WO2008033483A2 - Protecting client-side code - Google Patents

Protecting client-side code Download PDF

Info

Publication number
WO2008033483A2
WO2008033483A2 PCT/US2007/019968 US2007019968W WO2008033483A2 WO 2008033483 A2 WO2008033483 A2 WO 2008033483A2 US 2007019968 W US2007019968 W US 2007019968W WO 2008033483 A2 WO2008033483 A2 WO 2008033483A2
Authority
WO
WIPO (PCT)
Prior art keywords
client
page
code
piece
function
Prior art date
Application number
PCT/US2007/019968
Other languages
French (fr)
Other versions
WO2008033483A3 (en
Inventor
Jeffery Gordon Heithcock
David William Barry
Original Assignee
Emc Corporation
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from US11/521,903 external-priority patent/US20080072069A1/en
Priority claimed from US11/522,194 external-priority patent/US8250178B2/en
Application filed by Emc Corporation filed Critical Emc Corporation
Publication of WO2008033483A2 publication Critical patent/WO2008033483A2/en
Publication of WO2008033483A3 publication Critical patent/WO2008033483A3/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/554Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/51Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability

Definitions

  • a server hosting a web page or application typically has provided to a client machine, most commonly in the clear, all of the code that may be required to be executed at the client depending on how the client is used to interact with the web page and/or application.
  • Current web pages and applications therefore, typically suffer from having a large part of their source code easily exposed at the client-side.
  • web pages may incorporate client-side scripting in their associated HTML files or as include files that can be readily downloaded from an associated server.
  • the source code associated with the implementation of a page or application is typically included in a few files and/or in small pieces inside the associated HTML page and is usually stored on disk at the client-side. The code is often in plain text and is only compiled by an associated browser as needed at the client.
  • the source code associated with the implementation of a page or application is easily decipherable by anyone who has access to the files associated with the code at the client-side.
  • This code is valuable intellectual property that requires the investment of time and money by the creators.
  • One existing method for obfuscating the source code associated with a page or application is to parse through the source code and strip out comments and unneeded white spaces and to covert variable and function names to shortened versions. While this makes it more difficult to decipher, de-parsing the downloaded obfuscated code files to determine the underlying source code is still possible.
  • Figure 1 illustrates an embodiment of a network environment.
  • Figure 2 illustrates an embodiment of a process for receiving an at least initial definition and/or interface of a desired web page or application from a server.
  • Figure 3 illustrates an embodiment of an object graph of a page at a client.
  • Figure 4A illustrates an embodiment of an object graph of a page at a client.
  • Figure 4B represents a transition of object graph 400 of Figure 4A to a state in which stub 404 is replaced by an object 408 associated with Function A.
  • Figure 5 illustrates an embodiment of a process for obtaining code associated with a page.
  • Figure 6 illustrates an embodiment of an object graph of a page at a client.
  • Figure 7 illustrates an embodiment of a process for executing a desired function at a client.
  • Figure 8 illustrates an embodiment of a process for executing a desired function at a client.
  • the invention can be implemented in numerous ways, including as a process, an apparatus, a system, a composition of matter, a computer readable medium such as a computer readable storage medium or a computer network wherein program instructions are sent over optical or electronic communication links.
  • these implementations, or any other form that the invention may take, may be referred to as techniques.
  • a component such as a processor or a memory described as being configured to perform a task includes both a general component that is temporarily configured to perform the task at a given time or a specific component that is manufactured to perform the task.
  • the order of the steps of disclosed processes may be altered within the scope of the invention.
  • Protecting client-side code is disclosed.
  • an initial definition of the page is sent to the client wherein the initial definition comprises a client-side code configured to cause the client to request on an as-needed basis download of a client- executable code associated with the page.
  • a client receives such an initial definition of a requested page from an associated server of the page via a network.
  • the server is sent via the network a request to download the client-executable code.
  • FIG. 1 illustrates an embodiment of a network environment.
  • a client 102 communicates with a server 104 via a network 106.
  • Network 106 corresponds to any public or private network, such as a LAN, WAN, the Internet, etc., and facilitates the communication and interchange of information between client 102 and server 104. It may be desirable at client 102 to access data and/or a software program or application available at server 104. For example, it may be desirable at client 102 to access a web page, web site, or web-based application hosted by server 104.
  • a web page or application hosted by server 104 may be accessed at client 102, for example, by entering an associated URL into a browser, via an associated hyperlink to the desired web page or application, via a dedicated client- side program associated with the desired web page or application, etc.
  • an at least initial definition associated with the desired web page or application such as an associated user interface and/or its associated data, is provided to client 102 by server 104.
  • a web page or application that is hosted by server 104 may at least in part include client-side code, and in such cases the client-side code is provided to requesting client 102 by server 104 for execution at the client-side.
  • Data associated with a desired web page or application may be provided to client 102 by server 104 and/or may at least in part be supplied at the client-side, such as, for example, in the form of user input by a user or process of client 102 or from memory or storage associated with client 102.
  • input data provided at client 102 with respect to a web page or application hosted by server 104 is persisted at server 104 or an associated storage location such as a database based on a data persistency policy associated with server 104 or the particular web page, application, or a session thereof.
  • security measures such as user authentication techniques are employed to ensure that code and/or data is made available by server 104 only to a valid client 102.
  • encryption is employed to secure the interchange of information between client 102 and server 104.
  • Client 102 and server 104 each include appropriate hardware and software components, such as a processor, memory, input/output devices, communications interface, etc.
  • client 102 includes connection logic for connecting to and exchanging information with server 104.
  • Connection logic may be built into a browser at client 102, included in a client-side program running at client 102 that is associated with a desired page or application hosted by server 104, included (e.g., as browser executable code or script) in an initial page definition data provide to the client by the server in response to a request to retrieve a page (e.g., HTTP GET), included in another software program or application running at client 102, etc.
  • a page e.g., HTTP GET
  • connection logic includes logic for requesting and/or receiving client-side code at client 102 from server 104.
  • connection logic associated with the interchange of code and/or data with server 104 is provided to client 102 by server 104 such as, for example, with an initial definition of a requested page or application.
  • client 102 includes a dedicated client-side module that includes the connection logic for connecting to and interchanging information with server 104.
  • the client-side module is included in an ⁇ Vor provided in addition to the page data comprising a requested page.
  • such a client-side module at client 102 corresponds to a process running on a processor associated with client 102.
  • client-side code and/or data is requested and/or received from server 104 as and when needed at client 102 via such a client-side module. For example, if a function associated with a page or application received from server 104 is invoked or attempted to be invoked at client 102 and it is determined at client 102 that the function does not exist at client 102, an associated client-side module may facilitate the acquisition of the code associated with the function from server 104 so that the function can be executed at client 102.
  • client-side scripts that are executed, for example, by a web browser or other appropriate software program or application at the client.
  • client-side code may be implemented using any appropriate programming paradigm, such as procedural programming, object oriented programming, etc., and may be written using any appropriate programming language, such as C, C++, JavaScript, Python, Perl, etc.
  • client-side code may be desirable to perform at the client-side an operation that requires data and/or code available only at the client so that such information does not have to be supplied to an associated server.
  • client-side code refers to code that is provided by an associated server to a client machine and that exists and is executed at the client machine.
  • client-side code refers to code that is provided by an associated server to a client machine and that exists and is executed at the client machine.
  • web pages and/or applications are described in some examples, the techniques described herein may be employed with respect to any code and/or data that is provided from an associated server to be used at a client machine.
  • a page received at a client is described as including a user interface.
  • user interface is not limited to a graphical user interface for interacting with a page or application but more generally refers to any mechanism for interaction by a client with an associated server.
