By Rob Knies, Managing Editor, Microsoft Research
Mashups have become one of the hallmarks of the Web 2.0 era. The practice of combining two sets of related yet disparate data from unrelated sources in one user-friendly, information-intensive collection has become commonplace in the past few years. Every day, millions of Internet users turn to such compelling creations for insights heretofore inaccessible—or decide to create one of their own.
Such imaginative concoctions, however, strain the very concept of the Web browser, originally devised for users to visit one Web site at a time. In the new, mashup-friendly environment, current browsers are either insufficiently flexible or overly permissive. Either way, problems ensue.
Helen Wang and Xiaofeng Fan plan to change all that. Members of the Systems and Networking group within Microsoft Research Redmond, they are working on a project called MashupOS that aims, in ingenious, deceptively simple fashion, to solve the protection and communication issues that plague today’s mashups.
“Today,” says Wang, a senior researcher, “there are only two ways for content from different sites to interact. Either you include the content from somebody else and this content cannot interact with your content, or you include other people’s content as a script, and that’s as if you’re taking other people’s code as your own code. You give all your resources to that code, and it can access your cookies, it can access your remote data store.”
Today’s increasingly rich mashups have begun to rival desktop PC applications in the features offered, but while PC applications run on sophisticated, multiprincipal operating systems, mashups run on browsers that have remained a single-principal operating system. That system is governed by the Same Origin Policy, an all-or-nothing trust model in which cross-domain interactions are not allowed and external scripts run with all the privileges of the enclosing page.
“We have a mismatch between the richness in the Web applications and the lack of support in the browsers,” Wang explains. “Web sites today either sacrifice security for functionality, or sacrifice functionality for security.”
The MashupOS project enables a browser to act as a multiprincipal operating system. In particular, it addresses the insufficiencies in the protection and communications aspects of such an operating system. Protection provides default isolation boundaries between pieces of Web content, and communications enable fine-grained, service-specific access control across the isolation boundaries.
“Essentially,” Wang says, “there are two key missing pieces in today’s Web browsers. One is allowing principals to communicate with one another, allowing different domains within the same page to have cross communication. It’s just like the U.S. and Mexico. There is a boundary, but you can get a passport, you can go through a visa process to get across.”
Another is that there’s no support in today’s Web for supporting third-party content. A key solution the researchers have devised is to implement a sandbox for third-party code, thereby enabling mashup programmers to keep that code away from private information within the host domain while the host page can interact with the third-party code the same as before. This asymmetric access pattern is novel and needed by today’s Web 2.0 client mashups.
“You directly invoke other people’s code, but you don’t want the code to access your own resources,” Wang says. “We explicitly call this third-party code ‘unauthorized.’ We allow Web services to label which content is third-party and make sure the browser will not let that third-party content access the host domain’s resources.
“This is our sandbox abstraction. We provide this protection abstraction for Web programmers to develop Web services in a more robust fashion, and with the sandbox abstraction, we can enable the same mashups while still retaining the ease of today’s mashup practices.”
There are significant benefits to this approach. Third-party code can be used without sacrificing security, because third-party script can be invoked but cannot reach out to access resources designated as off-limits. The result: more robust mashups.
Fan, a research software-design engineer who has implemented an Internet Explorer-based prototype for MashupOS, provides an effective analogy for how the project is designed to work.
“Let’s suppose you are a homeowner and you recruit a catering service to your house to make dinners for your guests,” he says. “You only want the cooks to work in the kitchen; you don’t want them upstairs in the bedrooms. So what do you do? You have to stand there watching them. But what if the house could provide an automatic monitoring system? The house could watch the cooks, so they couldn’t cross the line.
“Think of the browser as your house. Today’s browser has a monitoring system, but once you let anybody come into your house, they have access to every room in the house. The sandbox tag we are proposing is like building walls in your kitchen: special, one-way-mirror walls. You, as the house owner, can look through the walls and see what the cooks are doing or put additional cooking tools the chefs might need into the kitchen, but the cooks cannot see through those one-way mirrors.”
