Web applications are becoming increasingly distributed, marked by the emergence of popular AJAX (Asynchronous JavaScript and XML) applications such as Hotmail, Google Maps, Facebook, and many others. A typical multi-tier AJAX application consists of a server component, implemented in Java J2EE or Microsoft .NET, for example, and a client-side component executing in the browser. The resulting application is more performant and responsive, since computation is moved closer to the client, thus avoiding unnecessary network round trips. Unlike a computation performed entirely on the server, however, when a portion of the code is moved to the client, the overall computation can no longer be trusted.
Indeed, a malicious client can easily manipulate data that resides in, and code that runs within, the browser using one of many readily available data tampering or debugging tools. For example, consider a JavaScript-based shopping cart within a typical e-commerce retail site such as Amazon.com that allows the user to add items, adjust their quantities, add coupons, compute the shopping cart totals, and so forth. When run on the client, this application can be compromised in a variety of ways. For instance, coupon validation checks can be dodged, allowing the user to reduce the total. Even simpler, the total computation can be compromised to set the total to an arbitrary, potentially even negative amount.
Due to the possibility of these attacks, almost every action in a typical shopping cart application today requires a round trip to the server, the latency of which can be quite noticeable, especially on mobile or long-distance connections. For non-malicious users, who constitute the majority, this unnecessary precaution leads to a much less responsive user experience. Moreover, the developer of the distributed application is currently responsible for splitting the application in a manner that places all security-sensitive operations on the server. While some language-based approaches have recently been proposed to address this problem, these techniques still require a great deal of developer involvement, making them difficult to use for existing large-scale projects.
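The shopping-cart case above can be made concrete with a server-side check that recomputes the total from its own price and coupon data and compares it with what the browser submitted. This is an added example, not code from the original text; the SKUs, coupon code, limits, and function names are hypothetical, and the sample submissions are constructed.

```javascript
// Server-held data (constructed sample values; all names here are hypothetical).
const PRICES = new Map([["sku-book", 1500], ["sku-pen", 250]]); // cents
const COUPONS = new Map([["SAVE10", { percentOff: 10, minSubtotal: 2000 }]]);

// Recompute the total from server-held data only. Prices, discounts and totals
// in the client message are never used as inputs.
function recomputeTotal(cart) {
  let subtotal = 0;
  for (const { sku, qty } of cart.items) {
    if (!PRICES.has(sku)) throw new Error(`unknown sku: ${sku}`);
    if (!Number.isInteger(qty) || qty < 1 || qty > 100) {
      throw new Error(`invalid quantity for ${sku}`);
    }
    subtotal += PRICES.get(sku) * qty;
  }
  let discount = 0;
  if (cart.coupon != null) {
    const coupon = COUPONS.get(cart.coupon);
    if (!coupon) throw new Error("unknown coupon");
    if (subtotal < coupon.minSubtotal) throw new Error("coupon not applicable");
    discount = Math.floor((subtotal * coupon.percentOff) / 100);
  }
  return subtotal - discount;
}

// Accept the submission only if the client's claimed total matches.
function checkSubmission(cart) {
  try {
    const total = recomputeTotal(cart);
    return total === cart.claimedTotal
      ? { ok: true, total }
      : { ok: false, reason: "total mismatch", total };
  } catch (err) {
    return { ok: false, reason: err.message };
  }
}

// Constructed submissions: one honest, three tampered as described above.
const honest = { items: [{ sku: "sku-book", qty: 2 }], coupon: "SAVE10", claimedTotal: 2700 };
const forgedTotal = { ...honest, claimedTotal: -500 };
const dodgedCoupon = { items: [{ sku: "sku-pen", qty: 1 }], coupon: "SAVE10", claimedTotal: 225 };
const negativeQty = { items: [{ sku: "sku-book", qty: -3 }], coupon: null, claimedTotal: -4500 };

for (const s of [honest, forgedTotal, dodgedCoupon, negativeQty]) {
  console.log(JSON.stringify(checkSubmission(s)));
}
```

The client may still compute and display its own total for responsiveness; only the value recomputed here is used for the charge.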