. Privacy-preserving browser-side scripting with BFlow. In EuroSys, 2009.
[63] YUI Team. YUI. http://yuilibrary.com/.
[64] S. Zarandioon, D. D. Yao, and V. Ganapathy. OMOS: A framework for secure communication in mashup applications. In Annual Computer Security Applications Conference (ACSAC), 2008.
[65] A. Zeigler. IE8 and loosely-coupled IE (LCIE), 2008. http://blogs.msdn.com/b/ie/archive/2008/03/11/ie8-and-loosely-coupled-ie-lcie.aspx.
[66] A. Zeigler. Tab isolation, 2010. http://blogs.msdn.com/b/ie/archive/2010/03/04/tab-isolation.aspx.
[67] Zepto.js Team. Zepto.js. http://zeptojs.com/.