  • Figure 2 illustrates an embodiment of a process for receiving an at least initial definition and/or interface of a desired web page or application from a server.
  • process 200 is employed by a client such as client 102 of Figure 1.
  • Process 200 starts at 202 at which a page is requested.
  • the page requested at 202 may be associated with, for example, a web site or web-based application hosted by a server, such as server 104 of Figure 1.
  • a page may be requested at 202 from a server using any appropriate application, program, or technique at a client.
  • a page may be requested at 202 from a server hosting the page or an associated application by entering an associated URL into a browser, via an associated hyperlink to the desired page, via a dedicated client-side program associated with the desired page, etc.
  • the page received at 204 includes a user interface.
  • Such a user interface may facilitate various functionalities, such as, for example, the ability to input data, select among various options, navigate to other related pages, etc.
  • the initial definition and/or interface of the page received at 204 includes an associated script.
  • the page requested at 202 and received at 204 includes client-side executable code and/or references, stubs, and/or function calls associated with client-side executable code not included in and/or provided with the requested page and/or not necessarily yet available at the client.
  • Client-side code associated with a page such as the page received at
  • 204 of process 200 of Figure 2 can be provided to the client by an associated server in various manners.
  • some or all of the client-side code associated with a page may be provided to the client with the requested page, e.g., at 204 of process 200 of Figure 2.
  • the client-side code is included or embedded in the source code of the page.
  • the client-side code may be included in the HTML file provided in response to a request to retrieve the page (e.g., HTTP GET).
  • the source code of a requested page includes references, function calls, and/or object calls to client-side code defined in one or more separate files.
  • the one or more separate files that define the client-side code may be provided by the associated server, such as, for example, when the file or code associated with the requested page is provided to the requesting client (e.g., at 204 of process 200 of Figure 2), and/or may be made available for download from the associated server.
  • the source code of the HTML page may include references to client- side code defined in or one or more associated script files, and these one or more script files may be provided to the client by the associated server and/or may be made available for download from the associated server.
  • the client- side code received at a client includes class definitions associated with objects referenced in a requested page.
  • Objects associated with the page may be instantiated using such class definitions at the client.
  • the source code associated with the page is parsed to determine if it includes references to any external files, functions, and/or objects. If any such code has not already been provided to or is not available at the client, it is requested or downloaded from the associated server so that a complete or nearly complete definition of the page exists at the client-side.
  • Figure 3 illustrates an embodiment of an object graph of a page at a client.
  • object graph 300 corresponds to the object graph of a page received at 204 of Figure 2.
  • object graph 300 includes an object 302 associated with an initial interface of a page.
  • Object 302 may include, for example, at least some of the definitions, code, and/or data associated with the various widgets that define a user interface associated with the page.
  • object 302 includes references to two external functions, Function A and Function B, that are not defined within object 302. Rather, each of these functions is defined with respect to a separate object. Specifically, Function A is defined by object 304, and Function B is defined by object 306.
  • Function A and Function B are executed at the client-side when invoked. Each of these functions may be invoked, for example, in response to user input or selection of an associated option via the initial interface of the page defined by object 302.
  • the initial interface definition of the desired page ⁇ i.e. object 302) and the client-side code associated with the page (i.e. objects 304 and 306) may all be received together or separately at the client as one or more files.
  • the client-side code associated with the page includes class definitions from which objects 304 and 306 are instantiated at the client-side.
  • a complete or nearly complete definition of a page hosted by a server exists at a client when the page is requested and received by the client.
  • all or most of the client-side code associated with the page exists at the client-side.
  • the entire object graph of a page may be populated at the client-side.
  • the files, code, data, etc., associated with a requested page are saved on disk at the client and may persist within the file system of the client indefinitely.
  • the various components associated with the requested page at the client-side may be readily accessible at the client, for example, by a user or process of the client and in some cases for other than their intended use at the client.
  • the code and/or data associated with a particular page that exist at the client-side may be proprietary, and it may be desirable to protect information related to the implementation of the page from hostile users who might maliciously use such information, for example, for piracy, authoring a similar page or associated application, creating related extension pages or applications, detecting and exploiting vulnerabilities in the page or associated application, etc. It is, therefore, useful to protect the code and/or data associated with the implementation of a page that exists at the client-side by limiting the accessibility of such information at the client.
  • preventing the code and/or data associated with a page from being easily accessed at the client-side is at least in part achieved by providing at least initially by an associated server only a limited definition of a requested page to a client, such as at 204 of process 200 of Figure 2.
  • a shell of the page is provided by the associated server to the client.
  • such a shell includes only a basic interface and very limited functionality.
  • the shell of a page includes an initial user interface associated with the page that facilitates, for example, receiving user input associated with the page, user selection of various options associated with the page, user navigation through content associated with the page or other related pages, etc., at the client.
  • client-side code associated with a page is not included within the shell (e.g., as part of the code associated with the shell or as one or more separate files) and is not directly available for download from an associated server.
  • just enough logic or functionality exists within a shell of a page so that when a particular functionality referenced in the shell is invoked or attempted to be invoked at a client, e.g., when a user selects a corresponding option via the interface associated with the page, the client-side code associated with the functionality is dynamically requested and received by the client from the associated server.
  • client-side code associated with a page is received at the client from an associated server in individual pieces or files as and when needed at the client at runtime.
  • the code and/or data associated with a requested page is not as readily accessible by a user of the client and has a significantly shorter persistence at the client-side.
  • Figure 4A illustrates an embodiment of an object graph of a page at a client.
  • object graph 400 corresponds to the object graph of a page received at 204 of Figure 2.
  • an object graph of a page received at a client corresponds to or is similar to object graph 400 when only a shell of a requested page is at least initially provided to the client by an associated server.
  • Object graph 400 of Figure 4 parallels object graph 300 of Figure 3 with the exception that in object graph 400 client-side code is at least initially represented by stubs. Class definitions and/or objects associated with client-side code are not initially provided to or made available to the client but are dynamically requested and received at the client as and when the associated functionalities are invoked at the client.
  • object graph 400 includes an object 402 associated with an initial interface of the page.
  • Object 402 may include, for example, at least some of the definitions, code, and/or data associated with the various widgets that define a user interface associated with the page.
  • object 402 includes references to two external functions, Function A and Function B, which are not defined within object 402.
  • class definitions and/or objects associated with Function A and Function B do not at least initially exist at the client and, thus, the associated objects do not at least initially appear in object graph 400.
  • stubs serve as place holders for the objects associated with Functions A and B as depicted in object graph 400 of Figure 4A as stub 404 and stub 406, respectively.
  • Figure 4B represents a transition of object graph 400 of Figure 4 A to a state in which stub 404 has been replaced by (and/or augmented and/or completed to create) an object 408 associated with Function A.
  • an instance of object 408 associated with Function A is provided by the server to the client when Function A is invoked or is attempted to be invoked at the client.
  • Function A may be invoked or attempted to be invoked at the client, for example, when a user of the client selects an option associated with the execution of Function A via the user interface associated with object 402.
  • the class definition associated with Function A and/or object 408 is requested by and/or received at the client by a client-side module that includes connection logic associated with communicating with an associated server when code and/or data is needed at the client.
  • the class definition is not provided, and instead just the code comprising an individual instance, e.g., object 408 in the example shown, is provided.
  • object 408 exists only in memory and is not cached or otherwise stored persistently at the client.
  • object 408 is prevented from being cached or otherwise stored persistently at the client at least in part by operation of a connection logic and/or module configured to obtain the object 408 from the server on an as needed basis, as described herein.
  • Figure 5 illustrates an embodiment of a process for obtaining code associated with a page.
