Rich Internet applications are becoming increasingly distributed, as demonstrated by the popularity of AJAX or Web 2.0 applications such as Facebook, Google Maps, Hotmail and many others. A typical multi-tier AJAX application consists of a server component implemented in Java J2EE, PHP or ASP.NET and a client-side component executing in JavaScript. The resulting application is more responsive because computation is moved closer to the client, avoiding unnecessary network round trips for frequent user actions. However, once a portion of the code is moved to the client, a malicious user can subvert the client side of the computation, jeopardizing the integrity of the server-side state. In this paper we propose Ripley, a system that uses replicated execution to automatically preserve the integrity of a distributed computation. Ripley replicates a copy of the client-side computation on the trusted server tier. Every client-side event is transferred to the replica of the client for execution. Ripley observes results of the computation, both as computed on the client-side and on the server side using the replica of the client-side code. Any discrepancy is flagged as a potential violation of computational integrity. We built Ripley on top of Volta, a distributing compiler that translates .NET applications into JavaScript, effectively providing a measure of security by construction for Volta applications. We have evaluated the Ripley approach on five representative AJAX applications built in Volta and also Hotmail, a large widely-used AJAX application. Our results so far suggest that Ripley provides a promising strategy for building secure distributed Web applications, which places minimal burden on the application developer at the cost of a low performance overhead. |