Optimizing for the Modern Web on the ARM Architecture

Evens Pan
Strategic Software Alliance, ARM

Question…
What is the most popular Programming Language?
[Image source: American art and American art collections; essays on artistic subjects by the best art writers. Volume 2. Boston, E.W. Walker & Co. 1889. Author: Walter Montgomery]

The 3 pillars of the modern Web
• 4 Billion Web Pages in the World today
• Or is that 4 Billion Web Apps?
[Image: Creative Commons Attribution-Share Alike 3.0 Unported license. Author: Matthias Kabel]

From Browser to OS Platform
• Web Apps are now:
  • Offline first
  • Out of browser
  • Rich and immersive
  • >100,000 lines of JavaScript
  • Providing access to device peripherals

What Web App performance really means
• Benchmarking is irrelevant!*
• Neither Google nor Mozilla care that much
• What matters is end-user experience
• Dropped frames are the currency of performance
• https://wiki.mozilla.org/Project_Eideticker
• http://jankfree.org/
* This is a systems integration perspective that assumes you have done your best with the components already

Building the new Smartphone OSes
[Image: 云OS]

JavaScript: The Assembly Language for the Web
[Diagram: Google Web Toolkit: Java, compiled by the Google GWT compiler to JavaScript. Mozilla emscripten: C/C++, compiled via LLVM to JavaScript.]

JavaScript Improvements
• Single Page Apps (SPA) exceed 100,000 lines of JavaScript
• Google Web Apps spend 50-70% of their time in V8 JavaScript Engine
• ARM working on Google V8 JavaScript Engine for 3 years
• 2010: Cortex-A9 was 35% slower than Atom on V8 benchmark*
• 2013: Cortex-A9 is 25% faster than Atom on V8 benchmark*
• 2012-2013 JavaScript on Desktop improved 24% and 57% in Mobile+
• Cortex-A15 optimizations to V8 made this possible
• ARM Team now has Commit Rights to V8 JavaScript codebase
* Clock-for-clock
+ Google IO 2013

Profiling JavaScript HTML5 Execution
• ARM created an extension to Mozilla and Webkit Browsers
• Developers can see hotspot analysis while specific JavaScript is executing
• You can zero in on key areas to optimize in your browser engine for web Apps
• You can find bottlenecks in specific web Apps

Firefox Mobile OS: A True Web-based Platform
• Firefox Mobile OS uses Android Kernel
• ARM has integrated Streamline
• Full profiling of Firefox Mobile OS from Web Apps to Kernel
• Improved performance from 5fps to 25fps
[Stack diagram, top to bottom: User Interface & Apps; Mozilla Gecko Web Engine; Standard APIs (JavaScript): Contacts, NFC, Camera, Bluetooth, SMS, Telephony, Audio, Location, Settings; Android Kernel / OS Kernel (e.g., Android & Linux, etc.); Device Driver Framework; Device Hardware]
Slide date: 12/17/2013

LLVM for Native Web Apps
• Portable Native Client (PNaCl)
• Compiles C/C++ code to LLVM bitcode
• Some restrictions on constructs
• Bitcode is translated on device to native code
• Runs in browser sandbox on device
• Better than 80% of native performance
• PNaCl will hit the stable channel with Chrome 31 in a few weeks
[Diagram: C/C++ Code; NaCl SDK, PNaCl Cross Compiler; pexe portable executable (LLVM Bitcode) and HTML5; Internet Browser; LLVM Backend Translator; ARMv7 CPU (VFP, NEON)]

Optimizing WebRTC via VP9
“WebRTC is a new front in the long war for an open and unencumbered Web.” Brendan Eich, Mozilla CTO
• Already supported by 1 Billion Browsers worldwide
• DTLS Encrypted connection by default
• Video, Voice and arbitrary reliable/unreliable low latency data
• Peer-to-Peer as well as Peer-to-Server
• Google Hangouts will use WebRTC in the future
• WebRTC uses the VP9 video codec in the Chrome Browser
• Linaro have optimized VP9 decoder using NEON technology
• Improved performance in some paths by up to 20%
• http://www.webmproject.org/code/contribute

Performance Ping Pong Continues
[Diagram labels: Graphics, JavaScript]

Improving Graphics - Optimizing the other 30%-50%
• University of Szeged Webkit nullport aka GL2D port - research
• Replacing everything below Graphics Context API with a new OpenGL ES 2.0 library
[Diagram labels: GL2D, Skia]

Font rendering – a prototype of multi-core
• A prototype test shows the relationship between performance increase and the number of glyph queries
[Chart: normalized time (0 to 1.4) against # of glyph queries (1 to 13); series: single 24px, dual 24px]
• Modification in chromium/skia also shows that we can get about 40% performance increase on a pure CJK text webpage on the first load
• Most glyphs can be found in cache for European languages
• Most glyphs can be found in cache if CJK text always displayed at the same size

Path filling – A patch for scanline by CPU multi-core
• Case 1: Composite 4 complex polygons
  • Original: 2.22 ms
  • Patched (2 threads): 2.01 ms
  • Improvements: 10%
• Case 2: Composite 4 polygons (large size)
  • Original: 5.6 ms
  • Patched (2 threads): 4.0 ms
  • Improvements: 40%

New Beginnings of Multicore Browsers
• 2010-2012 Webkit
  • ARM & Szeged found limited improvement
  • Codebase large
  • Limited SMP ability
• 2009-2011 Gecko
  • Electrolysis project to split into threads
  • Improved stability
  • Limited performance improvement
• 2013 Google Announce <blink>
  • Webkit fork to underlie Chrome/Chromium
  • Focus on improvements for modern SoCs
• 2013 Mozilla Announce Servo
  • New experimental browser for modern SoCs
  • Designed for multicore
  • Built with new language Rust
  • Rust compiler uses LLVM

The 3 pillars of the modern browser
• Performance Critical Ingredient Technologies
• Skia
• Optimization, Stabilization, Improvement
[Image: Creative Commons Attribution-Share Alike 3.0 Unported license. Author: Matthias Kabel]

JIT Tooling for ARM Architecture
[Diagram label: V8]

VIXL A64 dynamic code generation toolkit
• Macro Assembler
  • Instruction generation with helpful macro assembler
  • Functions for abstracting e.g. immediate generation
• Disassembler
  • Disassembles everything supported by the assembler
• Simulator
  • High-speed AArch64 processor simulation on 64-bit platforms
  • Supports all instructions generated by the assembler
• Debugger
  • Supports stepping, register and memory examination, breakpoints
• Test suite
  • Functionality and disassembly tests for all supported instructions

VIXL Embedded in Virtual Machine
[Diagram labels: PC; Virtual Machine; JIT; Built for x86*; ARM64 Runtime Assembler; ARM64 ISA Simulator; Debug; Disassembler]

Where to Use VIXL
• JITs: JavaScript, Java, Python, other scripting languages
• Dynamic code generation of optimized routines
• Testing:
  • Random Instruction Stream (RIS) testing
  • Toolchain testing
• ISA experimentation: try out features of the new A64 ISA
• Benefits
  • A simple, fast, tested API
  • Integrated suite, ready to use on a new JIT project
  • Supported by ARM
  • Liberal 3 clause BSD license

Conclusion
• The Web has become an important Software Platform and ARM understands this
• The extensive R&D effort by ARM is delivering higher browser performance
• More contributions and collaboration from ARM partners please
• Try this at home - it’s all Open Source

Thank You
The trademarks featured in this presentation are registered and/or unregistered trademarks of ARM Limited (or its subsidiaries) in the EU and/or elsewhere. All rights reserved. Any other marks featured may be trademarks of their respective owners.