  • process 500 is employed by a client such as client 102 of Figure 1.
  • process 500 is employed to obtain from a server client-side code associated with a page obtained from the server.
  • a client-side module and/or connection logic implements the process of Figure 5.
  • the client-side module is downloaded from the server from which a page with which client-side code not include in or with the page when first requested is retrieved.
  • the client-side module is included in the page, sent with the page, or obtained from the server before or after the page is requested.
  • Process 500 starts at 502 at which it is determined whether any new code associated with a page obtained from a server is needed. In some embodiments, it is determined at 502 that new code associated with a page is needed when an indication is received that the associated code is desired to be executed at the client. Such an indication may be received with respect to an associated page, for example, in response to the invocation of a function, selection of an option, input of data, etc., when the associated code does not already exist at the client. In some embodiments, an indication is received at 502 that new code is needed when a request for the code is received from a stub associated with the code.
  • the class definition of the object and/or an instance of the object may be requested by the associated stub.
  • an indication is received at 502 that new code is needed when a function is called, exception is thrown, or other error generated because the associated code is not defined at the client. If it is determined at 502 that new code is needed, the needed code is obtained from an associated server at 504. In some embodiments, a dedicated client-side module at a client facilitates the acquisition of needed code from an associated server.
  • the code obtained from the server at 504 is temporarily stored in memory at the client so that the code is not indefinitely persisted at the client and is not as readily accessible to users or processes of the client other than for its intended purpose.
  • process 500 Upon obtaining the needed code from an associated server at 504 or if it is determined at 502 that no new code is needed, process 500 continues to monitor for indications that new code is needed until it is determined at 506 that the process 500 is done - e.g., if a page with which process 500 is associated is no longer being displayed — after which process 500 ends. Steps 502 and 504 may be repeated multiple times as and when code is needed at the client- side.
  • data associated with the page may be obtained in various manners. For example, data associated with a page may be pushed to the client from an associated server; may be requested by and received at the client from an associated server; may be available a the client-side, for example, via user input by a user or process of the client or from memory or storage associated with the client; etc.
  • process 500 of Figure 5 is employed to obtain not only code but also data for a page from an associated server, for example, as and when the data is needed at the client-side.
  • an initial definition of a page includes stubs in place of code (e.g., client-side code), and the code associated with the stubs is fetched from an associated server when needed at a client machine.
  • a dedicated function can be employed in the initial definition of a page for calling functions associated with client-side code. Invocations of various functions at a client, such as functions associated with client- side code, can be defined with respect to the invocation of such a dedicated function that includes in its arguments the actual function that is desired to be executed. In such cases, the dedicated function facilitates the acquisition of client-side code from an associated server when the associated code is desired to be invoked at the client and executes the code at the client.
  • a scripting language such as JavaScript in which all objects inherit from the global Object class.
  • a global "do" or other semantically equivalent function can be added to the Object class, and the arguments of such a "do" function can include a function descriptor and any other optional parameters associated with the function identified by the function descriptor.
  • the arguments may include a parameter associated with an object or object type with respect to which the "do" function is called so that, for example, a version of the desired function that is appropriate for the object type is obtained and/or executed.
  • the desired function is invoked with respect to the "do" function being invoked with respect to the object (e.g., myObject.do(myFunction, other parameters)).
  • the "do" function when invoked, attempts to call the function passed to it in its parameters directly, and if the function is not present, the function is requested from an associated server.
  • the "do" function may request the function from an associated client-side module that is responsible for connecting to and interchanging information with an associated server as needed at the client.
  • the "do" function Upon receiving the implementation for the desired function from an associated server, the "do" function invokes the function on behalf of the object with respect to which the "do" function was invoked. If the implementation of the desired function is not received by the "do" function, for example, due to server time-out or other error, in some embodiments, the "do" function throws an exception or returns an error. If the implementation of the desired function already exists at the client-side (e.g., from a previous call cached in RAM at the client, because it was part of a stub functionality, etc.), the desired function is called directly by the "do" function and does not have to be obtained from the associated server.
  • the client-side e.g., from a previous call cached in RAM at the client, because it was part of a stub functionality, etc.
  • Figure 6 illustrates an embodiment of an object graph of a page at a client.
  • object graph 600 corresponds to the object graph of a page received at 204 of Figure 2.
  • an object graph of a page received at a client corresponds to or is similar to object graph 600 when "do" or another similar function is employed to call client-side code at a client.
  • Object graph 600 of Figure 6 parallels object graph 300 of Figure 3 and object graph 400 of Figures 4A and 4B with the exception that with respect to object graph 600 client-side code is invoked via "do" functions.
  • object graph 600 includes an object 602 associated with an initial interface of the page.
  • Object 602 may include, for example, at least some of the definitions, code, and/or data associated with the various widgets that define a user interface associated with the page.
  • object 602 includes references to two "do" functions, a "do" function 604 associated with Function A and a "do" function 606 associated with Function B.
  • Function A and Function B are not defined within object 602, and class definitions and/or objects associated with Function A and Function B do not at least initially exist at the client. Rather, invocations of Function A and Function B are defined within object 602 with respect to associated "do" functions, 604 and 606, respectively.
  • the associated "do" function facilitates the acquisition of the needed code (e.g., class definitions, objects, etc.) and/or the execution of the associated code at the client.
  • object 602 includes a single "do" method that is called whenever a specific function (i.e., other than “do") is required to be invoked.
  • a specific function e.g., either Function A or Function B in the example shown in Figure 6
  • the single "do" function looks for the code that implements the method(s) required to perform the specific function and, if the code is not yet present at the client, retrieves the code from the server, thereby extending the object 602 by adding the additional method(s) associated with the invoked specific function.
  • a dedicated function for invoking functions associated with client-side code is not limited to be used with respect to an object or an object-oriented language.
  • a global "do" function may be defined, and a definition of a page may include direct invocations of such a "do" function (e.g., do(my Function, other parameters)) wherever a client-side function is desired to be executed.
  • do(my Function, other parameters) e.g., do(my Function, other parameters
  • Figure 7 illustrates an embodiment of a process for executing a desired function at a client.
  • process 700 is employed by a client such as client 102 of Figure 1.
  • process 700 is associated with the invocation of a "do" function included in a definition of a page that is used to facilitate the execution of a desired function at a client.
  • Process 700 starts at 702 at which a call to a "do" function is received.
  • a call to a "do" function includes as an argument the name of a desired function which the "do" function facilitates invoking at the client.
  • the arguments of such a call to a "do" function include one or more other parameters associated with the desired function that are to be used with the execution of the desired function.
  • the arguments include a parameter associated with an object or object type with respect to which the "do" function is called so that, for example, a version of the desired function that is appropriate for the object type is obtained and/or executed.
  • the code associated with the desired function is obtained from an associated server at 708, and subsequently at 706 the desired function is executed with any associated parameters that were specified at 702 in the call of the "do" function as inputs.
  • a dedicated client-side module at a client facilitates the acquisition of needed code from an associated server at 708.
  • the code obtained from the server at 708 is temporarily stored in memory at the client so that the code is not indefinitely persisted at the client and is not as readily accessible to users or processes of the client other than for its intended purpose.
  • the results are returned at 708, and process 700 ends.
  • Process 700 may be repeated multiple times as and when a "do" function included in the definition of a page is encountered when executing code associated with the page at the client-side. Although process 700 has been described with respect to the "do" function, any other appropriate function may be similarly employed to facilitate the acquisition and/or execution of client-side code at a client.
  • exception handling is employed at a client to indicate a need for code associated with a page and to obtain the needed code from an associated server. In such cases, for example, code associated with a function referenced within the definition of a page is attempted to be invoked at the client. If the function exists at the client, the function is successfully executed.