And then there’s the communications analogy.
“When the cooks have a dish ready,” Fan continues, “they need to call you, because the food is ready to be served. So we create a kind of walkie-talkie, so the cooks inside the kitchen can send a message across the wall, and you, as the host, can receive it.”
If the concept—and the analogy—sound simple, well, Wang says, that’s good.
“That’s evidence that we have the correct design,” she states. “It’s very challenging, how you balance security and functionality. When you design a set of abstractions, sometimes it’s almost like an art. You want to offer enough abstractions while not making it complicated. There are many alternative design spaces, but providing the minimum, that’s the solution.
“In this area, system-security research, hindsight is 20/20. We are happy to be the first group to discover the fundamental problem in the browser. In fact, we would anticipate browsers will have these kinds of communication primitives coming pretty soon. But the sandbox is still something that’s very much needed, and we are advocating for all browsers to embrace it.”
There are additional benefits to lure them into doing so, such as battling Web spam and blocking cross-site scripting attacks.
“If I have a home page and I want people who search to find my home page first,” Wang says, “how do I manipulate search engines to do that? I go to social-networking sites and create many, many profiles that include hyperlinks pointing to my home page. I go to blog-hosting sites to create many blogs and have them point to me. This is how people do Web spam. It’s very common, and search engines really want to fight against this.
“It would be really desirable for social-networking sites or blog-hosting sites to indicate what is third-party content. The sandbox is a perfect way of doing that.”
The sandbox tag also would frustrate those nefarious sorts who would like to inject malicious code into Web pages that accept user input.
“What is a cross-site scripting attack?” Wang asks rhetorically. “It’s when a piece of user input is generated within a page without being properly contained: The user inputs something, and the Web site generates a page including the user input. Unfortunately, that user input can contain malicious code that runs with the privilege of the page and can access other display elements, cookies, and the like.
“By putting the user input into the sandbox, it can be as rich as possible. It can run scripts, but when it runs, it will not be able to access the enclosing page’s resources.”
Wang started thinking about the MashupOS approach in the summer of 2006, brainstorming about the implications of the burgeoning concept of software as a service.
“The browser is the platform, right?” she says. “This is what triggered me to think, ‘If this is a platform, what kind of platform do we have?’ We have code from different principals, from different sites running that makes the browser look like an operating system. We need a browser that’s much more sophisticated.”
The results of that musing appeared in a paper entitled Protection and Communication Abstractions for Web Browsers in MashupOS, written by Wang, Fan, Microsoft Research colleague Jon Howell, and Stanford University’s Collin Jackson, that was presented in October 2007 during the Association for Computing Machinery’s 21st Symposium on Operating Systems Principles.
The goal, as envisioned, was to devise a solution that was easy to adopt and had no unintended consequences.
“Another very, very important thing,” Wang says, “of the right design is backward compatibility. We want to be compatible with today’s Web, and we want new content and existing abstractions to play well with each other.
“These are some of the intricacies in the design, to make it backward-compatible and with no unintended behaviors with the existing design.”
Fan, meanwhile, got to work on a prototype.
“Our prototype is based on IE, and we put ourselves between IE’s rendering engine and its scripting engine,” Fan says. “We’re sitting in the middle, and we intercept all calls in both directions.”
Having figured out an elegant solution to a challenging problem, Wang and Fan now are working or refinements. Resource management is one area of interest. Handling browser extensions is another, as is robust implementation of the MashupOS security model.
But as the project is being polished, Wang and Fan believe they already have given Web mashups to come the potential to be more robust and more secure.
“We have connected the browser, the Web world, with the operating-system world,” Fan says. “And now, we have a very powerful platform. We have the power of standing between the rendering engine and the scripting engine, and I think that’s a very cool developer platform.”
Not only cool, Wang adds, but game-changing.
“I think we can change the world of Web 2.0,” she smiles, “and as big as the Web is, I think that’s really significant.”