{"id":307016,"date":"2008-04-21T11:00:36","date_gmt":"2008-04-21T18:00:36","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/research\/?p=307016"},"modified":"2016-10-17T14:48:46","modified_gmt":"2016-10-17T21:48:46","slug":"mashup-developers-get-chance-romp-sandbox","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/research\/blog\/mashup-developers-get-chance-romp-sandbox\/","title":{"rendered":"Mashup Developers Get Chance to Romp in Sandbox"},"content":{"rendered":"<p><em>By Rob Knies, Managing Editor, Microsoft Research<\/em><\/p>\n<p>Mashups have become one of the hallmarks of the Web 2.0 era. The practice of combining two sets of related yet disparate data from unrelated sources in one user-friendly, information-intensive collection has become commonplace in the past few years. Every day, millions of Internet users turn to such compelling creations for insights heretofore inaccessible\u2014or decide to create one of their own.<\/p>\n<p>Such imaginative concoctions, however, strain the very concept of the Web browser, originally devised for users to visit one Web site at a time. In the new, mashup-friendly environment, current browsers are either insufficiently flexible or overly permissive. Either way, problems ensue.<\/p>\n<p><a href=\"https:\/\/www.microsoft.com\/en-us\/research\/people\/helenw\/\" target=\"_blank\">Helen Wang<\/a> and Xiaofeng Fan plan to change all that. 
Members of the Systems and Networking group within <a href=\"https:\/\/www.microsoft.com\/en-us\/research\/lab\/microsoft-research-redmond\/\" target=\"_blank\">Microsoft Research Redmond<\/a>, they are working on a project called MashupOS that aims, in ingenious, deceptively simple fashion, to solve the protection and communication issues that plague today\u2019s mashups.<\/p>\n<div id=\"attachment_307025\" style=\"width: 256px\" class=\"wp-caption alignleft\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-307025\" class=\"size-full wp-image-307025\" src=\"https:\/\/www.microsoft.com\/en-us\/research\/wp-content\/uploads\/2016\/10\/Web-mashups.jpg\" alt=\"secure Web mashups\" width=\"246\" height=\"184\" srcset=\"https:\/\/www.microsoft.com\/en-us\/research\/wp-content\/uploads\/2016\/10\/Web-mashups.jpg 246w, https:\/\/www.microsoft.com\/en-us\/research\/wp-content\/uploads\/2016\/10\/Web-mashups-80x60.jpg 80w\" sizes=\"auto, (max-width: 246px) 100vw, 246px\" \/><p id=\"caption-attachment-307025\" class=\"wp-caption-text\">Xiaofeng Fan (left) and Helen Wang have developed a new way to produce secure Web mashups.<\/p><\/div>\n<p>\u201cToday,\u201d says Wang, a senior researcher, \u201cthere are only two ways for content from different sites to interact. Either you include the content from somebody else and this content cannot interact with your content, or you include other people\u2019s content as a script, and that\u2019s as if you\u2019re taking other people\u2019s code as your own code. You give all your resources to that code, and it can access your cookies, it can access your remote data store.\u201d<\/p>\n<p>Today\u2019s increasingly rich mashups have begun to rival desktop PC applications in the features offered, but while PC applications run on sophisticated, multiprincipal operating systems, mashups run on browsers that have remained a single-principal operating system. 