  • Exception handling can be used with respect to client-side functions or code defined in various manners in the definition of a page.
  • exception handling may be employed with respect to stubs, functions invoked directly (e.g., myFunction(parameters)), functions invoked with respect to objects (e.g., myObject.myFunction(parameters)), functions invoked with respect to a "do" function (e.g., do(myFunction, other parameters)), functions invoked with respect to a "do" function invoked with respect to an object (e.g., myObject.do(myFunction, other parameters)),etc.
  • myFunction e.g., myFunction(parameters)
  • objects e.g., myObject.myFunction(parameters)
  • functions invoked with respect to a "do" function e.g., do(myFunction, other parameters)
  • functions invoked with respect to a "do" function invoked with respect to an object e.g., myObject.do(myFunction, other parameters)
  • exception handling has been described
  • a dedicated "do" or similar global function configured to invoke and optionally and/or as applicable pass arguments and/or other parameters to other functions, such as described above, is not required.
  • the Python script language or another language that enables customized exception handling, is used.
  • Page data initially provided to a client includes code (e.g., Python script) configured to call one or more specific functions, e.g., in response to a user interaction with an initial user interface which interaction invokes or indicates a need to invoke and/or be able to invoke the function.
  • the call to myObject.myFunction(parameters) in this embodiment results in an error/exception, because the underlying method(s) is/are not defined.
  • the client is configured, e.g., using Python, to invoke custom exception handling code, e.g., associated with the page, a connection module with which the page is associated, a custom browser or other software component, etc., which custom exception handling code is configured to obtain from the server dynamically the code associated with the necessary method(s), which is then used to fulfill the original function call.
  • custom exception handling code e.g., associated with the page, a connection module with which the page is associated, a custom browser or other software component, etc.
  • custom exception handling code is configured to obtain from the server dynamically the code associated with the necessary method(s), which is then used to fulfill the original function call.
  • Python or similar custom error/exception handling has been invoked in some embodiments is transparent to the user and/or the code or other process that made the function call.
  • Figure 8 illustrates an embodiment of a process for executing a desired function at a client.
  • process 800 is employed by a client such as client 102 of Figure 1.
  • process 800 includes employing exception handling to obtain from a server client-side code associated with a page executing at a client.
  • Process 800 starts at 802 at which an indication is received that a function has been invoked.
  • a function may be invoked, for example, via a stub associated with the function, via a direct invocation of the function, via an object, via a "do" function, via a "do" function associated with an object, etc. It is determined at 804 whether a definition for the function exists.
  • a definition of a function may exist and be at least temporarily cached at a client, for example, from a previous call to the function. If it is determined at 804 that a definition for the function does not exist, exception handling is performed at 806 to retrieve the needed code from an associated server.
  • the functionality associated with exception handling may be defined in any appropriate manner and may depend on the language in which the definition of a page and/or an associated script is implemented.
  • a dedicated client- side module at a client facilitates the acquisition of needed code from an associated server in response to an exception being thrown at 806.
  • the code obtained from the server at 806 is temporarily stored in memory at the client so that the code is not indefinitely persisted at the client and is not as readily accessible to users or processes of the client other than for its intended purpose.
  • the function is executed and the associated results are returned.
  • Process 800 subsequently ends. Process 800 may be repeated multiple times as and when a function is encountered when executing code associated with a page at the client-side.
  • a basic definition or a shell of a desired page is at least initially provided to a client, and various pieces of associated client-side code and/or data are individually provided as and when needed at the client, resulting in improved obfuscation of the possibly proprietary implementation of the page at the client-side, as has been disclosed herein.
  • code associated with various functionality of a page or an associated application is dynamically obtained at runtime at the client- side when the functionality is desired to be executed and may not be obtained at all if it is never executed at the client-side.
  • the code and/or data associated with the implementation of a page are never available as downloadable files from an associated server. Rather, when needed at the client, the associated files are obtained from the server and temporarily cached in memory at the client, so that they can not be easily accessed at the client other than for their intended use.
  • Other obfuscation techniques may also be employed to protect client-side code and/or data at a client.
  • the code before being sent to the client, the code may be parsed to strip out comments and unneeded white spaces and to convert variable and function names to shortened versions.
  • encryption or other software obfuscation techniques are employed to make the implementation of a page less decipherable at the client-side.
  • DLL Dynamic Linked Library

Abstract

Protecting client-side code is disclosed. In some embodiments, when a request for a page is received via a network from a client, an initial definition of the page is sent to the client wherein the initial definition comprises a client-side code configured to cause the client to request on an as-needed basis download of a client- executable code associated with the page. A client receives such an initial definition of a requested page from an associated server of the page via a network. When an indication that the client-executable code referenced in the initial definition of the page is required to be executed, the server is sent via the network a request to download the client-executable code.

Description

PROTECTING CLIENT-SIDE CODE
BACKGROUND OF THE INVENTION
[0001] To date, a server hosting a web page or application typically has provided to a client machine, most commonly in the clear, all of the code that may be required to be executed at the client depending on how the client is used to interact with the web page and/or application. Current web pages and applications, therefore, typically suffer from having a large part of their source code easily exposed at the client-side. For example, web pages may incorporate client-side scripting in their associated HTML files or as include files that can be readily downloaded from an associated server. The source code associated with the implementation of a page or application is typically included in a few files and/or in small pieces inside the associated HTML page and is usually stored on disk at the client-side. The code is often in plain text and is only compiled by an associated browser as needed at the client. As a result, the source code associated with the implementation of a page or application is easily decipherable by anyone who has access to the files associated with the code at the client-side. This code, however, is valuable intellectual property that requires the investment of time and money by the creators.
[0002] One existing method for obfuscating the source code associated with a page or application is to parse through the source code and strip out comments and unneeded white spaces and to covert variable and function names to shortened versions. While this makes it more difficult to decipher, de-parsing the downloaded obfuscated code files to determine the underlying source code is still possible.
[0003] Therefore, there exists a need for an improved technique to protect client-side code.
BRIEF DESCRIPTION OF THE DRAWINGS [0004] Various embodiments of the invention are disclosed in the following detailed description and the accompanying drawings.
[0005] Figure 1 illustrates an embodiment of a network environment.
[0006] Figure 2 illustrates an embodiment of a process for receiving an at least initial definition and/or interface of a desired web page or application from a server.
[0007] Figure 3 illustrates an embodiment of an object graph of a page at a client.
[0008] Figure 4A illustrates an embodiment of an object graph of a page at a client.
[0009] Figure 4B represents a transition of object graph 400 of Figure 4A to a state in which stub 404 is replaced by an object 408 associated with Function A.
[0010] Figure 5 illustrates an embodiment of a process for obtaining code associated with a page.
[0011] Figure 6 illustrates an embodiment of an object graph of a page at a client.
[0012] Figure 7 illustrates an embodiment of a process for executing a desired function at a client.
[0013] Figure 8 illustrates an embodiment of a process for executing a desired function at a client.
DETAILED DESCRIPTION
[0014] The invention can be implemented in numerous ways, including as a process, an apparatus, a system, a composition of matter, a computer readable medium such as a computer readable storage medium or a computer network wherein program instructions are sent over optical or electronic communication links. In this specification, these implementations, or any other form that the invention may take, may be referred to as techniques. A component such as a processor or a memory described as being configured to perform a task includes both a general component that is temporarily configured to perform the task at a given time or a specific component that is manufactured to perform the task. In general, the order of the steps of disclosed processes may be altered within the scope of the invention.
