Skip to main content
SpringerLink
Log in

WebC: toward a portable framework for deploying legacy code in web browsers

  • Research Paper
  • Published:
Science China Information Sciences Aims and scope Submit manuscript

Abstract

For security, most web applications are developed in some type-safe language, such as JavaScriptor Java. However, there is a huge amount of legacy codes developed in unsafe languages, which provide richfunctionality and are more efficient than their type-safe counterparts. To allow browsers to incorporate type-safecomponents in a secure way, previous approaches use the software-based fault isolation (SFI) to isolate untrustedlegacy code. The SFI approach performs machine-code transformation for security, but the downside is the lossof architecture independence. We propose WebC, a system that allows legacy code transmitted over the web viathe Low Level Virtual Machine (LLVM) bitcode format. The untrusted bitcode is transformed by WebC intocode in the WebC security language, which enforces both memory isolation and control-flow integrity. Comparedwith previous approaches, WebC is more portable, provides stronger security, and allows more flexible memorymanagement. Experimental results show that the average runtime overhead of WebC is modest.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Similar content being viewed by others

References

  1. Oeschger. API reference: netscape Gecko plugins 2.190 pgs. Netscape Communication, 2002

  2. Yee B, Sehr D, Dardyk G, et al. Native client: a sandbox for portable, untrusted x86 native code. In: Proceedings ofIEEE Symposium on Security and Privacy, Oakland 2009, 79–93

    Google Scholar 

  3. Douceur JR, Elson J, Howell J, et al. Leveraging legacy code to deploy desktop applications on the web. In:Proceedings of USENIX Symposium on Operating Systems Design and Implementation, San Diego 2008, 339–354

    Google Scholar 

  4. Wahbe R, Lucco S, Anderson T, et al. Efficient software-based fault isolation. In: Proceedings of ACM Symposiumon Operating Systems Principles, New York 1993, 203–216

    Google Scholar 

  5. McCamant S, Morrisett G. Evaluating SFI for a CISC architecture. In: Proceedings of USENIX Security Symposium,Vancouver 2006, 209–224

    Google Scholar 

  6. Sehr D, Muth R, Biffle C, et al. Adapting software fault isolation to contemporary CPU architectures. In: Proceedingsof USENIX Security Symposium, Washington DC 2010, 1–12

    Google Scholar 

  7. Erlingsson U, Abadi M, Vrable M, et al. XFI: software guards for system address spaces. In: Proceedings of the 7thSymposium on Operating Systems Design and Implementation, Seattle 2006, 75–88

    Google Scholar 

  8. Abadi M, Budiu M, Erlingsson U, et al. Control-flow integrity. In: Proceedings of the 12th ACM Conference onComputer and Communications Security, Alexandria 2005, 340–353

    Chapter  Google Scholar 

  9. Woo SC, Ohara M, Torrie E, et al. The SPLASH-2 programs: characterization and methodological considerations.In: Proceedings of International Symposium on Computer Architecture, Santa Margherita Ligure 1995, 24–36

    Google Scholar 

  10. Zeng B, Tan G, Morrisett G. Combining control-flow integrity and static analysis for efficient and validated datasandboxing. In: Proceedings of the 18th ACM Conference on Computer and Communications Security, Chicago 2011,29–40

    Google Scholar 

  11. Jim T, Morrisett JG, Grossman D, et al. Cyclone: a safe dialect of C. In: Proceedings of USENIX Annual TechnicalConference, Monterey 2002, 275–288

    Google Scholar 

  12. Necula G. Proof-carrying code. In: Proceedings of the 24th ACM Symposium on Principles of Programming Languages,New York 1997, 106–119

    Google Scholar 

  13. Erlingsson U, Schneider FB. SASI enforcement of security policies: a retrospective. In: Proceedings of New SecurityParadigms Workshop, Ontario 1999, 87–95

    Google Scholar 

  14. Evans D, Twyman A. Flexible policy-directed code safety. In: Proceedings of IEEE Symposium on Security andPrivacy, Oakland 1999, 32–45

    Google Scholar 

  15. Erlingsson U, Schneider FB. IRM enforcement of Java stack inspection. In: Proceedings of IEEE Symposium onSecurity and Privacy, Oakland 2000, 246–255

    Google Scholar 

  16. Small C. A tool for constructing safe extensible C++ systems. In: Proceedings of the 3rd USENIX Conference onObject-Oriented Technologies and Systems, Portland 1997, 175–184

    Google Scholar 

  17. Ford B, Cox R. Vx32: lightweight user-level sandboxing on the x86. In: Proceedings of USENIX Annual TechnicalConference, Boston 2008, 293–306

    Google Scholar 

  18. Zeng B, Tan G, Erlingsson U. Strato: a retargetable framework for low-level inlined-reference monitors. In: Proceedingsof USENIX Security Symposium, Washington DC 2013, 369–382

    Google Scholar 

  19. Morrisett G, Tan G, Tassarotti J, et al. RockSalt: better, faster, stronger SFI for the x86. In: Proceedings of the 33rdACM SIGPLAN conference on Programming Language Design and Implementation, Beijing 2012, 395–404

    Chapter  Google Scholar 

  20. Dhurjati D, Kowshik S, Adve V. SAFECode: enforcing alias analysis for weakly typed languages. In: Proceedings ofthe ACM SIGPLAN 2006 Conference on Programming Language Design and Implementation, Ottawa, Ontario 2006,144–157

    Google Scholar 

  21. Dhurjati D, Adve V. Backwards-compatible array bounds checking for C with very low overhead. In: Proceedings ofthe 28th International Conference on Software Engineering, Shanghai 2006, 162–171

    Google Scholar 

  22. Nagarakatte S, Zhao J, Martin MM, et al. SoftBound: highly compatible and complete spatial memory safety for C. In: Proceedings of the ACM SIGPLAN Conference on Programming Language Design and Implementation, Dublin,2009. 245–258

    Google Scholar 

  23. Howell J, Parno B, Douceur JR. How to run POSIX apps in a minimal picoprocess. In: Proceedings of the USENIXAnnual Technical Conference, San Jose 2013, 321–332

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Department of Computer Science and Technology, Tsinghua University, Beijing, 100049, China

    Jie Yin, XiaoLong Bai & ShiMin Hu

  2. Department of Computer Science and Engineering, Lehigh University, Bethlehem, PA, 18015, USA

    Gang Tan

Authors
  1. Jie Yin
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Gang Tan
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. XiaoLong Bai
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. ShiMin Hu
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Jie Yin.

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Yin, J., Tan, G., Bai, X. et al. WebC: toward a portable framework for deploying legacy code in web browsers. Sci. China Inf. Sci. 58, 1–15 (2015). https://doi.org/10.1007/s11432-015-5285-y

Download citation

  • Received:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s11432-015-5285-y

Keywords

Search

Navigation