That system is governed by the Same Origin Policy, an all-or-nothing trust model in which content from another domain is either fully isolated (a cross-domain frame, which cannot interact with the enclosing page at all) or fully trusted (an included script, which runs with every privilege of the enclosing page).<\/p>\n<p>\u201cWe have a mismatch between the richness in the Web applications and the lack of support in the browsers,\u201d Wang explains. \u201cWeb sites today either sacrifice security for functionality, or sacrifice functionality for security.\u201d<\/p>\n<p>The MashupOS project enables a browser to act as a multiprincipal operating system. In particular, it addresses the insufficiencies in the protection and communications aspects of such an operating system. Protection provides default isolation boundaries between pieces of Web content, and communications enable fine-grained, service-specific access control across the isolation boundaries.<\/p>\n<p>\u201cEssentially,\u201d Wang says, \u201cthere are two key missing pieces in today\u2019s Web browsers. One is allowing principals to communicate with one another, allowing different domains within the same page to have cross communication. It\u2019s just like the U.S. and Mexico. There is a boundary, but you can get a passport, you can go through a visa process to get across.\u201d<\/p>\n<p>The other is that today\u2019s Web has no support for third-party content. A key solution the researchers have devised is to implement a sandbox for third-party code, thereby enabling mashup programmers to keep that code away from private information within the host domain while the host page can interact with the third-party code the same as before. This asymmetric access pattern, in which the host can call into and inspect the third-party code but the third-party code cannot reach the host\u2019s resources, is novel and is exactly what today\u2019s Web 2.0 client mashups need.<\/p>\n<p>\u201cYou directly invoke other people\u2019s code, but you don\u2019t want the code to access your own resources,\u201d Wang says. 
\u201cWe explicitly call this third-party code \u2018unauthorized.\u2019 We allow Web services to label which content is third-party and make sure the browser will not let that third-party content access the host domain\u2019s resources.<\/p>\n<p>\u201cThis is our sandbox abstraction. We provide this protection abstraction for Web programmers to develop Web services in a more robust fashion, and with the sandbox abstraction, we can enable the same mashups while still retaining the ease of today\u2019s mashup practices.\u201d<\/p>\n<p>There are significant benefits to this approach. Third-party code can be used without sacrificing security, because third-party script can be invoked but cannot reach out to access resources designated as off-limits. The result: more robust mashups.<\/p>\n<p>Fan, a research software-design engineer who has implemented an Internet Explorer-based prototype for MashupOS, provides an effective analogy for how the project is designed to work.<\/p>\n<p>\u201cLet\u2019s suppose you are a homeowner and you recruit a catering service to your house to make dinners for your guests,\u201d he says. \u201cYou only want the cooks to work in the kitchen; you don\u2019t want them upstairs in the bedrooms. So what do you do? You have to stand there watching them. But what if the house could provide an automatic monitoring system? The house could watch the cooks, so they couldn\u2019t cross the line.<\/p>\n<p>\u201cThink of the browser as your house. Today\u2019s browser has a monitoring system, but once you let anybody come into your house, they have access to every room in the house. The sandbox tag we are proposing is like building walls in your kitchen: special, one-way-mirror walls. 
You, as the house owner, can look through the walls and see what the cooks are doing or put additional cooking tools the chefs might need into the kitchen, but the cooks cannot see through those one-way mirrors.\u201d<\/p>\n<p>And then there\u2019s the communications analogy.<\/p>\n<p>\u201cWhen the cooks have a dish ready,\u201d Fan continues, \u201cthey need to call you, because the food is ready to be served. So we create a kind of walkie-talkie, so the cooks inside the kitchen can send a message across the wall, and you, as the host, can receive it.\u201d<\/p>\n<p>If the concept\u2014and the analogy\u2014sound simple, well, Wang says, that\u2019s good.<\/p>\n<p>\u201cThat\u2019s evidence that we have the correct design,\u201d she states. \u201cIt\u2019s very challenging, how you balance security and functionality. When you design a set of abstractions, sometimes it\u2019s almost like an art. You want to offer enough abstractions while not making it complicated. There are many alternative design spaces, but providing the minimum, that\u2019s the solution.<\/p>\n<p>\u201cIn this area, system-security research, hindsight is 20\/20. We are happy to be the first group to discover the fundamental problem in the browser. In fact, we would anticipate browsers will have these kinds of communication primitives coming pretty soon. But the sandbox is still something that\u2019s very much needed, and we are advocating for all browsers to embrace it.\u201d<\/p>\n<p>There are additional benefits to lure them into doing so, such as battling Web spam and blocking cross-site scripting attacks.<\/p>\n<p>\u201cIf I have a home page and I want people who search to find my home page first,\u201d Wang says, \u201chow do I manipulate search engines to do that? I go to social-networking sites and create many, many profiles that include hyperlinks pointing to my home page. I go to blog-hosting sites to create many blogs and have them point to me. This is how people do Web spam. 