[0015] A detailed description of one or more embodiments of the invention is provided below along with accompanying figures that illustrate the principles of the invention. The invention is described in connection with such embodiments, but the invention is not limited to any embodiment. The scope of the invention is limited only by the claims and the invention encompasses numerous alternatives, modifications and equivalents. Numerous specific details are set forth in the following description in order to provide a thorough understanding of the invention. These details are provided for the purpose of example and the invention may be practiced according to the claims without some or all of these specific details. For the purpose of clarity, technical material that is known in the technical fields related to the invention has not been described in detail so that the invention is not unnecessarily obscured.
[0016] Protecting client-side code is disclosed. In some embodiments, when a request for a page is received via a network from a client, an initial definition of the page is sent to the client wherein the initial definition comprises a client-side code configured to cause the client to request on an as-needed basis download of a client- executable code associated with the page. A client receives such an initial definition of a requested page from an associated server of the page via a network. When an indication that the client-executable code referenced in the initial definition of the page is required to be executed, the server is sent via the network a request to download the client-executable code.
[0017] Figure 1 illustrates an embodiment of a network environment. In the example shown, a client 102 communicates with a server 104 via a network 106. Network 106 corresponds to any public or private network, such as a LAN, WAN, the Internet, etc., and facilitates the communication and interchange of information between client 102 and server 104. It may be desirable at client 102 to access data and/or a software program or application available at server 104. For example, it may be desirable at client 102 to access a web page, web site, or web-based application hosted by server 104. A web page or application hosted by server 104 may be accessed at client 102, for example, by entering an associated URL into a browser, via an associated hyperlink to the desired web page or application, via a dedicated client- side program associated with the desired web page or application, etc. In response, in some embodiments, an at least initial definition associated with the desired web page or application, such as an associated user interface and/or its associated data, is provided to client 102 by server 104. In some embodiments, a web page or application that is hosted by server 104 may at least in part include client-side code, and in such cases the client-side code is provided to requesting client 102 by server 104 for execution at the client-side.
[0018] Data associated with a desired web page or application may be provided to client 102 by server 104 and/or may at least in part be supplied at the client-side, such as, for example, in the form of user input by a user or process of client 102 or from memory or storage associated with client 102. In some embodiments, input data provided at client 102 with respect to a web page or application hosted by server 104 is persisted at server 104 or an associated storage location such as a database based on a data persistency policy associated with server 104 or the particular web page, application, or a session thereof. In some embodiments, security measures such as user authentication techniques are employed to ensure that code and/or data is made available by server 104 only to a valid client 102. In some embodiments, encryption is employed to secure the interchange of information between client 102 and server 104.
[0019] Client 102 and server 104 each include appropriate hardware and software components, such as a processor, memory, input/output devices, communications interface, etc. In some embodiments, client 102 includes connection logic for connecting to and exchanging information with server 104. Connection logic may be built into a browser at client 102, included in a client-side program running at client 102 that is associated with a desired page or application hosted by server 104, included (e.g., as browser executable code or script) in an initial page definition data provide to the client by the server in response to a request to retrieve a page (e.g., HTTP GET), included in another software program or application running at client 102, etc. In some embodiments, such connection logic includes logic for requesting and/or receiving client-side code at client 102 from server 104. In some embodiments, connection logic associated with the interchange of code and/or data with server 104 is provided to client 102 by server 104 such as, for example, with an initial definition of a requested page or application. In some embodiments, client 102 includes a dedicated client-side module that includes the connection logic for connecting to and interchanging information with server 104. In some embodiments, the client-side module is included in anάVor provided in addition to the page data comprising a requested page. In some embodiments, such a client-side module at client 102 corresponds to a process running on a processor associated with client 102. In some embodiments, client-side code and/or data is requested and/or received from server 104 as and when needed at client 102 via such a client-side module. For example, if a function associated with a page or application received from server 104 is invoked or attempted to be invoked at client 102 and it is determined at client 102 that the function does not exist at client 102, an associated client-side module may facilitate the acquisition of the code associated with the function from server 104 so that the function can be executed at client 102.
[0020] Many web pages, web sites, and web-based applications hosted by a server include client-side scripts that are executed, for example, by a web browser or other appropriate software program or application at the client. Such client-side code may be implemented using any appropriate programming paradigm, such as procedural programming, object oriented programming, etc., and may be written using any appropriate programming language, such as C, C++, JavaScript, Python, Perl, etc. Many motivations exist for the inclusion of client-side code in the definition of a web page or application. For instance, it may be desirable to perform at the client-side an operation that requires data and/or code available only at the client so that such information does not have to be supplied to an associated server. It may be desirable to perform at the client operations that include variable content that depend upon factors such as user input from the client or environmental variables such as the date and time. Although it may be possible to perform an operation at an associated server and to send the results of performing the operation at the server back to the client, it may be desirable to offload certain operations to the client so that the server is not burdened with operations that can be handled by the client. Performing an operation at the client may be quicker than receiving from the server the results of performing the operation at the server, for example, because the server might be busy serving multiple clients, because of network traffic, etc. Furthermore, it may be desirable to perform various operations at the client-side so as to avoid or at least reduce the amount of time, bandwidth, and/or security risks associated with interchanging information between the client and server over a network.
[0021] As used herein, the term "client-side code" refers to code that is provided by an associated server to a client machine and that exists and is executed at the client machine. Although web pages and/or applications are described in some examples, the techniques described herein may be employed with respect to any code and/or data that is provided from an associated server to be used at a client machine. In some examples, a page received at a client is described as including a user interface. As used herein, the term "user interface" is not limited to a graphical user interface for interacting with a page or application but more generally refers to any mechanism for interaction by a client with an associated server.
[0022] Figure 2 illustrates an embodiment of a process for receiving an at least initial definition and/or interface of a desired web page or application from a server. In some embodiments, process 200 is employed by a client such as client 102 of Figure 1. Process 200 starts at 202 at which a page is requested. The page requested at 202 may be associated with, for example, a web site or web-based application hosted by a server, such as server 104 of Figure 1. A page may be requested at 202 from a server using any appropriate application, program, or technique at a client. For example, a page may be requested at 202 from a server hosting the page or an associated application by entering an associated URL into a browser, via an associated hyperlink to the desired page, via a dedicated client-side program associated with the desired page, etc. At 204, at least an initial definition and/or interface of the page requested at 202 is received, and process 200 ends. In some embodiments, the page received at 204 includes a user interface. Such a user interface may facilitate various functionalities, such as, for example, the ability to input data, select among various options, navigate to other related pages, etc. In some embodiments, the initial definition and/or interface of the page received at 204 includes an associated script. In some embodiments, the page requested at 202 and received at 204 includes client-side executable code and/or references, stubs, and/or function calls associated with client-side executable code not included in and/or provided with the requested page and/or not necessarily yet available at the client.
[0023] Client-side code associated with a page, such as the page received at
204 of process 200 of Figure 2, can be provided to the client by an associated server in various manners. For example, some or all of the client-side code associated with a page may be provided to the client with the requested page, e.g., at 204 of process 200 of Figure 2. In some cases, the client-side code is included or embedded in the source code of the page. For instance, if the requested page is an HTML page, the client-side code may be included in the HTML file provided in response to a request to retrieve the page (e.g., HTTP GET). In some cases, the source code of a requested page includes references, function calls, and/or object calls to client-side code defined in one or more separate files. In such cases, the one or more separate files that define the client-side code may be provided by the associated server, such as, for example, when the file or code associated with the requested page is provided to the requesting client (e.g., at 204 of process 200 of Figure 2), and/or may be made available for download from the associated server. For instance, in the aforementioned example of an HTML page, the source code of the HTML page may include references to client- side code defined in or one or more associated script files, and these one or more script files may be provided to the client by the associated server and/or may be made available for download from the associated server. In some embodiments, the client- side code received at a client includes class definitions associated with objects referenced in a requested page. Objects associated with the page may be instantiated using such class definitions at the client. In some cases, when a requested page is received at a client, the source code associated with the page is parsed to determine if it includes references to any external files, functions, and/or objects. If any such code has not already been provided to or is not available at the client, it is requested or downloaded from the associated server so that a complete or nearly complete definition of the page exists at the client-side.
