Jon Howell, Bryan Parno, and John R. Douceur, Microsoft Research Awarded Best Paper!
Abstract:
Web browsers ostensibly provide strong isolation for the client-side components of web applications. Unfortunately, this isolation is weak in practice; as browsers add increasingly rich APIs to please developers, these complex interfaces bloat the trusted computing base and erode cross-app isolation boundaries.
We reenvision the web interface based on the notion of a pico-datacenter, the client-side version of a shared server datacenter. Mutually untrusting vendors run their code on the user’s computer in low-level native code containers that communicate with the outside world only via IP. Just as in the cloud datacenter, the simple semantics makes isolation tractable, yet native code gives vendors the freedom to run any software stack. Since the datacenter model is designed to be robust to malicious tenants, it is never dangerous for the user to click a link and invite a possibly-hostile party onto the client.
USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.
BibTeX
@inproceedings {180334,
author = {Jon Howell and Bryan Parno and John R. Douceur},
title = {Embassies: Radically Refactoring the Web},
booktitle = {10th USENIX Symposium on Networked Systems Design and Implementation (NSDI 13)},
year = {2013},
isbn = {978-1-931971-00-3},
address = {Lombard, IL},
pages = {529--545},
url = {https://www.usenix.org/conference/nsdi13/technical-sessions/presentation/howell},
publisher = {USENIX Association},
month = apr
}
The web is a platform everyone loves to hate. Over time, a layout engine for simple text markup has evolved into one of the most complex application platforms in existence. Modern browsers provide developers with IPC, process isolation, a component architecture, JIT compilation, filesystem, database, device, and networking APIs, and so on. The resulting complexity is barely manageable. Developers struggle to understand how to use isolation policies to secure their applications, and implementation bugs are common.
This paper argues for a radical refactoring of the web interface to fix these problems. The result, called Embassies, is an execution environment that separates isolation primitives from high-level APIs. Drawing inspiration from multi-tenancy in datacenters, each Embassies application is an opaque binary. The responsibilities of the runtime environment are minimal: IP-based communication, cryptographic verification of applications, and multiplexing the display. In the Embassies environment, the rich features of the web become just one of many libraries from which developers choose.
The goal of a small trusted interface and API flexibility is a familiar one, but where this paper shines is in its treatment of the subtle details and implications of making this work for the web. The authors have ported large portions of the web stack to Embassies as well as more traditional desktop environments, demonstrating the generality of the underlying APIs. Aggressive caching and transfer optimizations provide performance comparable to modern browsers.
At its core, this paper is premised on a deep and interesting opinion: the web should transfer control from browser vendors to application developers. This generated lengthy reviews discussing the essential properties of the web interface. Does the success of the web depend on incrementalism? browser control? high-level APIs? extensions? The authors tackle these questions head on in the paper, and it is telling that the most positive reviewers were often those who disagreed most strongly with the subjective positions of the authors. Contrary to its namesake, Embassies seems destined for plentiful, delightful controversy.
connect with us