
MashupOS: Can You Have Security and Web 2.0?

Okay, you have a web browser, and you have Web 2.0 applications -- mashups, in other words. And you have a choice -- convenience or security. The convenience of running mashups that combine related data from unrelated sources versus the minefield of running web services from multiple unknown, untrusted sites in a browser that was designed for visiting one known, trusted web site at a time. What's the answer?

For researchers Xiaofeng Fan, Helen Wang, Jon Howell, and Collin Jackson, the answer involves applying operating system principles to Web 2.0 environments. From that perspective, they argue that the current generation of browsers lacks operating system abstractions: browsers instead rely on a limited, binary trust model and on protection abstractions suitable only for single-principal systems. To remedy the situation, the research team has launched the MashupOS project, in which they are designing and building a browser-based multi-principal operating system. As they describe in their paper MashupOS: Operating System Abstractions for Client Mashups, MashupOS is a "set of abstractions that isolate mutually-untrusting web services within the browser, while allowing safe forms of communication."

The specific goals of the MashupOS project are to implement secure browser abstractions with:

  • Cross-domain protection that prevents code in one domain from compromising the confidentiality or integrity of other domains.
  • Controlled cross-domain communication that lets services from one domain interoperate with services from another.
  • Minimal violence to the existing Web API, thereby easing adoption of the new abstractions while maintaining backwards compatibility.

Central to MashupOS is the ServiceInstance abstraction, which serves as the unit of isolation, fault containment, and resource allocation. The ServiceInstance abstraction is used for rendering access-controlled content. MashupOS also introduces the <Friv>, a flexible cross-domain display abstraction that gets its name because it's a cross between <iframe> and <div>. According to the researchers in Protection and Communication Abstractions for Web Browsers in MashupOS, a <Friv>, like an <iframe>, provides a boundary between a container document and an inner document, isolating content from separate domains while still allowing the inner document to appear within the container's display.

Like a <div>, <Friv> lets the child's layout requirements flow to the frame in the container, enabling the container to adjust its layout to suit the child document. It achieves this by providing default handlers that negotiate layout size across the isolation boundary using the MashupOS local communication primitives, providing flexible <div>-like layout behavior.
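To make the two halves of the <Friv> idea concrete, here is an added illustration that is not MashupOS code and not from the paper: a small model in which a container can size a frame around an isolated child only through a typed message exchange, never by reaching into the child's state. The names IsolatedDocument, Friv, negotiateLayout and the message types are assumptions chosen for this example; the child's contents and origins are constructed sample data.

```javascript
// Added example: a model of <Friv> layout negotiation across an isolation boundary.
// Not MashupOS code; IsolatedDocument, Friv and negotiateLayout are illustrative names.

// An isolated document keeps its state in a closure and exposes only a message handler,
// which is the <iframe>-like half: the container holds no reference to the inner state.
function IsolatedDocument(origin, contentHeight) {
  const privateState = {
    sessionToken: "constructed-token-for-" + origin, // constructed sample secret
    height: contentHeight,
  };
  return {
    origin,
    // The only way in. The handler answers a narrow set of message types and never
    // hands out privateState itself, so confidentiality of the inner document holds.
    receive(msg) {
      if (msg && msg.type === "layout:request") {
        return { type: "layout:reply", origin, preferredHeight: privateState.height };
      }
      return null; // unknown message types are ignored rather than acted on
    },
  };
}

// The container-side frame: it records which document it embeds and a height cap
// that bounds what the child may claim on the container's page.
function Friv(child, maxHeight) {
  return { child, maxHeight, height: 0 };
}

// Default handler that negotiates size across the boundary, the <div>-like half:
// the child's layout requirement flows up, but only as validated data. Returns the
// height the container allocates; any malformed or oversized reply leaves it unchanged.
function negotiateLayout(friv) {
  const reply = friv.child.receive({ type: "layout:request" });
  if (!reply || reply.type !== "layout:reply") return friv.height;
  // Accept only a reply attributed to the document this frame embeds. In a browser the
  // channel, not the sender, would stamp the origin; here the model checks the claim.
  if (reply.origin !== friv.child.origin) return friv.height;
  if (!Number.isInteger(reply.preferredHeight) || reply.preferredHeight < 0) {
    return friv.height;
  }
  friv.height = Math.min(reply.preferredHeight, friv.maxHeight);
  return friv.height;
}

// Integrity/confidentiality check: the container sees no property carrying the
// child's private state, only the origin label and the message handler.
function containerCanReadChildState(friv) {
  return Object.keys(friv.child).some((k) => k !== "origin" && k !== "receive");
}

// Usage with constructed origins: a well-behaved child and one that asks for far
// more space than the container is willing to give it.
const widget = IsolatedDocument("https://weather.example", 300);
const frame = Friv(widget, 500);
console.log("allocated:", negotiateLayout(frame)); // 300, the child's preference

const greedy = Friv(IsolatedDocument("https://ads.example", 9000), 500);
console.log("allocated (capped):", negotiateLayout(greedy)); // 500, the container's cap
console.log("container can read child state:", containerCanReadChildState(frame)); // false
```

The point of the model is the shape of the interface rather than the numbers: the child influences the container's layout only through a message whose type, origin and value the container validates, so the layout convenience of a <div> does not reopen the cross-domain exposure that an <iframe> exists to prevent.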

To provide a hands-on experience, Fan, who along with Wang and Howell is a researcher at Microsoft Research, has implemented an Internet Explorer-based prototype of MashupOS.

All in all, MashupOS looks to be a start towards fine-grained, browser-based security, along with browser support for third-party content. But it's just that -- a start. It is also worth noting that Microsoft Research isn't the only tiger chasing the secure mashup tail. IBM's solution is a technology codenamed SMash, short for "secure mashup", that lets information from different sources talk to each other but keeps them separate so malicious code cannot creep into enterprise systems. IBM has contributed SMash technology to the OpenAjax Alliance (http://www.openajax.org).