[0024] Figure 3 illustrates an embodiment of an object graph of a page at a client. In some embodiments, object graph 300 corresponds to the object graph of a page received at 204 of Figure 2. In the given example, object graph 300 includes an object 302 associated with an initial interface of a page. Object 302 may include, for example, at least some of the definitions, code, and/or data associated with the various widgets that define a user interface associated with the page. As depicted in object graph 300, object 302 includes references to two external functions, Function A and Function B, that are not defined within object 302. Rather, each of these functions is defined with respect to a separate object. Specifically, Function A is defined by object 304, and Function B is defined by object 306. Function A and Function B are executed at the client-side when invoked. Each of these functions may be invoked, for example, in response to user input or selection of an associated option via the initial interface of the page defined by object 302. The initial interface definition of the desired page {i.e. object 302) and the client-side code associated with the page (i.e. objects 304 and 306) may all be received together or separately at the client as one or more files. In some embodiments, the client-side code associated with the page includes class definitions from which objects 304 and 306 are instantiated at the client-side.
[0025] In some embodiments, a complete or nearly complete definition of a page hosted by a server exists at a client when the page is requested and received by the client. In such cases, all or most of the client-side code associated with the page exists at the client-side. As the example of Figure 3 shows, in such cases, the entire object graph of a page may be populated at the client-side. In some cases, the files, code, data, etc., associated with a requested page are saved on disk at the client and may persist within the file system of the client indefinitely. As a result, the various components associated with the requested page at the client-side may be readily accessible at the client, for example, by a user or process of the client and in some cases for other than their intended use at the client. However, the code and/or data associated with a particular page that exist at the client-side may be proprietary, and it may be desirable to protect information related to the implementation of the page from hostile users who might maliciously use such information, for example, for piracy, authoring a similar page or associated application, creating related extension pages or applications, detecting and exploiting vulnerabilities in the page or associated application, etc. It is, therefore, useful to protect the code and/or data associated with the implementation of a page that exists at the client-side by limiting the accessibility of such information at the client.
[0026] In some embodiments, preventing the code and/or data associated with a page from being easily accessed at the client-side is at least in part achieved by providing at least initially by an associated server only a limited definition of a requested page to a client, such as at 204 of process 200 of Figure 2. In some embodiments, when a page is requested by a client, a shell of the page is provided by the associated server to the client. In some embodiments, such a shell includes only a basic interface and very limited functionality. In some cases, the shell of a page includes an initial user interface associated with the page that facilitates, for example, receiving user input associated with the page, user selection of various options associated with the page, user navigation through content associated with the page or other related pages, etc., at the client. In some embodiments, client-side code associated with a page is not included within the shell (e.g., as part of the code associated with the shell or as one or more separate files) and is not directly available for download from an associated server.
[0027] In some embodiments, just enough logic or functionality exists within a shell of a page so that when a particular functionality referenced in the shell is invoked or attempted to be invoked at a client, e.g., when a user selects a corresponding option via the interface associated with the page, the client-side code associated with the functionality is dynamically requested and received by the client from the associated server. Thus, in some embodiments, instead of maintaining a complete or nearly complete definition of a page at the client-side, client-side code associated with a page is received at the client from an associated server in individual pieces or files as and when needed at the client at runtime. In such cases, if some of the client-side code associated with a page is never invoked at a client, the code is never received at the client from the server. In some embodiments, data associated with a page that is needed from a server is similarly dynamically obtained at runtime when needed at the client. In some embodiments, the shell of the requested page, the associated client-side code that is dynamically received at the client at runtime, and/or any associated data exists only in memory (e.g., RAM) at the client and is not persisted in disk or other persistent storage at the client. Thus, in such cases, the code and/or data associated with a requested page is not as readily accessible by a user of the client and has a significantly shorter persistence at the client-side. Since a complete definition of a page does not exist within a few easily accessible files at the client and all pieces of code defining the page may never be received at the client (e.g., if the associated functionality is never invoked at the client), it is difficult, if not impossible, to reconstruct a complete or nearly complete definition of the page and all associated functionality at the client-side by a user of the client, thus, better protecting the possibly proprietary implementation of the page from malicious users.
[0028] Figure 4A illustrates an embodiment of an object graph of a page at a client. In some embodiments, object graph 400 corresponds to the object graph of a page received at 204 of Figure 2. In some embodiments, an object graph of a page received at a client corresponds to or is similar to object graph 400 when only a shell of a requested page is at least initially provided to the client by an associated server. Object graph 400 of Figure 4 parallels object graph 300 of Figure 3 with the exception that in object graph 400 client-side code is at least initially represented by stubs. Class definitions and/or objects associated with client-side code are not initially provided to or made available to the client but are dynamically requested and received at the client as and when the associated functionalities are invoked at the client. Similar to object graph 300, object graph 400 includes an object 402 associated with an initial interface of the page. Object 402 may include, for example, at least some of the definitions, code, and/or data associated with the various widgets that define a user interface associated with the page. As depicted by object graph 400, object 402 includes references to two external functions, Function A and Function B, which are not defined within object 402. However, unlike the example of Figure 3, class definitions and/or objects associated with Function A and Function B do not at least initially exist at the client and, thus, the associated objects do not at least initially appear in object graph 400. Rather, stubs serve as place holders for the objects associated with Functions A and B as depicted in object graph 400 of Figure 4A as stub 404 and stub 406, respectively.
[0029] Figure 4B represents a transition of object graph 400 of Figure 4 A to a state in which stub 404 has been replaced by (and/or augmented and/or completed to create) an object 408 associated with Function A. In some embodiments, an instance of object 408 associated with Function A is provided by the server to the client when Function A is invoked or is attempted to be invoked at the client. Function A may be invoked or attempted to be invoked at the client, for example, when a user of the client selects an option associated with the execution of Function A via the user interface associated with object 402. In some embodiments, the class definition associated with Function A and/or object 408 is requested by and/or received at the client by a client-side module that includes connection logic associated with communicating with an associated server when code and/or data is needed at the client. In some embodiments, the class definition is not provided, and instead just the code comprising an individual instance, e.g., object 408 in the example shown, is provided. In some embodiments, object 408 exists only in memory and is not cached or otherwise stored persistently at the client. In some embodiments, object 408 is prevented from being cached or otherwise stored persistently at the client at least in part by operation of a connection logic and/or module configured to obtain the object 408 from the server on an as needed basis, as described herein. By storing the object 408 only in memory, the associated code would only be exposed to a highly sophisticate malicious user who had available to him/her and knew how to use a network communication "sniffer" or other tool usable to intercept and decode the network communications used to send the code comprising object 408, for example, from the server to the client. Although not depicted in Figure 4B, if in a similar manner Function B were invoked or attempted to be invoked at the client, code comprising and/or required to generate or complete at the client an object configured to perform Function B would be requested and received from an associated server, and the object graph associated with the received page would include an object for Function B in place of stub 406. However, if Function B were never invoked at the client, the corresponding class definition and/or object in some embodiments would never be requested and/or received at the client, thereby protecting the associated code from unnecessary risk of disclosure, even to a sophisticated malicious user.
