James Mickens Mohan Dhawan Your web browser Our Claim Web browsers are a horrifying platform APIs are too complex Implementations are too brittle Writing robust apps is too hard Our Solution ID: 418528
Download Presentation The PPT/PDF document "Atlantis: Robust, Extensible Execution E..." is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
Slide1
Atlantis: Robust, Extensible Execution Environments for Web Applications
James Mickens
Mohan DhawanSlide2
Your web browserSlide3
Our Claim
Web browsers are a horrifying platform!
APIs are too complex
Implementations are too brittleWriting robust apps is too hard
Our Solution
HTML
CSS
JavaScript
Monolithic browser
HTML/CSS parser
DOM tree
Layout/rendering
Scripting runtime
Atlantis
exokernel
HTML/CSS parser
DOM tree
Layout/rendering
Scripting runtime
HTML
CSS
JavaScript
Pages manage their own complexity!Slide4
Why Do We Need Another Browser?Slide5
The “Web Protocol”
HTML
CSS
Core JavaScript
DOM Storage
Web workers
Silverlight
PDF
<video> tag
Web sockets
Java
HTTPS
HTTP
JavaScript DOM Bindings
<canvas> tag
file://
JSON
Data URIs
Quicktime
Flash
Which version
does the browser use?Slide6
No Single Browser Will Ever Get It Right
Theory
PracticeSlide7
Each Browser Will Fail In Different Ways
Monster
Other
Monster
Firefox
IESlide8
Outline
The Adversarial Web Browser: Case StudiesAtlantis: Design and ImplementationEvaluationRelated WorkSlide9
Let Me Teach You About Life
Web browsers are
terrible and buggy.
Bah! I use JS libraries like
jQuery
to hide the complexity.
You are foolish and hysterical.Slide10
What You Think
Your Web App
jQuery
Nice, browser-neutral interface
Largely tolerable browser APIs
BrowsersSlide11
What You Think
Your Web App
jQuery
Nice, browser-neutral interface
Browsers
What Is
Largely tolerable browser APIsSlide12
Your Web App
jQuery
Partially browser-neutral interface
Browsers
What Is
Flaky, semi-consistent APIsSlide13
Why the Suicide Rate for Web Developers
is 89%Slide14
James Mickens vs. Browsers:Event Handling
<html>
<div>
<button>
Click me!
</button>
</div>
</html>
<html>
<div>
<button>
captureHandler
(
evt
)
bubbleHandler
(
evt
)
targetHandler
(
evt
)
“Official” event model
1) Capture phase2) Target phase3) Bubble phase
Event
I’d like support for the official three-phase model.
Ok!
Ok!
I WILL NOT SUPPORT
THE CAPTURE PHASE.
Lolz
.
9
8-Slide15
Problem: Different browsers have different DOM tree implementations!Slide16
James Mickens vs. Browsers:Event Handling, Part 2
I’d like you to fire a blur event when the input focus changes.
Enter your name:
j
a
m
e
s
Focus!
Blur!
Ok!
Sometimes I’ll fire the event,
but sometimes I won’t.
Rofl
.
I’ll generate
multiple
events for
each
blur.Slide17
!=Slide18
James Mickens vs. Browsers:Layout and Rendering
I’d like to specify an element’s size
as a
percentage of the enclosing element.
<html>
<div width=“49.5%”>
</div>
<div width=“50.5%”>
</div>
</html>Slide19
James Mickens vs. Browsers:
Layout and Rendering
I’d like to specify an element’s size
as a
percentage of the enclosing element.
<html>
<div width=“49.5%”>
</div>
<div width=“50.5%”>
</div>
</html>Slide20
Problem: HTML/CSS parsing and layout engine are completely opaque to the web page!
?
Markup parser +
layout engine
<html>
<head>
<body>
<title>
<div>
<div>
HTML
CSSSlide21
James Mickens vs. Browsers:Extending the
JavaScript Runtime
I’d like to introspect/extend objects
without the crippling fear that I’ll wedge my browser.Help me help myself.
This “should” “work”.
Except when it won’t.
Also, I’m dating your mom.
