Web Sandbox Architecture: Overview
This brief architecture overview shows the structure of the sandbox as well as the interplay during the components at runtime. The diagrams use the UML notation from Documenting Software Architecture--Views and Beyond; consequently the boxes represent architectural elements rather than classes. For structure we use a hybrid of Decomposition and Uses styles, where the connectors represent either usage or aggregation; for runtime we use the Pipes-and-Filters style, where the connectors represent data flow. We cover the transformation pipeline and the virtual machine in subsequent sections.
Structure
The sandbox provides security and extensibility through host virtualization. Untrusted code such as gadgets executes in a virtual machine rather than directly in the browser. The virtual machine isolates the trusted code running outside the sandbox from the untrusted code.
The architecture comprises the following modules:
- Virtual Machine
- Provides an isolated container that executes untrusted code. The Virtual Machine uses the Browser, the Transformation Pipeline, and a Policy.
- Browser
- Provides the runtime (JavaScript and DOM).
- Transformation Pipeline
- Injects an interception layer that verifies all accesses to the runtime. This entails converting HTML, CSS and script code into code that the virtual machine can execute.
- Policy
- Contains a set of rules that, using the invocation context, determines whether the access to the runtime should be granted, denied, or provided through an alternate implementation (i.e., augmented).
Runtime
The sandbox begins interacting with the other components when code executing in the host requests untrusted content from a 3rd party. The untrusted code (which was written to target the browser and thus is completely independent of the sandbox) goes through a series of transformations.
The transformations convert HTML, CSS and script code into code that executes in the virtual machine, injecting an interception layer. Upon executing the transformed code, the virtual machine adds type information to all object references.
Accessing a typed reference in the virtual machine causes the interception layer to verify the access against a context and set of rules. Using the context, the rules determine whether the virtual machine allows, denies, or uses an alternate implementation (i.e., augmentation) when accessing the browser. Augmentations allow the sandbox to provide namespace isolation, as well as a bridge between the W3C's APIs and the browser's native API.
