Arcan Explained: A Browser for Different Webs


This is a short form summary of the two blog posts 'Arcan Explained: A Browser for Different Webs' and 'Arcan-A12: Weaving a New Web'.

Bjorn Stahl

January 18, 2026

Transcript

  1. Arcan Explained: A Browser for Different Webs

    Remember This? Arcan: Technical Overview (2015)
  2. That is a Browser..

    Just Average in a few areas... But creates something interesting from that.

    Browser Breakdown
  3. Web Browsers went through quite the journey...

    [Gradient, left to right: Static Document, Networked Application]

    User demand (quickly) pushed towards the right, "what I once did locally, but Web!" trending:

    Forms, Scripting, Flash, ... AJAX, Applets, Emscripten, WebAssembly, WebGPU, WebMidi, WebUSB, ... Electron

    Browser Breakdown

    Conformant Implementation Needs To Cover Full Gradient
  4. More Complex == More Bugs, More Effort

    Crashes → Resilience

    Vulnerabilities → Sandbox

    More Features! More Hardware Platforms! Virtualize All the Things!

    Browser Breakdown
  5. Browser Breakdown

    [Figure annotations: IPC; Poor Man's Window Manager; Compositor]

    Figure: "Inside look at modern web browser" @ developer.chrome.com/blog/inside-browser-part1 CC-BY-4.0 (https://creativecommons.org/licenses/by/4.0/)
  6. Browser Breakdown

    • Separation based on Internal / Architectural Boundaries
      • Harder to define Necessary and Sufficient privileges
      • More Complex Policies
      • Synchronisation Difficulties
    • Poor alignment with outer desktop needs
      • 'Display Server' Role suffers, becomes weak point!
      • ChromeOS as OS features to bootstrap Chrome, not Chrome as OS
      • Minimal-Interaction with local software (clipboard, drag and drop, file-picker ...)
      • Assimilation of software rather than Collaboration

    The IPC Thing
  7. Decouple and Reduce Scope

    [Gradient: Static Document, Networked Application]

    Only This Thing, and Well

      • Offline or Preprocessing Tools, "Print to App"
      • User-customization Mix-in / Overrides
      • Inspectable Intermediate Representation
      • Compile, Package, Sign
      • "Static Site Generator" Pattern
      • Can run on same or different device
  8. IPC On Natural Boundaries

    • Decode [machine to human]
      • Very distinct use-pattern: "Allocate / Open" into pledge(STDIO), unveil("")
      • Attractive attack surface (unsafe parsers of legacy formats) made unattractive
    • Encode [human to machine]
      • Covers sharing scenarios and lossy data transforms (OCR, TTS, ...)
      • Exfiltration / Privacy-risk (or transform for enabling Deception)
    • Network [external resource resolution / retrieval]
      • Negotiates outbound connections from high level descriptions (e.g. host, url, ...)
      • Tie to traffic monitoring / Firewall
    • Set of interchangeable executables
      • Update / Upgrade / Restrict based on context at runtime
  9. IPC Key Properties

    • Crash Recovery / Runtime Redirection
      • For resilience (prevent loss)
      • For migration (moving specific work load to other device)
      • Compartmentation per device := Speculative Side-Channels
    • Alternate Representations
      • Content synched to primary - Debug view / Low, No-Vision A11y, ...
    • Match Desktop Application Data/Interaction Model
      • Embed / Collaborate with local software
      • Expose it to scripting API to route inputs and data/metadata transfers
    • Recursive (Next slide)

    See also: https://arcan-fe.com/2024/11/21/a-deeper-dive-into-the-shmif-ipc-system/
  10. Recursive

    • Instance can embed / interact with itself
      • Outmost one binds to existing desktop or becomes Display Server + Window Manager
      • Different set of [decode, encode, network, persistent K/V store, exec allowlist] - if desired

    [Diagram labels: Encode, Decode, Network, OS, Appl, Platform, Core, Script VM, IPC, User DB]
  11. Inside the Networked Application

    myapp/myapp.lua:

    ```lua
    -- called after engine launch
    function myapp()
    end

    function myapp_input(io)
        -- respond to keypresses, mouse motion, touch, ...
    end
    ```

    • Only requirement:
    • folder with script file with one function
    • all matching the name of the application
    • Builtin-API ~250 functions
    • Optional:
    • event handler entry points prefixed with name_
    • retrieve network process control handle
    • connection status, messaging, remote resource loading, ...

    To start: arcan /path/to/myapp
  12. More Advanced Streaming Video

    ```lua
    function myapp()
        net_open("@stdin",
            function(source, status)
                if status.kind == "connected" then
                    play_media(source)
                end
            end
        )
    end

    function play_media(ref)
        local fio = open_nonblock(ref, {}, "appl:/test.mp4")
        launch_decode(nil, "protocol=media",
            function(src, status)
                if status.kind == "bchunkstate" then
                    open_nonblock(src, {}, fio)
                elseif status.kind == "resized" then
                    show_image(src)
                    resize_image(src, status.width, status.height)
                end
            end
        )
    end
    ```

    Annotations on the code, in slide order:

    • Offline first, explicitly request access to network connection
    • Request resource from server-side application specific store
    • Transfer control parameters (buffering, parallelisation)
    • Spawn sandboxed decode process
    • Announced supported formats
    • Transfer ownership of remote stream
    • First frame delivery, set presentation
  13. Wait, Lua, not Javascript?

    • Thinking of Lua as both Intermediate Representation and Language in one
      • Not a new idea, remember Postscript? Display Postscript?
    • As IR
      • VM binding API is a stack based protocol decoder in disguise
      • deserialise-command → while(tokens_left) { push_[type](value) } call() → serialize-results
      • Use documentation (doc/*.lua) to generate wire format
      • Ignore the 'fancy' stuff (e.g. metatables)
    • As Language
      • A more civilised 'BASIC'
      • Very slow moving (and that is a good thing, mostly unchanged for 20+ years)
      • Tiny set of 'quirks' versus Javascript
      • Easy enough to implement, reference implementation stable
      • Existing transpilers translators, e.g. Typescript-To-Lua
  14. In Summary:

    • Skip the 'Document' story - offline tools that compile to application.
    • Compartmentation that match what is processed, not how you process.
    • Align communication (IPC) between compartments to cover desktop needs.
    • Design scripting API for the same (and regular interactive media processing).

    ... And you get a browser that a small number of individuals can write. Yet is still more capable.
  15. A Browser ✓

    For Different Webs ?
  16. Rest Is Not Much Better

    • Security: XSS, SQLi, CSRF, SSRF, Response Splitting
    • Topology / Intermediaries: CDN / DDoS "protection"
    • SSL Added and Removed Here
    • Free to Tamper with User Data
    • URL Rewriting
    • Scrapers overtaking real traffic
      • Robots.txt
      • Search convention, not protocol feature
    • Complex Deployment
  17. Once upon a time

    Bulletin Board Systems

    • Personal
    • Someone shared a slice of their computing
    • Emergent meet-up space
    • Featureful
    • File-Areas, Chat, Games, Messaging
    • Discovery
    • Initial: Word of Mouth / Media Publication
    • Secondary: Local Reference (.nfo, 'Other Boards')
    • Search: None or Local-Only
    • Linking
    • Unidirectional: A can Refer to B, B unaware
    • Unauthenticated: Link to anything or nothing
    • No Content Linking
  18. What features define 'the Web'?

    • Document Formats?
    • Browser?
    • Protocol?
    • It is in the links .. and the content.

    Moving Targets ..

    First on scene (Xanadu)

    What we got (URLs)
  19. Linking Story

    • URLs: <scheme>://<user>:<password>@<host>:<port>/<url-path>
    • [RFC1738] - "a compact string representation for a resource available via the Internet"
    • Unidirectional: A links to B, B unaware and no mechanism for consent
    • Turned into HTTP_REFERER into "Hotlinking not allowed"
    • Unauthenticated:
    • Validation only by Walking, Content-type by Retrieving, Mutate whenever
    • Credentials in link turned into Identity Provider + Sideband State (Cookies)
    • URL-Path turned into Asynch RPC call: /myfunc?arg1=xyz&...
    • Made them unpronounceable (hey, go to ...) turned into link shorteners
    • Which also shortened life-span ... and opened up for more tracking
    • Host meant DNS meant Filtering/Blocking/Namesquatting/Registrars/... ‽
  20. Other 'Webs' are emerging ...

    Discord

    • Mimic BBS appeal superficially
    • Without the personality
    • All the Web Warts Underneath
    • Browser : Web but worse
    • Linking : Web but worse
    • Search : Highly suspicious

    Accelerated by Search Dissolving, SEO and AI spam
  21. One Approach: A12-Web

    • Other Models to be Discovered
    • 'Network' resolution decoupled, swap it out.
    • Many Devices, One Desktop First
    • Personal swarm of 'devices'
    • Your Desktop, Reaching Out
    • Share slices
    • Closer to BBS model with modern capabilities
    • But different linking / discovery / search / developer story
    • Can't rely on [mass-] adoption
    • Needs to be personally useful
    • Work in Airgapped, Private and Mesh networks
  22. Building Blocks (protocol): A12

    • Covers Source (media, application) to Sink (presentation, inputs)
    • Push : Outbound Source to Inbound Sink
    • Pull : Outbound Sink to Inbound Source
    • Bidirectional: File Transfers (Think: Clipboard, DnD, File-picker)
    • Designed for "Remote Desktop" (Think: RDP, SSH, X11)
    • Authentication and Encryption
    • [X25519+Blake3+ChaCha8] + Ratchet + [ML-KEM768 step-up]
    • Trust On First Use or Preshared | Secret
    • Local Petname ↔ Key + Set of Hosts
    • Discovery Extension (Think: mDNS)
    • Local Broadcast of H[CHG, Known-Kpub]n compare with keystore
    • Proof of Time Elapsed (Block DOS amplification)
  23. Directory Server Extension

    • Adds DIRECTORY Role
    • Flat index of Petnames with change notification
    • Used for Source-Sink Rendezvous / Transitive Discovery
    • STUN / TURN
    • Authentication key-bound State- / File- Storage
    • Ed25519 Signed
    • Networked Application Hosting
    • Client Crash / Profiling collection
    • Atomic Updates
    • Messaging Domain (Broadcast or Server-Side Controller)
    • Per Application file-storage
  24. Directory Server Extension

    • Server-Side Controller
    • On demand-launched scripting Lua VM
    • Similar API and structure as Client Side App
    • Connection Authentication primitives exposed as H(kPub|Appl)
    • Regulates / Synthesises / Routes Client Messaging
    • Regulates / Routes Client File Requests
    • Can dynamically spawn directed sources:

    [Diagram labels: Dir, C1, Controller VM, Runner]

    1. Join "MyApp"
    2. Spawn "MyApp"
    3. _join(cl) event handler launch_target(cl,"xeyes")
    4. Ephemeral runner joins as source
    5. NOTIFY new-source [sink if possible]
    6. DIROPEN to sink
    7. Local APPL runner _adopt() handler into composition

    ```
    # arcan_db add_target xeyes BIN /usr/bin/Xarcan -redirect -exec xeyes
    -- server/ctrl/myapp/myappl.lua:
    function myapp()
    end

    function myapp_join(clid)
        launch_target(clid, "xeyes")
    end
    ```
  25. Linking

    • Links are defined per Directory Server
    • config.lua: reference_directory(keyid, cb), link_directory(keyid, cb)
    • Two types: Referential and Unified
    • Contractual - B must permit A linking to it, Revokable
    • Authenticated - Only exists while connection kept alive
    • Small set of links per server - 6 Degrees of Separation

    Event handler for liveness / Logging
  26. Referential

    [Diagram labels: Dir, App, Friend, Friend, App, SomeSrc, Client]

    Client Wants to run @petname/Friend/App

    1. Client: Resolve @petname to [host+keymaterial]
       1. Connects and Authenticates
    2. Client: Requests DIRLIST
       1. Dir: Returns "1.App, 2.Friend"
    3. Client: DIROPEN(2:tunnel)
       1. Dir: Forwards DIROPEN Client.kPub to Friend
          1. Friend [remembers Client.kPub], Returns [Friend.kPub]
       2. Dir: Returns DIROPENED + [Friend.kPub] + Tunnel ID
    4. Client: Authenticates over Tunnel ID, Requests DIRLIST
       1. Friend: Returns "1. App, 2. SomeSrc" Routed through Dir.
    5. Client: Issues download for state+app For ID 1 over Tunnel ID.

    If 2:direct - Dir returns host instead of Tunnel ID and client makes new outbound connection.
  27. Unified

    [Diagram labels: Dir1, App, Dir2, App, C1, C2]

    • Primarily Load Balancing / Redundancy
    • Higher Privilege than referential
    • Link initiator mirrors list, apps and ctrl
    • Forms one big virtual directory
    • Also broadcast domain for discover protocol
    • Implementation is complex
    • Netsplit / Join reminiscent of IRC networks
    • Handover of C1 between Dir 1 to Dir 2
    • Individual Usecase would be LAN homeserver to VPS
    • One reason why keystore petname has sets of hosts
    • arcan-net mypet@ myapp would try hosts based on address / routing
  28. Searching

    • "." Prefix on names reserved for directory servers features
    • current ones: .index, .monitor, .state, .report
    • File transfers are triggered by BCHUNKSTATE event (name, type, namespace)
    • Namespace : 0 for key-private, otherwise matches applid from LIST
    • File upload also has slot for metadata (which can also carry signature)
    • File-download of .index (similar to web convention of 'Index Of /')
    • corresponds to search results
    • File-upload of .index sets filter on subsequent .index requests
    • Flow from controller → [application store | external resolver]
    • External resolver maps to more advanced storage solution
    • e.g. IPFS, bittorrent, SOLID, ...
  29. Developer Story

    • Same tool to host, browse and develop
    • Transfer: arcan-net --push-appl myapp --sign-tag mysig mytag@
    • Controller: arcan-net --push-ctrl myapp --sign-tag mysig mytag@
    • Atomic and Dynamic Updates
    • Clients get DIRLIST updates with new [size, hash] → issues download
    • Active clients snapshot state, swaps in new version, restores state
    • Debugging
    • Client-Side uploads traces/scenegraph on Script Error
    • Dev Flush/collate: arcan-net --get-file [numeric appid] .report - mytag@
    • Symbolic Debugger:
    • controller: arcan-net --get-file [numeric appid] .monitor - mytag@
    • client: (on-demand, opt-in) attach and register frontend as directory source
    • TUI wrapper for both so ctrl+app can be treated as different 'threads'
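
Slide 22's discovery bullet ("Local Broadcast of H[CHG, Known-Kpub]n compare with keystore") and its keystore bullet (petname mapped to a key plus a set of hosts) can be modelled as below. This is an added example, not code from the Arcan project: the beacon layout, the 8-byte challenge, the function names and the sample keys are assumptions, and BLAKE2b from the Python standard library stands in for Blake3.

```python
import hashlib
import hmac
import os

CHG_LEN = 8    # assumed challenge size; the slide does not give one
TAG_LEN = 32   # assumed digest size


def tag(chg, kpub):
    """H(CHG, Kpub); BLAKE2b stands in for the Blake3 named on the slide."""
    return hashlib.blake2b(chg + kpub, digest_size=TAG_LEN).digest()


def make_beacon(known_kpubs, chg=None):
    """Broadcast payload: a fresh challenge followed by one tag per known key."""
    chg = os.urandom(CHG_LEN) if chg is None else chg
    if len(chg) != CHG_LEN:
        raise ValueError("bad challenge length")
    return chg + b"".join(tag(chg, k) for k in known_kpubs)


def match_beacon(beacon, keystore):
    """Return (petname, hosts) for every keystore entry advertised in the beacon."""
    body = beacon[CHG_LEN:]
    if len(body) < TAG_LEN or len(body) % TAG_LEN:
        raise ValueError("malformed beacon")
    chg = beacon[:CHG_LEN]
    tags = [body[i:i + TAG_LEN] for i in range(0, len(body), TAG_LEN)]
    hits = []
    for petname, entry in sorted(keystore.items()):
        want = tag(chg, entry["kpub"])
        # compare_digest avoids a byte-wise early exit on each comparison
        if any(hmac.compare_digest(want, t) for t in tags):
            hits.append((petname, sorted(entry["hosts"])))
    return hits


# Constructed sample: 32-byte placeholder public keys, not real X25519 keys.
ALICE, BOB, CAROL = (bytes([b]) * 32 for b in (0xA1, 0xB2, 0xC3))
KEYSTORE = {
    "laptop": {"kpub": ALICE, "hosts": {"10.0.0.5", "laptop.lan"}},
    "nas": {"kpub": CAROL, "hosts": {"10.0.0.9"}},
}

if __name__ == "__main__":
    beacon = make_beacon([ALICE, BOB])
    print(match_beacon(beacon, KEYSTORE))  # only "laptop" is recognised
```

Because the challenge is fresh per beacon, the tags for the same key differ from one broadcast to the next, so only a listener that already holds the public key can recognise it.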
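
Slide 13 describes the VM binding API as a stack-based protocol decoder: deserialise-command, push typed values while tokens remain, call(), serialise results. The following is an added example modelling that loop in Python, not Arcan's code or its wire format: the token encoding, the type tags and the two entries in BINDINGS are constructed for illustration.

```python
import struct

# Constructed wire format (an assumption, not Arcan's):
#   u8 function id, u8 argc, then argc tokens of [u8 type tag][payload]
#   'n' float64 big-endian | 's' u16 length + UTF-8 | 'b' u8 boolean

def _pull(buf, pos, n):
    if pos + n > len(buf):
        raise ValueError("truncated command")
    return buf[pos:pos + n], pos + n

def decode_token(buf, pos):
    kind, pos = _pull(buf, pos, 1)
    if kind == b"n":
        raw, pos = _pull(buf, pos, 8)
        return struct.unpack(">d", raw)[0], pos
    if kind == b"s":
        raw, pos = _pull(buf, pos, 2)
        raw, pos = _pull(buf, pos, struct.unpack(">H", raw)[0])
        return raw.decode("utf-8"), pos
    if kind == b"b":
        raw, pos = _pull(buf, pos, 1)
        return raw[0] != 0, pos
    raise ValueError("unknown type tag")

def encode_token(value):
    if isinstance(value, bool):          # bool first: it is a subclass of int
        return b"b" + bytes([value])
    if isinstance(value, (int, float)):
        return b"n" + struct.pack(">d", value)
    if isinstance(value, str):
        data = value.encode("utf-8")
        return b"s" + struct.pack(">H", len(data)) + data
    raise TypeError("unsupported result type")

# Hypothetical binding table: function id -> (expected argument types, callable)
BINDINGS = {
    1: ((float, float), lambda w, h: (w * h,)),
    2: ((str, bool), lambda name, shown: (name.upper(), shown)),
}

def run_command(buf):
    if len(buf) < 2 or buf[0] not in BINDINGS:
        raise ValueError("function not exposed")
    types, fn = BINDINGS[buf[0]]
    stack, pos = [], 2
    while len(stack) < buf[1]:           # while(tokens_left) push_[type](value)
        value, pos = decode_token(buf, pos)
        stack.append(value)
    if pos != len(buf) or tuple(type(v) for v in stack) != types:
        raise ValueError("arguments do not match the binding")
    return b"".join(encode_token(r) for r in fn(*stack))  # call() -> serialize

# Constructed sample command: function 1 with arguments (3.0, 4.0)
SAMPLE = bytes([1, 2]) + encode_token(3.0) + encode_token(4.0)
```

Everything the script side can reach is the set of ids in the binding table, and each call is rejected at the decode boundary if the token count, types or length do not match.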