Atlantis: Robust, extensible execution environments for web applications

SOSP'11 - Proceedings of the 23rd ACM Symposium on Operating Systems Principles

Volumn , Issue , 2011, Pages 217-231

  Mickens, James ^a   Dhawan, Mohan ^b  

^a MICROSOFT RESEARCH   (United States)

^b RUTGERS UNIVERSITY   (United States)

Author keywords

exokernels; microkernels; web browsers

Indexed keywords

ATLANTIS; BLACK BOXES; BROWSING SYSTEMS; EXECUTION ENVIRONMENTS; EXOKERNEL; EXOKERNELS; MICRO KERNEL; NETWORK DATA; RUNTIMES; SCRIPTING LANGUAGES; USER INPUT; WEB APPLICATION; WEB PAGE;

CODES (SYMBOLS); JAVA PROGRAMMING LANGUAGE; WORLD WIDE WEB;

WEB BROWSERS;

EID: 82655162790     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/2043556.2043577     Document Type: Conference Paper

References (56)

1. A. Aho, M. Lam, R. Sethi, and J. Ullman. Compilers: Principles, Techniques, and Tools. Addison-Wesley, 2nd edition, 2007.
2. J. Albahari and B. Albahari. C# 3.0 in a Nutshell. O'Reilly Publishing, O'Reilly Media, Inc., 3rd edition, 2007.
3. Anonymous. Paper title blinded. In submission.
4. M. Bebenita, F. Brandner, M. Fahndrich, F. Logozzo, W. Schulte, N. Tillmann, and H. Venter. SPUR: A Trace-Based JIT Compiler for CIL. Microsoft Research Tech Report MSR-TR-2010-27, March 25, 2010.
5. J. Chaffer and K. Swedberg. jQuery 1.4 Reference Guide. Packt Publishing, Birmingham, United Kingdom, 2010.
6. S. Chen, D. Ross, and Y.-M. Wang. An Analysis of Browser Domain-Isolation Bugs and A Light-Weight Transparent Defense Mechanism. In Proceedings of CCS, Alexandria, VA, October 2007.
7. R. Cooper and C. Collins. GWT in Practice. Manning Publications, Greenwich, CT, 2008.
8. M. Cova, C. Kruegel, and G. Vigna. Detection and Analysis of Drive-by-Download Attacks and Malicious JavaScript Code. In Proceedings of WWW, Raleigh, NC, April 2010.
9. C. Coyier. Percentage Bugs in WebKit. CSS-tricks Blog. http://css-tricks.com/percentage-bugs-in-webkit/, August 30, 2010.
10. D. Crane, B. Bibeault, and T. Locke. Prototype and Scriptaculous in Action. Manning Publications, Greenwich, CT, 2007.
11. D. Crockford. The application/json Media Type for JavaScript Object Notation (JSON). RFC 4627, July 2006.
12. M. Daniel, J. Honoroff, and C. Miller. Engineering Heap Overflow Exploits with JavaScript. In Proceedings of USENIX Workshop on Offensive Technologies, 2008.
13. J. Douceur, J. Elson, J. Howell, and J. Lorch. Leveraging Legacy Code to Deploy Desktop Applications on the Web. In Proceedings of OSDI, San Diego, CA, December 2008.
14. th edition, December 2009.
15. H. Edskes. IE8 overflow and expanding box bugs. Final Builds Blog.http://www.edskes.net/ie/ ie8overflowandexpandingboxbugs.htm, 2010.
16. D. Engler, M. Kaashoek, and J. O. Jr. Exokernel: An Operating System Architecture for Application-Level Resource Management. In Proceedings of SOSP, Copper Mountain, CO, December 1995.
17. Envjs Team. Envjs: Bringing the Browser. http://www.envjs.com/, 2010.
18. eSpace Technologies. A tiny bug in Prototype JS leads to major incompatibility with Facebook JS client library. eSpace.com blog, April 23, 2008.
19. Fielding, R., Gettys, J., Mogul, J.,Frystyk, H., Masinter, L., Leach, P., and Berners-Lee, T. Hypertext Transfer Protocol - HTTP/1.1. RFC 2616 (Draft Standard), June 1999.
20. D. Flanagan. JavaScript: The Definitive Guide. O'Reilly Media, Inc., 5th edition, 2006.
21. Forrester Consulting. eCommerce Web Site Performance Today: An Updated Look At Consumer Reaction To A Poor Online Shopping Experience. White paper, 2009.
22. S. Galineau. The CSS Corner: Using Filters In IE8. IBBlog. http://blogs.msdn.com/b/ie/archive/2009/02/19/ the-css-corner-using-filters-in- ie8.aspx, February 19, 2009.
23. D. Glazman. JSCSSP: A CSS parser in JavaScript. http://www.glazman.org/ JSCSSP/, 2010.
24. Google. Fixing Google Chrome Compatibility bugs in WebSites. http://code.google.com/p/doctype/ wiki/ArticleGoogleChromeCompatFAQ#Inline- elements-can%27t-enclose-block-elements, May 25, 2010.
25. C. Grier, S. Tang, and S. King. Secure Web Browsing with the OP Web Browser. In Proceedings of IEEE Security, Oakland, CA, May 2008.
26. L.-S. Huang, Z. Weinberg, C. Evans, and C. Jackson. Protecting Browsers from Cross-Origin CSS Attacks. In Proceedings of CCS, Chicago, IL, October 2010.
