Many services traditionally performed by stand-alone programs running on desktop computers are being migrated to "Web 2.0" applications, remote services that reside "in the cloud" and are accessed through a browser. This migration process offers a unique opportunity to re-engineer the way that software is constructed, adding some extra capabilities that reduce the vulnerability of the global information infrastructure to problems such as viruses, cyber-attacks, loss of privacy, and integrity violations.

With this goal in mind, this project designs and implements a next-generation infrastructure for trustworthy web applications. It evolves the existing Web 2.0 technologies into a more trustworthy "Web 2.Sec" version by introducing information-labeling and strong information-flow controls pervasively at the service provider, at the user's end, and on all paths in between.

A key feature of the new Web 2.Sec architecture is that all application programs are executed on top of a virtual machine (VM) rather than directly on physical hardware. Hence the VM retains full control over the data at all times, allowing it to enforce information-flow policies that guarantee confidentiality and integrity. Even a malicious or faulty program running on top of the Web 2.Sec VM cannot cause any action that would violate these policies.

A strong educational component involving both graduate and undergraduate students rounds off the project.

Project Report

There are few remaining differences between traditional application programs that need to be installed on a computer's hard drive before they can be used, and "Web Applications" that are accessed inside of a browser window and work across the Internet. For example, the capabilities of web-based email programs such as Gmail are now practically on par with those of off-line email programs such as Outlook. The key to the expanded functionality inside of web browsers that enables them to emulate the functionality of traditional programs is a programming language called JavaScript. Behind every Web Application such as Gmail is a JavaScript program that is sent from the server to the browser and then executed inside of the browser, giving the browser the desired functionality. Unfortunately, with added functionality also come new ways of causing harm, and it did not take long for cyber criminals to find ways of misusing JavaScript for their own purposes. For example, they have figured out how to "inject" their own JavaScript into legitimate Web Applications, changing the behavior of those Web Applications - in the worst case disclosing secrets such as Social Security Numbers, or performing undesired actions such as unauthorized electronic banking transactions. We have been researching techniques that stop some of these attacks altogether and make others more difficult. Our approach is based on tracking where each piece of JavaScript comes from, and making sure that the JavaScript from one origin does not unduly influence the JavaScript from another origin. Unfortunately, this is not as simple as it sounds at first: on one hand, some of these interactions are desired and perfectly legitimate, and on the other hand, tracking can result in unacceptable slowdowns.
Our research has resulted in new scientific insights on the topic of tracking the flow of information in JavaScript programs, and it has also resulted in a practical technique that has been transitioned into widespread practice. As a result of our collaborative research with Mozilla, the Firefox browser now keeps track of the web-site origin of each JavaScript object, keeps objects from different origins separate from each other, and explicitly manages references between JavaScript objects that have different origins. Remarkably, we were able to institute this change without any slowdown at all.
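The following is an added illustration, not code from the project or from Firefox, of the idea described above: every object carries the origin it was created under, and a reference handed to code from a different origin is mediated so that only explicitly sanctioned properties can be reached. The names `Compartment`, `crossOriginRef` and the allow-list are assumptions made for this toy model.

```javascript
// Added example: a toy model of origin-labelled objects with mediated
// cross-origin references (a simplified "membrane"). Compartment,
// crossOriginRef and the allow-list are illustrative assumptions only.
// Properties a foreign origin may still reach, in the spirit of
// window.postMessage being callable across origins while the rest is not.
const CROSS_ORIGIN_ALLOWED = new Set(["postMessage"]);
class Compartment {
  constructor(origin) {
    this.origin = origin; // every object created here carries this label
    this.log = [];        // audit trail of cross-origin access attempts
  }
  create(props) {
    return Object.assign({ __origin: this.origin }, props);
  }
}
// Hand an object to code running in `accessor`. Same-origin references are
// returned as-is; cross-origin ones get a Proxy that enforces the allow-list
// and records every attempt, so a leak attempt is both blocked and visible.
function crossOriginRef(obj, accessor) {
  if (obj.__origin === accessor.origin) return obj;
  const audit = (prop, ok) =>
    accessor.log.push({ from: accessor.origin, to: obj.__origin, prop: String(prop), ok });
  const deny = (verb, prop) =>
    new Error(`SecurityError: ${accessor.origin} may not ${verb} ${String(prop)} of ${obj.__origin}`);
  return new Proxy(obj, {
    get(target, prop) {
      const ok = CROSS_ORIGIN_ALLOWED.has(prop);
      audit(prop, ok);
      if (!ok) throw deny("read", prop);
      const v = target[prop];
      return typeof v === "function" ? v.bind(target) : v;
    },
    set(target, prop) { audit(prop, false); throw deny("write", prop); },
  });
}
// Scenario from the report: a bank page holds a secret, and a script injected
// from another origin obtains a reference to the page's object (constructed data).
function scenario() {
  const bank = new Compartment("https://bank.example");
  const injected = new Compartment("https://other.example");
  const mailbox = [];
  const page = bank.create({ secret: "SSN-000-00-0000", postMessage: (m) => mailbox.push(m) });
  const ref = crossOriginRef(page, injected);
  let leaked = null, denied = 0;
  try { leaked = ref.secret; } catch (e) { denied++; }
  try { ref.secret = "changed"; } catch (e) { denied++; }
  ref.postMessage("hello");      // the one sanctioned channel still works
  return { leaked, denied, mailbox, log: injected.log, intact: page.secret === "SSN-000-00-0000" };
}
```

The audit log is the defender's view: both blocked attempts and the permitted `postMessage` call are recorded with the originating and target origins.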

Agency: National Science Foundation (NSF)
Institute: Division of Computer and Network Systems (CNS)
Type: Standard Grant (Standard)
Application #: 0905684
Program Officer: Jeremy Epstein
Project Start:
Project End:
Budget Start: 2009-09-01
Budget End: 2012-08-31
Support Year:
Fiscal Year: 2009
Total Cost: $324,000
Indirect Cost:
Name: University of California Irvine
Department:
Type:
DUNS #:
City: Irvine
State: CA
Country: United States
Zip Code: 92697