//Application code
obj.f
= function(){return 42;};
//Third-party diagnostic code
//[e.g.,
Mugshot@NSDI
2010] might
//do something like this . . .
oldF
=
obj.f
;
obj.f
= function(){
mugshot.logCall
(oldF); return
oldF(); };Slide22
Problem: Opaque dependencies between C++ objects in browser and reflected versions in JavaScript!
function
addEventListener
(
eName
, callback){
nativeInvoke
([“__
addListener
”,
evtName
,
callback
]);
}__addListener(e,c
){
//C++ code}
JavaScript (“user” layer)
C++(“kernel” layer)
DOMnode
Unfathomable
browserSlide23
Problem: Opaque dependencies between C++ objects in browser and reflected versions in JavaScript!
function
addEventListener
(
eName
, callback){
nativeInvoke
([“__
addListener
”,
evtName
,
callback
]);
}JavaScript (“user” layer)C++
(“kernel” layer)
DOMnode
Unfathomable
browser
__
addListener
(
e,c
){ //
C++ code
}Slide24
How do we fix all of this?Slide25
Outline
The Adversarial Web Browser: Case StudiesAtlantis: Design and ImplementationEvaluationRelated WorkSlide26
Monolithic BrowserSlide27
OP (Oakland 08)
Rhino
KHTML
No change in extensibilitySlide28
Atlantis
Per-instance kernel
Defined by web page!
Executes
Syphon
code
1 process w/
3 C#
AppDomainsSlide29
Atlantis: Defining the Web Stack
Load foo.html.
It shall be done.
HTMLSlide30
Atlantis: Defining the Web Stack
Load foo.html.
It shall be done.
HTMLSlide31
Atlantis: Defining the Web Stack
<environment>
<compiler=‘http://foo/compiler.syp’>
<markupParser=‘http://bar/mParser.js’> <runtime=‘http://baz/runtime.js’>
</environment>
Syphon Interpreter
compiler.syp
mParser.syp
runtime.syp
mParser.js
High-level application runtime
DOM tree
AJAX library
Layout and
Rendering
Atlantis kernel
Bitmap rendering
Frame creation and destruction
Cross-frame messaging
Low-level GUI events
Blocking/non-blocking
HTTP socketsSlide32
Atlantis: Defining the Web Stack
Syphon Interpreter
<html>
.
.
.
</html>
JScompiler.syp
HTML+CSSparser.syp
DOM.syp
By default, thy gets a
backwards-compatible
stack.
I cannot
findeth
an
<environment> tag.Slide33
Atlantis: Defining the Web Stack
Syphon Interpreter
<html>
.
.
.
</html>
JScompiler.syp
HTML+CSSparser.syp
DOM.syp
By default, thy gets a backwards compatible stack.
It’s all made of JavaScript!Slide34
Common case: You don’t write
the (extensible!) web stackSlide35
Facebook
Microsoft
jQuerySlide36
Outline
The Adversarial Web Browser: Case StudiesAtlantis: Design and ImplementationEvaluationRelated WorkSlide37
Extensibility
DOM nodes have an
innerHTML
propertyAssign a string to dynamically update DOM treeAllows for cross-site scripting attacks!Want: Ability to shim innerHTML and automatically install a sanitizer
var
comment = document.getElementById(“commentBox”);var
contentParent
=
document.getElementById
(“parent”);
contentParent.innerHtml
=
comment.value
; //What if this is
//JavaScript source?Slide38
DON’T WORRY ATLANTIS CAN HELP YOUSlide39
In Atlantis, to change the DOM tree implementation:YOU JUST DO ITThe entire implementation belongs to you!
Don’t have to wait on browser vendors!
ExtensibilitySlide40
Page Load TimesSlide41
MicrobenchmarksSlide42
Outline
The Adversarial Web Browser: Case StudiesAtlantis: Design and ImplementationEvaluationRelated WorkSlide43
Microkernel browsers: OP, Gazelle, ServiceOS
Isolate commodity JS engines, HTML renderers, etc.Better security . . .. . . but same extensibility, robustness
Related WorkSlide44
JavaScript abstraction frameworksJavaScript libraries:
jQuery, mooTools, PrototypeCompile-to-JavaScript: GWT, Script#Extremely useful!
However, they can’t . . .Hide all browser quirksMake black-box components introspectable
Related WorkSlide45
Conclusions
Web browsers have a lot of potential . . .Slide46
Conclusions
The aggregate “web protocol” is big and complex!No individual browser can get it all rightDifferent browsers will fail in different waysSlide47
Conclusions
Atlantis: an exokernel browserKernel handles low-level networking, GUI events, bitmap rendering
Application defines higher-level abstractionsAdvantagesStrong securityPowerful extensibilitySlide48Slide49
Primary Atlantis Kernel CallsSlide50
Atlantis: Advantages over Gazelle
SecurityAtlantis provides better isolation w/per-instance kernelsAtlantis isolates intra-domain components
ExtensibilityGazelle uses IE to provide a web stack; default Atlantis stack written in pure JavaScriptAtlantis lets pages dynamically define new runtimes without user interventionSyphon
interpreter provides new isolation abstractionsSlide51
Let’s Just Use Java And Wash Our Hands of the Entire Sordid Affair™Slide52
DISASTERSlide53