that the principal client may learn; the result of a computation on the client can be used on the server only if
the labels indicate that the result can be affected by the
principal client.
The translation to WebIL also translates Jif-specific
language features. Uses of the primitive Jif type label
are translated to uses of a class
jif.lang.Label.
Declassifications and endorsements are removed, as
they have no effect on the run-time behavior of the
program. However, they do affect the labels of code
and expressions, and therefore affect their placement
annotations.
4. 3. Goals and constraints
The compiler decides the partitioning by choosing a
placement for every field and statement of the WebIL
program. Placements are chosen to satisfy both the placement constraints and to improve performance. Since network latency is typically the most significant component
of Web application run time, fields and statements are
placed in order to minimize latency arising from messages sent between the client and server. For example,
it is desirable to give consecutive statements the same
placement.
Replicating computation can also reduce the number
of messages. Consider lines 5–8 of the Guess-a-Number
application in Figure 3, which check that the user’s input
i is between 1 and 10 inclusive. To securely check that the
client provides valid input, these statements must execute
on the server. If the value entered by the user is not in the
valid range, the server sends a message to the client to
execute line 25, informing the user of the error. However,
if lines 5–8 execute on both the client and server, no server–
client message is needed, and the user interface is more
responsive.
Figure 4 shows the
GuessANumber.makeGuess method
after partitioning. A placement has been chosen for each
statement. The field tries has been replicated on both client and server, requiring all assignments to it to occur on
both hosts (lines 14 and 17). Also, the compiler has replicated on both client and server the validation code to check
that the user’s guess is between 1 and 10 (lines 2–8). The validation code must be on the server for security, but placing it
on the client allows the user to be informed of errors (on line
25) without waiting for a server response.
4. 4. Partitioning algorithm
The compiler chooses placements for statements and fields
in two stages. First, it constructs a weighted directed graph
that approximates the control flow of the whole program.
Each node in the graph is a statement, and weights on the
edges are static approximations of the frequency of execution following that edge. Second, the weighted directed
graph and the annotations of the statements and field
declarations are used to construct an instance of an integer programming problem, which is then reduced to an
instance of the maximum flow problem. This can be solved
in polynomial time, directly yielding fields and statement
placements.
84 CommunICatIons of the aCm | febrUary 2009 | vol. 52 | no. 2
figure 4: Guess-a-number after partitioning.
5. eVaLuatIon
The Swift compiler extends the Jif compiler with about 20,000
lines of noncomment nonblank lines of Java code. Both the
Swift and Jif compilers are written using the Polyglot compiler framework.
17 The Swift server and client run-time systems together comprise about 2,600 lines of Java code. The
UI framework is implemented in 1,400 lines of WebIL code
and an additional 560 lines of Java code that adapt the GWT
UI library. We also ported the Jif run-time system from Java
to WebIL, resulting in about 3,900 lines of WebIL code. The
Jif run-time system provides support for run-time representations of labels and principals.
To evaluate our system, we implemented six Web applications with varying characteristics. None of these applications is large, but because they test the functionality of
Swift in different ways, they suggest that Swift will work for
a wide variety of Web applications. Because the applications
are written in a higher-level language than is usual for Web
applications, they provide much functionality (and contain
many security issues) per line of code. Overall, the performance of these Web applications is comparable to what can
be obtained by writing applications by hand. Therefore, we
do not see any barrier to using this system on larger Web
applications.
5. 1. example Web applications
guess-a-number: Our running example demonstrates how
Swift uses replication to avoid round-trip communication
between client and server. Figure 4, lines 5–8, shows that the
compiler automatically replicates the range check onto the
client and server, thus saving a network message from the
server to the client at line 25.