It\u2019s very common, and search engines really want to fight against this.<\/p>\n<p>\u201cIt would be really desirable for social-networking sites or blog-hosting sites to indicate what is third-party content. The sandbox is a perfect way of doing that.\u201d<\/p>\n<p>The sandbox tag also would frustrate those nefarious sorts who would like to inject malicious code into Web pages that accept user input.<\/p>\n<p>\u201cWhat is a cross-site scripting attack?\u201d Wang asks rhetorically. \u201cIt\u2019s when a piece of user input is generated within a page without being properly contained: The user inputs something, and the Web site generates a page including the user input. Unfortunately, that user input can contain malicious code that runs with the privilege of the page and can access other display elements, cookies, and the like.<\/p>\n<p>\u201cBy putting the user input into the sandbox, it can be as rich as possible. It can run scripts, but when it runs, it will not be able to access the enclosing page\u2019s resources.\u201d<\/p>\n<p>Wang started thinking about the MashupOS approach in the summer of 2006, brainstorming about the implications of the burgeoning concept of software as a service.<\/p>\n<p>\u201cThe browser is the platform, right?\u201d she says. \u201cThis is what triggered me to think, \u2018If this is a platform, what kind of platform do we have?\u2019 We have code from different principals, from different sites running that makes the browser look like an operating system. 
We need a browser that\u2019s much more sophisticated.\u201d<\/p>\n<p>The results of that musing appeared in a paper entitled <a href=\"https:\/\/www.microsoft.com\/en-us\/research\/wp-content\/uploads\/2009\/06\/sosp07MashupOS.pdf\" target=\"_blank\"><em>Protection and Communication Abstractions for Web Browsers in MashupOS<\/em><\/a>, written by Wang, Fan, Microsoft Research colleague Jon Howell, and Stanford University\u2019s <a class=\"msr-external-link glyph-append glyph-append-open-in-new-tab glyph-append-xsmall\" rel=\"noopener noreferrer\" href=\"http:\/\/www.collinjackson.com\/\" target=\"_blank\">Collin Jackson<\/a>, that was presented in October 2007 during the Association for Computing Machinery\u2019s 21st <a class=\"msr-external-link glyph-append glyph-append-open-in-new-tab glyph-append-xsmall\" rel=\"noopener noreferrer\" href=\"http:\/\/www.sosp2007.org\/\" target=\"_blank\">Symposium on Operating Systems Principles<\/a>.<\/p>\n<p>The goal, as envisioned, was to devise a solution that was easy to adopt and had no unintended consequences.<\/p>\n<p>\u201cAnother very, very important thing,\u201d Wang says, \u201cof the right design is backward compatibility. We want to be compatible with today\u2019s Web, and we want new content and existing abstractions to play well with each other.<\/p>\n<p>\u201cThese are some of the intricacies in the design, to make it backward-compatible and with no unintended behaviors with the existing design.\u201d<\/p>\n<p>Fan, meanwhile, got to work on a prototype.<\/p>\n<p>\u201cOur prototype is based on IE, and we put ourselves between IE\u2019s rendering engine and its scripting engine,\u201d Fan says. \u201cWe\u2019re sitting in the middle, and we intercept all calls in both directions.\u201d<\/p>\n<p>Having figured out an elegant solution to a challenging problem, Wang and Fan now are working on refinements. 
