Shop: This program models an important class of real-world
Web applications, and is the largest Swift program written to
date: 1,094 lines of Jif source. It is an online shopping application with a back-end PostgreSQL database. Users must
register and log in before updating their shopping cart and
making purchases.
Poll: This is an online poll that allows users to vote for one of
three options and view the current winner.
Secret Keeper: This simple application allows users to store
a secret on the server and retrieve the secret later by logging in. This example shows that Swift can handle complex
policies with application-defined principals, and that it
can automatically generate protocols for password-based
authentication and authorization from high-level information security policies.
Treasure Hunt: This game has a grid of cells. Some contain
bombs and others, treasure. The user chooses cells to dig in,
exposing their contents, until a bomb is encountered. The
game has a relatively rich user interface.
Auction: This online auction application allows users to list
items for auction and to bid on items from other users. The
application automatically polls the server to retrieve auction
status updates and to update the display.
5.2. Code size results
Programs compiled by Swift do expand as run-time mechanisms are inserted, though avoiding this expansion was
not a significant goal in the current implementation.
Across the example applications, we found that expansion
was roughly linear, with a server-side code expansion factor between 8 and 13. On the client side, about 800 bytes
of JavaScript code were generated per line of Jif code.
Much of the expansion occurs when Java code is compiled
to JavaScript by GWT, so translating directly to JavaScript
would probably help.
5.3. Performance results
From the user’s perspective, the interactive performance of
applications is primarily affected by network latency. Table
2 shows measurements of the number of network messages required to carry out the core user interface task in
each application. For example, the core user interface task
in Guess-a-Number is submitting a guess. The number of
actual messages is compared to the optimum that could be
achieved by writing a secure Web application by hand.
Messages sent from the server to the client are the most
important measure of responsiveness because it is these
messages that the client waits for. The table also reports the
number of messages sent from the client to the server; these
messages are less important because the client does not
block when they are sent.
The number of server–client messages in the example
applications is always optimal or nearly so. For example, in
the Shop application, it is possible to update the shopping
cart without any client–server communication. The optimum number of messages is not achieved for Poll because
the structure of Swift applications currently requires that the
client hears a response to each request. For Guess-a-Number
and Treasure Hunt, there are extra client–server messages
triggering server-side computations that the client does not
wait for, but server–client messages remain optimal.
5.4. Automatic repartitioning
One advantage of Swift is that the compiler can repartition
the application when security policies change. We tested
this feature with the Guess-a-Number example: if the number to guess is no longer required to be secret, the field that
stores the number and the code that manipulates it can be
replicated to the client for better responsiveness. Lines 9–13
of Figure 4 all become replicated on both server and client,
and the message for the transition from line 13 to 14 is no
longer needed. The only source-code change is to replace
the label { → ; ← } with { →client; ← } on line 3 of
Figure 2. Everything else follows automatically.
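
The repartitioning effect described above, as an added toy model in Python. It is not Swift's partitioning algorithm and not the code of Figure 4; the statement names, field names and the three-way placement rule are assumptions made for illustration.

```python
# Toy model of label-driven placement (added illustration, not Swift's algorithm).
from dataclasses import dataclass

@dataclass(frozen=True)
class Stmt:
    name: str
    reads: frozenset
    writes: frozenset

def placement(stmt, client_readable, high_integrity):
    """Return 'server', 'both' or 'client' for one statement."""
    if not stmt.reads <= client_readable:
        return "server"   # reads data the client is not allowed to see
    if stmt.writes & high_integrity:
        return "both"     # replicated: client copy for speed, server copy authoritative
    return "client"       # only client-visible, low-integrity data

def partition(program, client_readable, high_integrity):
    return {s.name: placement(s, client_readable, high_integrity) for s in program}

def blocking_messages(program, client_readable, high_integrity):
    """Count server->client messages the client has to wait for."""
    where = [placement(s, client_readable, high_integrity) for s in program]
    return sum(1 for a, b in zip(where, where[1:]) if a == "server" and b != "server")

def S(name, reads, writes):
    return Stmt(name, frozenset(reads), frozenset(writes))

# Constructed statements loosely modelled on Guess-a-Number (hypothetical names).
# 'correct' is assumed to be declassified, so the client may read it.
PROGRAM = [
    S("read_guess", {"input"}, {"guess"}),
    S("compare", {"guess", "secret"}, {"correct"}),
    S("count_try", {"tries"}, {"tries"}),
    S("show_result", {"correct", "tries"}, {"message"}),
]
HIGH_INTEGRITY = {"secret", "correct", "tries"}
SECRET_POLICY = {"input", "guess", "correct", "tries", "message"}  # secret hidden
RELAXED_POLICY = SECRET_POLICY | {"secret"}                         # client may read it

if __name__ == "__main__":
    for label, policy in (("secret", SECRET_POLICY), ("relaxed", RELAXED_POLICY)):
        print(label, partition(PROGRAM, policy, HIGH_INTEGRITY),
              blocking_messages(PROGRAM, policy, HIGH_INTEGRITY))
```

Only the policy set changes between the two runs; the statement list is untouched, which mirrors the one-label source change the section describes.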
6. Related Work
In recent years there have been a number of attempts to
improve Web application security. At the same time, there has
been increasing interest in unified frameworks for Web application development. As a unified programming framework
that enforces end-to-end information security policies, Swift
is at the confluence of these two lines of work. It is also related
to prior work on automatically partitioning applications.
6.1. Information flow in Web applications
Several previous systems have used information flow control to enforce Web application security. This prior work
is mostly concerned with tracking information integrity,
rather than confidentiality, with the goal of preventing the
client from subverting the application by providing bad
information (e.g., that might be used in an SQL query). Some
of these systems use static program analysis (of information
flow and other program properties),[10, 12, 22] and some use
dynamic taint tracking,[9, 16, 23] which usually has the weakness
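
Table 2: Network messages required to perform a core UI task.

| Example        | Task               | Actual server→client | Actual client→server | Optimal server→client | Optimal client→server |
|----------------|--------------------|----------------------|----------------------|-----------------------|-----------------------|
| Guess-a-Number | Guessing a number  | 1                    | 2                    | 1                     | 1                     |
| Shop           | Adding an item     | 0                    | 0                    | 0                     | 0                     |
| Poll           | Casting a vote     | 1                    | 1                    | 0                     | 1                     |
| Secret Keeper  | Viewing the secret | 1                    | 1                    | 1                     | 1                     |
| Treasure Hunt  | Exploring a cell   | 1                    | 2                    | 1                     | 1                     |
| Auction        | Bidding            | 1                    | 1                    | 1                     | 1                     |
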
February 2009 | Vol. 52 | No. 2 | Communications of the ACM | 85