WebC: toward a portable framework for deploying legacy code in web browsers

For security, most web applications are developed in some type-safe language, such as JavaScriptor Java. However, there is a huge amount of legacy codes developed in unsafe languages, which provide richfunctionality and are more efficient than their type-safe counterparts. To allow browsers to incorporate type-safecomponents in a secure way, previous approaches use the software-based fault isolation (SFI) to isolate untrustedlegacy code. The SFI approach performs machine-code transformation for security, but the downside is the lossof architecture independence. We propose WebC, a system that allows legacy code transmitted over the web viathe Low Level Virtual Machine (LLVM) bitcode format. The untrusted bitcode is transformed by WebC intocode in the WebC security language, which enforces both memory isolation and control-flow integrity. Comparedwith previous approaches, WebC is more portable, provides stronger security, and allows more flexible memorymanagement. Experimental results show that the average runtime overhead of WebC is modest.