Channels ▼

Jonathan Erickson

Dr. Dobb's Bloggers

MashupOS: Can You Have Security and Web 2.0?

April 23, 2008

Okay, you have a web browser, and you have Web 2.0 applications -- mashups, in other words. And you have a choice -- convenience or security. The convenience of running mashups that combine related data from unrelated sources versus the minefield of running web services from multiple unknown, untrusted sites in a browser that was designed for visiting one known, trusted web site at a time. What's the answer?

For researchers Xiaofeng Fan, Helen Wang, Jon Howell, and Collin Jackson, the answer involves applying operating system principles to Web 2.0 environments. And from that perspective, they believe that the current generation of browsers don't involve operating system abstractions. Instead they rely upon a limited binary trust model and protection abstractions suitable only for single principal systems. To remedy the situation, the researcher team has launched the MashupOS project, in which they are designing and building a browser-based multi-principal operating system. As they describe in their paper MashupOS: Operating System Abstractions for Client Mashups, MashupOS is a "set of abstractions that isolate mutually-untrusting web services within the browser, while allowing safe forms of communication."

The specific goals of the MashupOS project are to implement secure browser abstractions with:

  • Cross-domain protection that prevents code in one domain from compromising the confidentiality or integrity of other domains.
  • Controlled cross-domain communication that lets services from one domain interoperate with services from another.
  • Doing minimal violence to existing Web API, thereby easeing adoption of the new abstractions, while maintaining backwardscompatibility.

Central to the MashupOS is the ServiceInstance abstraction, which as the unit of isolation, fault containment, and resource allocation. The ServiceInstance abstraction is used for rendering access-controlled content. MashupOS also introduces the <Friv> , a flexible cross-domain display abstraction that gets its name becauses it's a cross between <iframe> and <div>. According to the researchers in Protection and Communication Abstractions for Web Browsers in MashupOS, a <Friv>, like an <iframe>, provides a boundary between a container document and an inner document, isolating the content from separate domains, but enabling the inner document to appear within the container's display.

Like a <div>, <Friv> lets the child's layout requirements flow to the frame in the container, enabling the container to adjust its layout to suit the child document. It achieves this by providing default handlers that negotiate layout size across the isolation boundary using theMashupOS local communication primitives, providing flexible <div> -like layout behavior.

To provide a hands-on experience, Fan, who along with Wang and Powell is a researcher at Microsoft Research, has implemented an Internet Explorer-based prototype for MashupOS.

All in all, MashupOS looks to be a start towards fine-grained, brower-based security, along with browser support for third-party content. But its just that -- a start. It is also worth noting that Microsoft Research isn't the only tiger chasing the secure mashup tail. IBM's solution is a technology codenamed SMash, short for "secure mashup" that lets information from different sources talk to each other, but keeps them separate so malicious code cannot creep into enterprise systems. IBM has contribute SMash technology to the OpenAjax Alliance (



Related Reading

More Insights

Currently we allow the following HTML tags in comments:

Single tags

These tags can be used alone and don't need an ending tag.

<br> Defines a single line break

<hr> Defines a horizontal line

Matching tags

These require an ending tag - e.g. <i>italic text</i>

<a> Defines an anchor

<b> Defines bold text

<big> Defines big text

<blockquote> Defines a long quotation

<caption> Defines a table caption

<cite> Defines a citation

<code> Defines computer code text

<em> Defines emphasized text

<fieldset> Defines a border around elements in a form

<h1> This is heading 1

<h2> This is heading 2

<h3> This is heading 3

<h4> This is heading 4

<h5> This is heading 5

<h6> This is heading 6

<i> Defines italic text

<p> Defines a paragraph

<pre> Defines preformatted text

<q> Defines a short quotation

<samp> Defines sample computer code text

<small> Defines small text

<span> Defines a section in a document

<s> Defines strikethrough text

<strike> Defines strikethrough text

<strong> Defines strong text

<sub> Defines subscripted text

<sup> Defines superscripted text

<u> Defines underlined text

Dr. Dobb's encourages readers to engage in spirited, healthy debate, including taking us to task. However, Dr. Dobb's moderates all comments posted to our site, and reserves the right to modify or remove any content that it determines to be derogatory, offensive, inflammatory, vulgar, irrelevant/off-topic, racist or obvious marketing or spam. Dr. Dobb's further reserves the right to disable the profile of any commenter participating in said activities.

Disqus Tips To upload an avatar photo, first complete your Disqus profile. | View the list of supported HTML tags you can use to style comments. | Please read our commenting policy.

Dr. Dobb's TV