Resource management is one area of interest. Handling browser extensions is another, as is robust implementation of the MashupOS security model.<\/p>\n<p>But even as the project is being polished, Wang and Fan believe they have already given the Web mashups to come the potential to be more robust and more secure.<\/p>\n<p>\u201cWe have connected the browser, the Web world, with the operating-system world,\u201d Fan says. \u201cAnd now, we have a very powerful platform. We have the power of standing between the rendering engine and the scripting engine, and I think that\u2019s a very cool developer platform.\u201d<\/p>\n<p>Not only cool, Wang adds, but game-changing.<\/p>\n<p>\u201cI think we can change the world of Web 2.0,\u201d she smiles, \u201cand as big as the Web is, I think that\u2019s really significant.\u201d<\/p>\n","protected":false},"excerpt":{"rendered":"<p>By Rob Knies, Managing Editor, Microsoft Research Mashups have become one of the hallmarks of the Web 2.0 era. The practice of combining two sets of related yet disparate data from unrelated sources in one user-friendly, information-intensive collection has become commonplace in the past few years. 
Every day, millions of Internet users turn to such [&hellip;]<\/p>\n","protected":false},"author":39507,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"msr-url-field":"","msr-podcast-episode":"","msrModifiedDate":"","msrModifiedDateEnabled":false,"ep_exclude_from_search":false,"_classifai_error":"","msr-author-ordering":[],"msr_hide_image_in_river":0,"footnotes":""},"categories":[194488,194489],"tags":[215072,215063,215069,186414,215051,215066],"research-area":[13560,13558],"msr-region":[],"msr-event-type":[],"msr-locale":[268875],"msr-post-option":[],"msr-impact-theme":[],"msr-promo-type":[],"msr-podcast-series":[],"class_list":["post-307016","post","type-post","status-publish","format-standard","hentry","category-program-languages-and-software-engineering","category-security","tag-functionality","tag-mashups","tag-same-origin-policy","tag-security","tag-web-applications","tag-web-browser","msr-research-area-programming-languages-software-engineering","msr-research-area-security-privacy-cryptography","msr-locale-en_us"],"msr_event_details":{"start":"","end":"","location":""},"podcast_url":"","podcast_episode":"","msr_research_lab":[199565],"msr_impact_theme":[],"related-publications":[],"related-downloads":[],"related-videos":[],"related-academic-programs":[],"related-groups":[],"related-projects":[],"related-events":[],"related-researchers":[],"msr_type":"Post","byline":"","formattedDate":"April 21, 2008","formattedExcerpt":"By Rob Knies, Managing Editor, Microsoft Research Mashups have become one of the hallmarks of the Web 2.0 era. 
The practice of combining two sets of related yet disparate data from unrelated sources in one user-friendly, information-intensive collection has become commonplace in the past few&hellip;","locale":{"slug":"en_us","name":"English","native":"","english":"English"},"_links":{"self":[{"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/posts\/307016","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/users\/39507"}],"replies":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/comments?post=307016"}],"version-history":[{"count":2,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/posts\/307016\/revisions"}],"predecessor-version":[{"id":307049,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/posts\/307016\/revisions\/307049"}],"wp:attachment":[{"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/media?parent=307016"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/categories?post=307016"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/tags?post=307016"},{"taxonomy":"msr-research-area","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/research-area?post=307016"},{"taxonomy":"msr-region","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-region?post=307016"},{"taxonomy":"msr-event-type","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-event-type?post=307016"},{"taxonomy":"msr-locale","embeddable":true,"href":"https:\/\/www.
microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-locale?post=307016"},{"taxonomy":"msr-post-option","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-post-option?post=307016"},{"taxonomy":"msr-impact-theme","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-impact-theme?post=307016"},{"taxonomy":"msr-promo-type","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-promo-type?post=307016"},{"taxonomy":"msr-podcast-series","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/research\/wp-json\/wp\/v2\/msr-podcast-series?post=307016"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}