CONSCRIPT: Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser

Leo A. Meyerovich (University of California, Berkeley) and Benjamin Livshits (Microsoft Research)

Abstract

Much of the power of the modern Web comes from the ability of a Web page to combine content and JavaScript code from disparate servers on the same page. While the ability to create such mash-ups is attractive for both the user and the developer because of the extra functionality, code inclusion effectively opens the hosting site up to attacks and poor programming practices within every JavaScript library or API it chooses to use. In other words, expressiveness comes at the price of losing control. To regain that control, it is therefore valuable to provide means for the hosting page to restrict the behavior of the code that the page may include.

This paper presents CONSCRIPT¹, a client-side advice implementation for security, built on top of Internet Explorer 8. CONSCRIPT allows the hosting page to express fine-grained application-specific security policies that are enforced at runtime. In addition to presenting 17 widely-ranging security and reliability policies that CONSCRIPT enables, we also show how policies can be generated automatically through static analysis of server-side code or runtime analysis of client-side code. We also present a type system that helps ensure correctness of CONSCRIPT policies. To show the practicality of CONSCRIPT in a range of settings, we compare the overhead of CONSCRIPT enforcement and conclude that it is significantly lower than that of other systems proposed in the literature, both on micro-benchmarks and on large, widely-used applications such as MSN, GMail, Google Maps, and Live Desktop.

Keywords: JavaScript; Web and client-side programming; aspects; browsers; language security; security policies

¹ The name CONSCRIPT has been chosen to reflect our desire to restrict malicious script.

I. INTRODUCTION

Much of the power of the modern Web comes from the ability of a Web page to combine HTML and JavaScript code from disparate servers on the same page. For instance, a mash-up such as a Yelp! page describing a restaurant may use APIs from Google Maps to show the restaurant's location, jQuery libraries to provide visual effects, and Yelp APIs to obtain the actual review and rating information. While the ability to create such client-side mash-ups within the same page is attractive for both the user and the developer because of the extra functionality this provides, by including untrusted JavaScript code the hosting page effectively opens itself up to attacks and poor programming practices from every JavaScript library or API it uses. For instance, an included library might perform a prototype hijacking attack [1], drastically redefining the behavior of the remainder of the JavaScript code on the page.

CONSCRIPT, a browser-based aspect system for security proposed in this paper, focuses on empowering the hosting page to carefully constrain the code it executes. For example, the hosting page may restrict the use of eval to JSON only, restrict cross-frame communication or cross-domain requests, allow only white-listed scripts to be loaded, limit popup window construction, limit JavaScript access to cookies, disallow dynamic IFRAME creation, etc. These constraints take the form of fine-grained policies expressed as JavaScript aspects that the hosting page can use to change the behavior of subsequent code. In CONSCRIPT, this kind of behavior augmentation is done via the script include tag, which provides a policy as follows:

<SCRIPT SRC="script.js" POLICY="function () {...}">

With CONSCRIPT, the first general browser-based policy enforcement mechanism for JavaScript to our knowledge, at a relatively low cost of several hundred lines of code added to the JavaScript engine, we gain vast expressive power. This paper presents 17 widely-ranging security and reliability policies that CONSCRIPT enables. To collect these policies, we studied bugs and anti-patterns in both "raw" JavaScript and popular JavaScript libraries such as jQuery. We also found bugs in, and have rewritten in CONSCRIPT, many of the policies previously published in the literature [2, 3]. We discovered that in many cases a few lines of policy code can be used instead of a new, specialized HTML tag. Our experience demonstrates that CONSCRIPT provides a general enforcement mechanism for a wide range of application-level security policies. We also show how classes of CONSCRIPT policies can be generated automatically, with static analysis of server-side code or runtime analysis of client-side code, removing the burden on the developer of specifying the right policy by hand. Finally, we propose a type system that makes it considerably easier to avoid common errors in policies.

We built CONSCRIPT by modifying the JavaScript interpreter in the Internet Explorer 8 Web browser. This paper describes our implementation, the correctness considerations one has to take into account when writing CONSCRIPT policies, and the results of our evaluation on a range of benchmarks, both small programs and large-scale applications such as MSN, GMail, and Live Desktop.

A. Contributions

This paper makes the following contributions.

Security aspects in the browser. We present a case for the use of aspects for enforcement of rich application-specific policies by the browser. Unlike previous fragile wrapper or rewriting aspect systems for the Web and dynamic languages, we advocate deep aspects that are directly supported by the JavaScript and browser runtimes. Modifying the JavaScript engine allows us to easily enforce properties that are difficult or impossible to fully enforce otherwise.

Correctness checking for aspects. CONSCRIPT proposes static and runtime validation strategies that ensure that aspects cannot be subverted through common attack vectors found in the literature.

Policies. We present 17 wide-ranging security and reliability policies. We show how to concisely express these policies in CONSCRIPT, often with only several lines of JavaScript code. These policies fall into the broad categories of controlling script introduction, imposing communication restrictions, limiting dangerous DOM interactions, and restricting API use. To our knowledge, this is the most comprehensive catalog of application-level security policies for JavaScript available to date.

Automatic policy generation. To further ease the policy specification burden on developers, we advocate automatic policy generation. We demonstrate two examples of directly enforcing CONSCRIPT policies automatically generated through static or runtime analysis.

Evaluation. We implemented the techniques described in this paper in the context of Internet Explorer 8. We assess the performance overhead of our client-side enforcement strategy on the overall program execution of real programs such as Google Maps and Live Desktop, as well as on a set of JavaScript micro-benchmarks previously used by other researchers. We conclude that CONSCRIPT results in runtime enforcement overheads that hover around 1% for most large benchmarks, which is considerably smaller than both the time and space overheads incurred by implementations previously proposed in the literature.

B. Paper Organization

The rest of the paper … results. Finally, Sections VIII and IX describe related work and conclude.

II. OVERVIEW

This section presents an overview of the use of advice to enforce security and reliability properties in a browser.

A. Browser Enforcement of Application Policies

Many Web security policies are being proposed for both browsers and Web applications [4–6]. Similarly, corresponding enforcement mechanisms at the browser and script levels are also being advocated. These proposals highlight the diverse nature of Web security policies and suggest that the security concerns of a Web application are often orthogonal to those of the browser.

Currently, when determining how to enforce the security policies of a Web application by using browser-level or script rewriting and wrapping approaches, there are large trade-offs in granularity, performance, and correctness [7–9]. We propose to expose browser mechanisms and to make them accessible through an advice system. Doing so lowers performance and code complexity barriers for current cross-cutting security policies (and for those that have been too difficult or onerous to implement). Furthermore, enabling applications to deploy their own policies decreases the reliance upon browser upgrades to mitigate security threats.

B. Motivating Policy Example in CONSCRIPT

We start our description of CONSCRIPT advice by showing a motivating example of how it may be used in practice. One feature of the JavaScript language that is often considered undesirable for security is the eval construct. At the same time, because this construct is often used to de-serialize JSON strings, it is still commonly used. A naïve approach to prevent unrestricted use of eval involves redefining eval as follows:

window.eval = function(){/* ...safe version... */};

However, references to the native eval function are difficult to hide fully. This is because window.eval and window.parent.eval, for instance, are both aliases for the same function in the JavaScript interpreter. Are there other access paths specified by Web standards, or, perhaps, provided by some non-standard browser feature for a particular release? Another issue is that some native JavaScript
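The fragility of the wrapper approach described above, shown as an added example that is not code from the paper or from the CONSCRIPT implementation. The around helper is a script-level stand-in for advice, installed by overwriting a global property; CONSCRIPT's deep aspects live inside the engine instead, which is exactly what this example cannot do. Because it runs under Node.js rather than in a browser, there is no window.parent: a reference to the native eval captured before the wrapper is installed stands in for the second alias (an assumption of this example, as is the JSON-only policy).

```javascript
// Added example, not code from the CONSCRIPT paper or its IE8 implementation.
// Shows script-level "around" advice installed by wrapping a global function,
// and why such wrappers are fragile: any other alias of the native function
// bypasses them entirely.

// Around advice in plain script: replace obj[name] with a function that lets
// `advice` decide whether, and with what arguments, the original is called.
function around(obj, name, advice) {
  const original = obj[name];
  obj[name] = function wrapped(...args) {
    return advice(original, args, this);
  };
  return original;
}

// In a browser, window.parent.eval is a second alias for the same native eval
// object as window.eval. Outside a browser there are no frames, so (assumption
// of this example) a reference captured before wrapping plays that role.
const nativeEvalAlias = globalThis.eval;

// Policy (assumed, not from the paper): eval may only de-serialize JSON text.
function jsonOnlyEvalAdvice(originalEval, args) {
  const src = args[0];
  if (typeof src !== "string") return src;   // eval(nonString) returns it unchanged
  try {
    JSON.parse(src);                          // must be syntactically JSON, nothing else
  } catch (e) {
    throw new Error("policy violation: eval restricted to JSON");
  }
  // Indirect call of the native function; parentheses keep "{...}" an object literal.
  return originalEval("(" + src + ")");
}

// Run fn(src) and record whether it succeeded, without letting exceptions escape.
function attempt(fn, src) {
  try {
    return { ok: true, value: fn(src) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

around(globalThis, "eval", jsonOnlyEvalAdvice);

// Constructed inputs: one JSON document, one payload that sets a global marker.
const jsonInput = '{"user": "alice", "admin": false}';
const payload = 'globalThis.escaped = true; 42';

// Through the wrapped global the policy holds: JSON is parsed, code is rejected.
const jsonViaWrapper = attempt(globalThis.eval, jsonInput);
const codeViaWrapper = attempt(globalThis.eval, payload);
const escapedAfterWrapperAttempt = globalThis.escaped;   // still undefined

// Through the alias the wrapper is never consulted and the same payload runs.
const codeViaAlias = attempt(nativeEvalAlias, payload);
const escapedAfterAliasAttempt = globalThis.escaped;     // now true
```

The wrapper only guards the one property it overwrote. In a browser the same native function is also reachable through every same-origin frame's window, and string-evaluating APIs such as the Function constructor or setTimeout with a string argument are further code-execution paths that a wrapper on eval alone never sees; this is the enumeration problem the question in the text points at, and the reason the paper moves enforcement into the engine.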