27. J. Zaytsev. What's wrong with extending the DOM. Perfection Kills Website. http://perfectionkills. com/whats-wrong-with-extending-the-dom, April 5, 2010.
28. jQuery Message Forum. Focus() inside a blur() handler. https://forum.jquery.com/topic/ focus-inside-a-blur-handler, January 2010.
29. N. Kothari. Script#: Version 0.5.5.0. http://projects.nikhilk.net/ ScriptSharp, 2009.
30. L. Lazaris. CSS Bugs and Inconsistencies in Firefox 3.x. Webdesigner Depot. http://www.webdesignerdepot.com/2010/03/ css-bugs-and-inconsistencies-in- firefox-3-x, March 15, 2010.
31. J. Mickens, J. Howell, and J. Elson. Mugshot: Deterministic Capture and Replay for JavaScript Applications. In Proceedings of NSDI, San Jose, CA, April 2010.
32. Microsoft. Update for Native JSON feature in IE8. http://support. microsoft.com/kb/976662, February 2010.
33. M. Miller, M. Samuel, B. Laurie, I. Awad, and M. Stay. Caja: Safe active content in sanitized JavaScript. Draft specification, January 15, 2008.
34. A. Moshchuk and H. J. Wang. Resource Management for Web Applications in ServiceOS. Microsoft Research Tech Report MSR-TR-2010-56, May 18, 2010.
35. Mozilla Corporation. Narcissus javascript. http: //mxr.mozilla.org/ mozilla/source/js/narcissus/.
36. Mozilla Developer Center. Gecko Plugin API Reference. https://developer.mozilla.org/en/ Gecko-Plugin-API-Reference, 2010.
37. Mozilla Developer Center. HTML5 Parser. https://developer.mozilla.org/en/ HTML/HTML5/ HTML5-Parser, July 29, 2010.
38. National Vulnerability Database. CVE-2010-2301, 2010. Cross-site scripting vulnerability: innerHTML.
39. T. Olsson. The Ultimate CSS Reference. Sitepoint, Collingwood, Victoria, Austraiia, 2008.
40. T. Parr. The Definitive ANTLR Reference. Pragmatic Bookshelf, Raleigh, North Carolina, 2007.
41. Peter-Paul Koch. QuirksMode-for all your browser quirks. http://www.quirksmode.org, 2011.
42. J. Pobar, T. Neward, D. Stutz, and G. Shilling. Shared Source CLI 2.0 Internals. http://callvirt.net/blog/files/Shared%20Source%20CLI%202. 0%20Internals.pdf, 2008.
43. P. Ratanaworabhan, B. Livshits, and B. Zorn. JSMeter: Comparing the Behavior of JavaScript Benchmarks with RealWeb Applications. In Proceedings of USENIX WebApps, Boston, MA, June 2010.
44. J. Resig. Pure JavaScript HTML Parser. http: //ejohn.org/blog/pure- javascript-html-parser/, May 2008.
45. C. Stork, P. Housel, V. Haldar, N. Dalton, and M. Franz. Towards language-agnostic mobile code. In Proceedings of the Workshop on Multi-Language Infrastructure and Interoperability, Firenze, Italy, 2001.
46. S. Tang, H. Mai, and S. T. King. Trust and Protection in the Illinois Browser Operating System. In Proceedings of OSDI, 2010.
47. C. Tyler. X Power Tools. O'Reilly Media, Inc., Cambridge, MA, 2007.
48. W3C Web Apps Working Group. Web Storage: W3C Working Draft. http: //www.w3.org/TR/2009/WD-webstorage-20091029, October 29, 2009.
49. H. J. Wang, C. Grier, A. Moshchuk, S. T. King, P. Choudhury, and H. Venter. The Multi-principal OS Construction of the Gazelle Web Browser. In Proceedings of USENIX Security, 2009.
50. Web Hypertext Application Technology Working Group (WHATWG). Web Workers (Draft Recommendation). http://www.whatwg.org/specs/ web-workers/current-work/, September 10, 2010.
51. World Wide Web Consortium. Document object model (DOM) level 2 core specification. W3C Recommendation, November 13, 2000.
52. World Wide Web Consortium. Cascading Style Sheets Level 2 Revision 1 (CSS 2.1) Specification. W3C Working Draft. http://www.w3.org/TR/CSS2, September 8, 2009.
53. World Wide Web Consortium. Geolocation API Specification. http://dev.w3.org/geo/api/spec-source.html, February 10, 2010.
54. World Wide Web Consortium. HTML Device: An addition to HTML. http://dev.w3.org/html5/html-device/, September 9, 2010.
55. World Wide Web Consortium. HTML5: A vocabulary and associated APIs for HTML and XHTML. W3C Working Draft. http://www.w3.org/TR/html5, June 24, 2010.
56. B. Yee, D. Sehr, G. Dardyk, J. B. Chen, R. Muth, T. Ormandy, S. Okasaka, N. Narula, and N. Fullagar. Native Client: A Sandbox for Portable, Untrusted x86 Native Code. In Proceedings of IEEE Security, Oakland, CA, May 2009.