[0030] Figure 5 illustrates an embodiment of a process for obtaining code associated with a page. In some embodiments, process 500 is employed by a client such as client 102 of Figure 1. In some embodiments, process 500 is employed to obtain from a server client-side code associated with a page obtained from the server. In some embodiments, a client-side module and/or connection logic implements the process of Figure 5. In some embodiments, the client-side module is downloaded from the server from which a page with which client-side code not include in or with the page when first requested is retrieved. In various embodiments, the client-side module is included in the page, sent with the page, or obtained from the server before or after the page is requested. Process 500 starts at 502 at which it is determined whether any new code associated with a page obtained from a server is needed. In some embodiments, it is determined at 502 that new code associated with a page is needed when an indication is received that the associated code is desired to be executed at the client. Such an indication may be received with respect to an associated page, for example, in response to the invocation of a function, selection of an option, input of data, etc., when the associated code does not already exist at the client. In some embodiments, an indication is received at 502 that new code is needed when a request for the code is received from a stub associated with the code. For example, if the stub is associated with an object and the code associated with the object is desired to be executed at the client, the class definition of the object and/or an instance of the object may be requested by the associated stub. In some embodiments, an indication is received at 502 that new code is needed when a function is called, exception is thrown, or other error generated because the associated code is not defined at the client. If it is determined at 502 that new code is needed, the needed code is obtained from an associated server at 504. In some embodiments, a dedicated client-side module at a client facilitates the acquisition of needed code from an associated server. In some embodiments, the code obtained from the server at 504 is temporarily stored in memory at the client so that the code is not indefinitely persisted at the client and is not as readily accessible to users or processes of the client other than for its intended purpose. Upon obtaining the needed code from an associated server at 504 or if it is determined at 502 that no new code is needed, process 500 continues to monitor for indications that new code is needed until it is determined at 506 that the process 500 is done - e.g., if a page with which process 500 is associated is no longer being displayed — after which process 500 ends. Steps 502 and 504 may be repeated multiple times as and when code is needed at the client- side.
[0031] Regardless of the manner in which code associated with a page is obtained at a client, data associated with the page may be obtained in various manners. For example, data associated with a page may be pushed to the client from an associated server; may be requested by and received at the client from an associated server; may be available a the client-side, for example, via user input by a user or process of the client or from memory or storage associated with the client; etc. In some embodiments, process 500 of Figure 5 is employed to obtain not only code but also data for a page from an associated server, for example, as and when the data is needed at the client-side.
[0032] As described above, in some embodiments, an initial definition of a page includes stubs in place of code (e.g., client-side code), and the code associated with the stubs is fetched from an associated server when needed at a client machine. In addition to and/or instead of stubs, a dedicated function can be employed in the initial definition of a page for calling functions associated with client-side code. Invocations of various functions at a client, such as functions associated with client- side code, can be defined with respect to the invocation of such a dedicated function that includes in its arguments the actual function that is desired to be executed. In such cases, the dedicated function facilitates the acquisition of client-side code from an associated server when the associated code is desired to be invoked at the client and executes the code at the client.
[0033] Consider, for example, a scripting language such as JavaScript in which all objects inherit from the global Object class. In such cases, for example, a global "do" or other semantically equivalent function can be added to the Object class, and the arguments of such a "do" function can include a function descriptor and any other optional parameters associated with the function identified by the function descriptor. In some embodiments, the arguments may include a parameter associated with an object or object type with respect to which the "do" function is called so that, for example, a version of the desired function that is appropriate for the object type is obtained and/or executed. In the cases where a dedicated function such as the "do" function is employed to call other functions, instead of a desired function being invoked with respect to an object (e.g., myObject.myFunction(parameters)), in some embodiments, the desired function is invoked with respect to the "do" function being invoked with respect to the object (e.g., myObject.do(myFunction, other parameters)). In some embodiments, when invoked, the "do" function attempts to call the function passed to it in its parameters directly, and if the function is not present, the function is requested from an associated server. For example, the "do" function may request the function from an associated client-side module that is responsible for connecting to and interchanging information with an associated server as needed at the client. Upon receiving the implementation for the desired function from an associated server, the "do" function invokes the function on behalf of the object with respect to which the "do" function was invoked. If the implementation of the desired function is not received by the "do" function, for example, due to server time-out or other error, in some embodiments, the "do" function throws an exception or returns an error. If the implementation of the desired function already exists at the client-side (e.g., from a previous call cached in RAM at the client, because it was part of a stub functionality, etc.), the desired function is called directly by the "do" function and does not have to be obtained from the associated server.
[0034] Figure 6 illustrates an embodiment of an object graph of a page at a client. In some embodiments, object graph 600 corresponds to the object graph of a page received at 204 of Figure 2. In some embodiments, an object graph of a page received at a client corresponds to or is similar to object graph 600 when "do" or another similar function is employed to call client-side code at a client. Object graph 600 of Figure 6 parallels object graph 300 of Figure 3 and object graph 400 of Figures 4A and 4B with the exception that with respect to object graph 600 client-side code is invoked via "do" functions. Class definitions and/or objects associated with client- side code are not initially provided to or made available to the client but are requested and received via the "do" function as and when the associated functionalities are invoked at the client. Similar to object graphs 300 and 400, object graph 600 includes an object 602 associated with an initial interface of the page. Object 602 may include, for example, at least some of the definitions, code, and/or data associated with the various widgets that define a user interface associated with the page. As depicted by object graph 600, object 602 includes references to two "do" functions, a "do" function 604 associated with Function A and a "do" function 606 associated with Function B. Function A and Function B are not defined within object 602, and class definitions and/or objects associated with Function A and Function B do not at least initially exist at the client. Rather, invocations of Function A and Function B are defined within object 602 with respect to associated "do" functions, 604 and 606, respectively. When the functionality associated with Function A or Function B is desired to be executed at the client, the associated "do" function facilitates the acquisition of the needed code (e.g., class definitions, objects, etc.) and/or the execution of the associated code at the client.
[0035] In some embodiments, object 602 includes a single "do" method that is called whenever a specific function (i.e., other than "do") is required to be invoked. When a specific function (e.g., either Function A or Function B in the example shown in Figure 6) is invoked, the single "do" function looks for the code that implements the method(s) required to perform the specific function and, if the code is not yet present at the client, retrieves the code from the server, thereby extending the object 602 by adding the additional method(s) associated with the invoked specific function.
[0036] A dedicated function for invoking functions associated with client-side code, such as the "do" function described above, is not limited to be used with respect to an object or an object-oriented language. For example, a global "do" function may be defined, and a definition of a page may include direct invocations of such a "do" function (e.g., do(my Function, other parameters)) wherever a client-side function is desired to be executed. Although the given examples has been described with respect to the "do" function, similar techniques can be employed with a semantically equivalent function in any appropriate programming language.
