13,251 research outputs found
Genet: A Quickly Scalable Fat-Tree Overlay for Personal Volunteer Computing using WebRTC
WebRTC enables browsers to exchange data directly but the number of possible
concurrent connections to a single source is limited. We overcome the
limitation by organizing participants in a fat-tree overlay: when the maximum
number of connections of a tree node is reached, the new participants connect
to the node's children. Our design quickly scales when a large number of
participants join in a short amount of time, by relying on a novel scheme that
only requires local information to route connection messages: the destination
is derived from the hash value of the combined identifiers of the message's
source and of the node that is holding the message. The scheme provides
deterministic routing of a sequence of connection messages from a single source
and probabilistic balancing of newer connections among the leaves. We show that
this design puts at least 83% of nodes at the same depth as a deterministic
algorithm, can connect a thousand browser windows in 21-55 seconds in a local
network, and can be deployed for volunteer computing to tap into 320 cores in
less than 30 seconds on a local network to increase the total throughput on the
Collatz application by two orders of magnitude compared to a single core
An Expressive Model for the Web Infrastructure: Definition and Application to the BrowserID SSO System
The web constitutes a complex infrastructure and as demonstrated by numerous
attacks, rigorous analysis of standards and web applications is indispensable.
Inspired by successful prior work, in particular the work by Akhawe et al. as
well as Bansal et al., in this work we propose a formal model for the web
infrastructure. While unlike prior works, which aim at automatic analysis, our
model so far is not directly amenable to automation, it is much more
comprehensive and accurate with respect to the standards and specifications. As
such, it can serve as a solid basis for the analysis of a broad range of
standards and applications.
As a case study and another important contribution of our work, we use our
model to carry out the first rigorous analysis of the BrowserID system (a.k.a.
Mozilla Persona), a recently developed complex real-world single sign-on system
that employs technologies such as AJAX, cross-document messaging, and HTML5 web
storage. Our analysis revealed a number of very critical flaws that could not
have been captured in prior models. We propose fixes for the flaws, formally
state relevant security properties, and prove that the fixed system in a
setting with a so-called secondary identity provider satisfies these security
properties in our model. The fixes for the most critical flaws have already
been adopted by Mozilla and our findings have been rewarded by the Mozilla
Security Bug Bounty Program.Comment: An abridged version appears in S&P 201
Analyzing the BrowserID SSO System with Primary Identity Providers Using an Expressive Model of the Web
BrowserID is a complex, real-world Single Sign-On (SSO) System for web
applications recently developed by Mozilla. It employs new HTML5 features (such
as web messaging and web storage) and cryptographic assertions to provide
decentralized login, with the intent to respect users' privacy. It can operate
in a primary and a secondary identity provider mode. While in the primary mode
BrowserID runs with arbitrary identity providers (IdPs), in the secondary mode
there is one IdP only, namely Mozilla's default IdP.
We recently proposed an expressive general model for the web infrastructure
and, based on this web model, analyzed the security of the secondary IdP mode
of BrowserID. The analysis revealed several severe vulnerabilities.
In this paper, we complement our prior work by analyzing the even more
complex primary IdP mode of BrowserID. We do not only study authentication
properties as before, but also privacy properties. During our analysis we
discovered new and practical attacks that do not apply to the secondary mode:
an identity injection attack, which violates a central authentication property
of SSO systems, and attacks that break an important privacy promise of
BrowserID and which do not seem to be fixable without a major redesign of the
system. Some of our attacks on privacy make use of a browser side channel that
has not gained a lot of attention so far.
For the authentication bug, we propose a fix and formally prove in a slight
extension of our general web model that the fixed system satisfies all the
requirements we consider. This constitutes the most complex formal analysis of
a web application based on an expressive model of the web infrastructure so
far.
As another contribution, we identify and prove important security properties
of generic web features in the extended web model to facilitate future analysis
efforts of web standards and web applications.Comment: arXiv admin note: substantial text overlap with arXiv:1403.186
Scale-invariance underlying the logistic equation and its social applications
On the basis of dynamical principles we derive the Logistic Equation (LE),
widely employed (among multiple applications) in the simulation of population
growth, and demonstrate that scale-invariance and a mean-value constraint are
sufficient and necessary conditions for obtaining it. We also generalize the LE
to multi-component systems and show that the above dynamical mechanisms
underlie large number of scale-free processes. Examples are presented regarding
city-populations, diffusion in complex networks, and popularity of
technological products, all of them obeying the multi-component logistic
equation in an either stochastic or deterministic way. So as to assess the
predictability-power of our present formalism, we advance a prediction,
regarding the next 60 months, for the number of users of the three main web
browsers (Explorer, Firefox and Chrome) popularly referred as "Browser Wars"
Declarative Ajax Web Applications through SQL++ on a Unified Application State
Implementing even a conceptually simple web application requires an
inordinate amount of time. FORWARD addresses three problems that reduce
developer productivity: (a) Impedance mismatch across the multiple languages
used at different tiers of the application architecture. (b) Distributed data
access across the multiple data sources of the application (SQL database, user
input of the browser page, session data in the application server, etc). (c)
Asynchronous, incremental modification of the pages, as performed by Ajax
actions.
FORWARD belongs to a novel family of web application frameworks that attack
impedance mismatch by offering a single unifying language. FORWARD's language
is SQL++, a minimally extended SQL. FORWARD's architecture is based on two
novel cornerstones: (a) A Unified Application State (UAS), which is a virtual
database over the multiple data sources. The UAS is accessed via distributed
SQL++ queries, therefore resolving the distributed data access problem. (b)
Declarative page specifications, which treat the data displayed by pages as
rendered SQL++ page queries. The resulting pages are automatically
incrementally modified by FORWARD. User input on the page becomes part of the
UAS.
We show that SQL++ captures the semi-structured nature of web pages and
subsumes the data models of two important data sources of the UAS: SQL
databases and JavaScript components. We show that simple markup is sufficient
for creating Ajax displays and for modeling user input on the page as UAS data
sources. Finally, we discuss the page specification syntax and semantics that
are needed in order to avoid race conditions and conflicts between the user
input and the automated Ajax page modifications.
FORWARD has been used in the development of eight commercial and academic
applications. An alpha-release web-based IDE (itself built in FORWARD) enables
development in the cloud.Comment: Proceedings of the 14th International Symposium on Database
Programming Languages (DBPL 2013), August 30, 2013, Riva del Garda, Trento,
Ital
- …