Copyright © cs-tutorial.com
Overview: Introduction, Architecture, Implementation, Evaluation
Introduction
- Nascent Web: a hypertext document system that fetched and presented simple static content
- Modern Web: provides access to an enormous number of services and resources; downloads and executes programs; a de facto operating system for executing the client-side components of Web applications
Introduction
- Current browsers are vulnerable
- Drive-by downloads can cause spyware infections
- Trusted plug-ins may have security holes
- Browsers fail to provide isolation
Introduction
- A new browsing system architecture: Tahoma
- Three key principles: Web applications should not be trusted; Web browsers should not be trusted; users should be able to identify and manage downloaded Web applications
- Web applications are isolated in their own private virtual machine
- A prototype of the Tahoma browsing system using Linux and the Xen virtual machine monitor is implemented
Architecture: Tahoma's six key features
- Defines a new trusted system layer, the browser operating system (BOS)
- Provides explicit support for Web applications (Web application, browser instance, Web service)
- Enforces isolation between Web applications
- Enforces policies defined by the Web service manifest
- Supports an enhanced window interface
- Provides resource support
Architecture (diagram slide)
Architecture: Web Applications
- The execution environment as viewed by a browser instance (diagram slide)
Architecture: Web Applications (continued)
- Users accessing a Web application for the first time must approve its installation
- Advantages of the VM environment: the Web application is safe from interference by other applications; local effects can be easily removed; increases flexibility for the programming of Web applications
Architecture: Web applications (continued)
- Manifest
  - Used by the Web service to specify the characteristics of its application
  - Can be retrieved by the BOS when it first accesses the service
  - Presents a digital signature
  - Specifies the code that will run in the browser instance
  - Specifies Internet access policies: the Web sites or URLs the application is allowed to access; protects the Web application from compromised browsers
Architecture: The Browser Operating System (BOS)
- Trusted computing base for the Tahoma browsing system
- Instantiates and manages the collection of browser instances
- Multiplexes the virtual screens
- Stores long-term state associated with browser instances
- Enforces the network policies
Architecture (diagram slide)
Architecture: The Browser Operating System (continued)
- Provides users with control panel and bookmark management tools
- Mediates all network interactions between a browser instance and remote Web sites
- Different implementation choices: running in its own virtual machine, with browser instances running in separate virtual machines; or implemented as a virtual machine monitor running directly on the physical hardware, with browser instances running in VMs above it
Implementation
Implementation: Three main BOS processes
- BOS kernel: manages browser instances and the durable storage of the system
- Network proxy: a reverse firewall
- Windows Manager: aggregates browser instance windows onto the physical screen
Implementation: Communication between the BOS and browser instances
- Interface: libraries linked into the browser: BOS system functions (libBOS) and graphics functions (libQT)
- Uses browser-calls and upcalls
- Implemented as XML-formatted remote procedure calls
- Carried over a TCP connection on a point-to-point virtual network
Implementation: Inter-browser communication paths
- fork browser-calls: include the target URL
- BinStore and BinFetch browser-calls: the BOS implements a private holding bin for each browser instance; transfer between the holding bin and the host OS must be initiated by a user through a trusted Tahoma tool
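The two slides above describe browser-calls as XML-formatted RPCs and name three of them (fork with a target URL, BinStore and BinFetch against a per-instance holding bin). The following is an added example, not code from the slides or from the Tahoma prototype, of how a BOS kernel can dispatch such calls while keeping holding bins private. It assumes XML-RPC framing via Python's stdlib xmlrpc.client (the slides only say "XML-formatted"), a constructed BrowserOS class, and an assumed rule that the calling instance's identity comes from the connection the BOS owns, never from the message body.

```python
import xmlrpc.client
from urllib.parse import urlsplit


class BrowserOS:
    """Constructed BOS kernel skeleton (assumption, not the Tahoma code).
    Browser-calls arrive as XML-RPC method calls on a per-instance connection;
    the BOS binds each call to the calling instance and keeps one private
    holding bin per instance."""

    def __init__(self):
        self.instances = {}   # instance id -> (scheme, host) the instance was forked for
        self.bins = {}        # instance id -> private holding bin {name: bytes}
        self._next_id = 1

    def create_instance(self, origin):
        iid = self._next_id
        self._next_id += 1
        self.instances[iid] = origin
        self.bins[iid] = {}
        return iid

    # Browser-call handlers. 'caller' is the instance id the BOS associates with
    # the connection; it is never read from the message, so one instance cannot
    # claim another instance's identity.
    def _fork(self, caller, target_url):
        parts = urlsplit(target_url)
        return self.create_instance((parts.scheme, (parts.hostname or "").lower()))

    def _bin_store(self, caller, name, data):
        self.bins[caller][name] = bytes(data)
        return True

    def _bin_fetch(self, caller, name):
        # Only the caller's own bin is consulted; other bins are unreachable.
        return self.bins[caller].get(name, b"")

    def browser_call(self, caller, request_xml):
        """Decode one XML-RPC request from instance 'caller', run it, and return
        the XML-RPC response that would travel back over the virtual network."""
        if caller not in self.instances:
            fault = xmlrpc.client.Fault(403, "unknown browser instance")
            return xmlrpc.client.dumps(fault, methodresponse=True)
        params, method = xmlrpc.client.loads(request_xml, use_builtin_types=True)
        handlers = {"fork": self._fork, "BinStore": self._bin_store, "BinFetch": self._bin_fetch}
        if method not in handlers:
            fault = xmlrpc.client.Fault(404, "unknown browser-call: %s" % method)
            return xmlrpc.client.dumps(fault, methodresponse=True)
        result = handlers[method](caller, *params)
        return xmlrpc.client.dumps((result,), methodresponse=True)

    def user_export(self, instance, name):
        """Trusted-tool path: moving data from a holding bin to the host OS is a
        user action performed on the BOS side, not a browser-call."""
        return self.bins[instance].get(name)


def make_call(method, *params):
    """Encode a browser-call as the XML document a browser instance would send."""
    return xmlrpc.client.dumps(params, methodname=method)


def read_reply(response_xml):
    """Decode a normal reply; raises xmlrpc.client.Fault for error replies."""
    (value,), _ = xmlrpc.client.loads(response_xml, use_builtin_types=True)
    return value


def fault_code(response_xml):
    """Return the fault code of an error reply, or None for a normal reply."""
    try:
        xmlrpc.client.loads(response_xml)
        return None
    except xmlrpc.client.Fault as err:
        return err.faultCode


if __name__ == "__main__":
    bos = BrowserOS()
    boot = bos.create_instance(("https", "portal.example.com"))   # constructed first instance
    child = read_reply(bos.browser_call(boot, make_call("fork", "https://mail.example.com/")))
    bos.browser_call(child, make_call("BinStore", "draft.txt", b"hello"))
    print(read_reply(bos.browser_call(child, make_call("BinFetch", "draft.txt"))))  # b'hello'
    print(read_reply(bos.browser_call(boot, make_call("BinFetch", "draft.txt"))))   # b''
```

The design point is the one the slide makes: the holding bin is addressed by the caller's identity, which the BOS itself assigns to the connection, so a compromised instance has no call through which it can name another instance's bin, and the only exit to the host OS is a BOS-side function that a browser-call cannot invoke.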
Implementation: Xen and the browser instance
- Each Xen VM executing a browser instance has:
  - A read-only root disk containing the base file system for the browser instance
  - A writable data disk providing storage for any data the browser instance needs to store durably
- Persistent changes made by the application are applied to the virtual data disk on the guest OS
Implementation: Manifest
- Includes: a network policy; a browser policy; a digital signature; a human-readable Web application name; a machine-readable manifest name; a globally unique identifier for the application
Implementation: Manifest (continued)
- Location: an HTTP header extension in a web object indicates the manifest name and where it can be downloaded; per-server manifest files; a local database of manually supplied manifest files
- Authentication: Web servers sign manifests using their private key; Tahoma uses public-key certificates to authenticate Web applications to clients; relies on traditional PKI certification authorities
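The two manifest slides above list the manifest's contents, how it is located, and how it is authenticated, and the architecture slides say the network proxy enforces the manifest's Internet access policy as a reverse firewall. The following is an added example, not code from the slides or from the Tahoma prototype, that walks through that pipeline on a constructed manifest: locating the manifest from a response header, checking its signature, and then answering allow/deny for outbound URLs. Everything specific is an assumption: the JSON field names, the X-Tahoma-Manifest header name and its "name; url" layout, the placeholder GUID, and the signature itself, which the slides say is a public-key signature verified through PKI certificates but is modelled here with HMAC-SHA256 so the example runs with the standard library alone.

```python
import hashlib
import hmac
import json
from urllib.parse import urlsplit

# Constructed manifest. Its fields follow the six items the slides list for a
# Tahoma manifest (network policy, browser policy, signature, human-readable name,
# machine-readable manifest name, GUID); the key names and values are assumptions.
CONSTRUCTED_MANIFEST = {
    "app_name": "Example Webmail",                 # human-readable name
    "manifest_name": "example-webmail.manifest",   # machine-readable manifest name
    "app_id": "urn:uuid:00000000-0000-4000-8000-000000000001",  # placeholder GUID
    "network_policy": {                            # sites the instance may contact
        "allow": ["https://mail.example.com", "https://static.example.com:8443"]
    },
    "browser_policy": {                            # code that runs in the instance
        "code": "https://mail.example.com/client.tar.gz"
    },
}

# Stand-in for the Web service's signing key. Tahoma signs manifests with the
# service's private key and verifies through PKI certificates; to stay stdlib-only,
# this example models the signature as HMAC-SHA256 over the canonical manifest bytes.
CONSTRUCTED_SERVICE_KEY = b"constructed-example-signing-key"


def canonical_bytes(manifest):
    """Serialize every field except the signature in a fixed order so that signer
    and verifier hash exactly the same bytes."""
    body = {k: v for k, v in manifest.items() if k != "signature"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest, key):
    signed = dict(manifest)
    signed["signature"] = hmac.new(key, canonical_bytes(manifest), hashlib.sha256).hexdigest()
    return signed


def verify_manifest(signed, key):
    expected = hmac.new(key, canonical_bytes(signed), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed.get("signature", ""))


def manifest_location(headers):
    """Read the manifest name and download URL from a web object's response headers.
    The header name X-Tahoma-Manifest and the 'name; url' layout are assumptions;
    the slides only say an HTTP header extension carries this information."""
    value = headers.get("X-Tahoma-Manifest")
    if value is None:
        return None
    name, _, url = value.partition(";")
    return name.strip(), url.strip()


def _origin(url):
    """(scheme, host, port) of a URL, with the scheme's default port filled in."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.scheme, (parts.hostname or "").lower(), port


class ReverseFirewall:
    """Network proxy for one browser instance: default deny, and only the origins
    listed in an authenticated manifest may be contacted."""

    def __init__(self, signed_manifest, key):
        self.valid = verify_manifest(signed_manifest, key)
        allow = signed_manifest.get("network_policy", {}).get("allow", []) if self.valid else []
        self.allowed = {_origin(u) for u in allow}

    def permits(self, url):
        if not self.valid:
            return False          # unauthenticated manifest: no network access at all
        return _origin(url) in self.allowed


if __name__ == "__main__":
    signed = sign_manifest(CONSTRUCTED_MANIFEST, CONSTRUCTED_SERVICE_KEY)
    proxy = ReverseFirewall(signed, CONSTRUCTED_SERVICE_KEY)
    for url in ("https://mail.example.com/inbox", "https://evil.example.net/"):
        print(url, "->", "allow" if proxy.permits(url) else "deny")
```

Two choices matter for the "protect the Web application from compromised browsers" goal on the earlier slide: the policy compares full origins (scheme, host and port), so a different port or a downgrade to http on an allowed host is still denied, and a manifest whose signature does not verify yields an empty allow list rather than falling back to open access.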
Implementation: The Windows Manager
- Implements the user interface
- Runs in domain 0
- Provides a virtual screen abstraction to each browser instance
- Within the virtual screen, the browser can create and position one or more rectangular sprites
- Each sprite consists of a grid of tiles; each tile is backed by a 4 KB page in virtual memory
- Can be implemented in several different ways
Implementation (diagram slide)
Implementation: Browser
- Needs to be modified to run on Tahoma:
  - Linking to libQT to access the Tahoma graphics subsystem
  - Using a browser-call to access remote services, rather than accessing the network directly through a virtual device
  - Using browser-calls for new functions, such as forking a new browser instance and interacting with the holding bin
Evaluation (figure slides; no transcribed text)
Conclusions
- Each Web application is isolated within its own virtual machine sandbox, removing the need to trust Web browsers and Web services
- A new trusted software layer (BOS) is introduced to manage Web applications and their virtual machine sandboxes
- Network policies and browser policies are enforced
Thank You