[0037] Figure 7 illustrates an embodiment of a process for executing a desired function at a client. In some embodiments, process 700 is employed by a client such as client 102 of Figure 1. In some embodiments, process 700 is associated with the invocation of a "do" function included in a definition of a page that is used to facilitate the execution of a desired function at a client. Process 700 starts at 702 at which a call to a "do" function is received. In some embodiments, a call to a "do" function includes as an argument the name of a desired function which the "do" function facilitates invoking at the client. In some embodiments, the arguments of such a call to a "do" function include one or more other parameters associated with the desired function that are to be used with the execution of the desired function. In some embodiments, the arguments include a parameter associated with an object or object type with respect to which the "do" function is called so that, for example, a version of the desired function that is appropriate for the object type is obtained and/or executed. At 704, it is determined whether the code associated with the desired function with respect to which the "do" function was invoked at 702 already exists at the client. If it is determined at 704 that the code associated with the desired function exists at the client, at 706 the desired function is executed with any associated parameters that were specified at 702 in the call of the "do" function as inputs. If it is determined at 704 that the code associated with the desired function does not exist at the client, the code associated with the desired function is obtained from an associated server at 708, and subsequently at 706 the desired function is executed with any associated parameters that were specified at 702 in the call of the "do" function as inputs. In some embodiments, a dedicated client-side module at a client facilitates the acquisition of needed code from an associated server at 708. In some embodiments, the code obtained from the server at 708 is temporarily stored in memory at the client so that the code is not indefinitely persisted at the client and is not as readily accessible to users or processes of the client other than for its intended purpose. Upon execution of the desired function at 706, the results are returned at 708, and process 700 ends. Process 700 may be repeated multiple times as and when a "do" function included in the definition of a page is encountered when executing code associated with the page at the client-side. Although process 700 has been described with respect to the "do" function, any other appropriate function may be similarly employed to facilitate the acquisition and/or execution of client-side code at a client. [0038] In some embodiments, exception handling is employed at a client to indicate a need for code associated with a page and to obtain the needed code from an associated server. In such cases, for example, code associated with a function referenced within the definition of a page is attempted to be invoked at the client. If the function exists at the client, the function is successfully executed. However, if the function is undefined at the client, an exception is thrown by an exception handler, indicating a need to obtain the code from an associated server. Exception handling can be used with respect to client-side functions or code defined in various manners in the definition of a page. For example, exception handling may be employed with respect to stubs, functions invoked directly (e.g., myFunction(parameters)), functions invoked with respect to objects (e.g., myObject.myFunction(parameters)), functions invoked with respect to a "do" function (e.g., do(myFunction, other parameters)), functions invoked with respect to a "do" function invoked with respect to an object (e.g., myObject.do(myFunction, other parameters)),etc. Although exception handling has been described in the given example, the techniques described herein may be similarly employed with any other appropriate error generating mechanisms.
[0039] In some embodiments, a dedicated "do" or similar global function configured to invoke and optionally and/or as applicable pass arguments and/or other parameters to other functions, such as described above, is not required. In some embodiments, the Python script language, or another language that enables customized exception handling, is used. Page data initially provided to a client includes code (e.g., Python script) configured to call one or more specific functions, e.g., in response to a user interaction with an initial user interface which interaction invokes or indicates a need to invoke and/or be able to invoke the function. The call to myObject.myFunction(parameters) in this embodiment results in an error/exception, because the underlying method(s) is/are not defined. The client is configured, e.g., using Python, to invoke custom exception handling code, e.g., associated with the page, a connection module with which the page is associated, a custom browser or other software component, etc., which custom exception handling code is configured to obtain from the server dynamically the code associated with the necessary method(s), which is then used to fulfill the original function call. The fact that Python or similar custom error/exception handling has been invoked in some embodiments is transparent to the user and/or the code or other process that made the function call.
[0040] Figure 8 illustrates an embodiment of a process for executing a desired function at a client. In some embodiments, process 800 is employed by a client such as client 102 of Figure 1. In some embodiments, process 800 includes employing exception handling to obtain from a server client-side code associated with a page executing at a client. Process 800 starts at 802 at which an indication is received that a function has been invoked. A function may be invoked, for example, via a stub associated with the function, via a direct invocation of the function, via an object, via a "do" function, via a "do" function associated with an object, etc. It is determined at 804 whether a definition for the function exists. A definition of a function may exist and be at least temporarily cached at a client, for example, from a previous call to the function. If it is determined at 804 that a definition for the function does not exist, exception handling is performed at 806 to retrieve the needed code from an associated server. The functionality associated with exception handling may be defined in any appropriate manner and may depend on the language in which the definition of a page and/or an associated script is implemented. In some embodiments, a dedicated client- side module at a client facilitates the acquisition of needed code from an associated server in response to an exception being thrown at 806. In some embodiments, the code obtained from the server at 806 is temporarily stored in memory at the client so that the code is not indefinitely persisted at the client and is not as readily accessible to users or processes of the client other than for its intended purpose. Upon retrieving the needed code from an associated server at 806 or if it is determined at 804 that a definition for the function does exist, at 808 the function is executed and the associated results are returned. Process 800 subsequently ends. Process 800 may be repeated multiple times as and when a function is encountered when executing code associated with a page at the client-side.
[0041] Instead of making the implementation of a page vulnerable to unauthorized use at the client-side by providing client-side code and/or data in a single or a few files that can be easily accessed at the client, in some embodiments only a basic definition or a shell of a desired page is at least initially provided to a client, and various pieces of associated client-side code and/or data are individually provided as and when needed at the client, resulting in improved obfuscation of the possibly proprietary implementation of the page at the client-side, as has been disclosed herein. In some embodiments, code associated with various functionality of a page or an associated application is dynamically obtained at runtime at the client- side when the functionality is desired to be executed and may not be obtained at all if it is never executed at the client-side. In some embodiments, the code and/or data associated with the implementation of a page are never available as downloadable files from an associated server. Rather, when needed at the client, the associated files are obtained from the server and temporarily cached in memory at the client, so that they can not be easily accessed at the client other than for their intended use. Other obfuscation techniques may also be employed to protect client-side code and/or data at a client. For example, before being sent to the client, the code may be parsed to strip out comments and unneeded white spaces and to convert variable and function names to shortened versions. In some cases, encryption or other software obfuscation techniques are employed to make the implementation of a page less decipherable at the client-side. Although the protection of a possibly proprietary implementation of a page serves as one motivation for the techniques described herein, other advantages exist for dynamically providing client-side code as needed to a client. For example, such techniques allow the meshing of code associated with different Dynamic Linked Library (DLL) versions at a client since the implementation of a function associated with any DLL version can be provided to a client. Thus, as described herein, it is useful to dynamically extend to the client from an associated server code and/or data as and when needed for execution at the client-side.
[0042] Although the foregoing embodiments have been described in some detail for purposes of clarity of understanding, the invention is not limited to the details provided. There are many alternative ways of implementing the invention. The disclosed embodiments are illustrative and not restrictive.
[0043] WHAT IS CLAIMED IS :

Claims

1. A method for protecting code associated with a page, comprising: receiving from a client via a network a request for a page; sending to the client an initial definition of the page, the initial definition comprising a client-side code configured to cause the client to request on an as- needed basis download of a client-executable code associated with the page.
2. A method as recited in claim 1, wherein the client-side code comprises a client-side module configured to request download of the client-executable code.
3. A method as recited in claim 2, wherein the client-side module is configured to request download of the client-executable code in response to receiving an indication that the client-executable code is required to be executed at the client.
4. A method as recited in claim 3, wherein the indication is received in response to one or more of the following: a user input, a user input associated with the initial definition of the page, an indication that a user has selected an option associated with the initial definition of the page, and an indication that a user has or desires to navigate from the page to another page.
5. A method as recited in claim 3, wherein the indication comprises one or more of the following: an indication from a stub associated with the client-executable code, an indication from a function associated with the client-executable code, an indication from an object with respect to which the client-executable code is desired to be executed, an indication from a dedicated function associated with facilitating the execution of the client-executable code, an exception thrown due to the client- executable code being undefined at the client, and an error generated due to the client- executable code being undefined at the client.
6. A method as recited in claim 1, wherein the client-side code comprises a stub in the place of the client-executable code.
7. A method as recited in claim 6, wherein the initial definition of the page further comprises a client-side module configured to use the stub to retrieve the client- executable code.
8. A method as recited in claim 6, wherein a browser used by the client to request the page comprises a module configured to use the stub to retrieve the client- executable code.
9. A method as recited in claim 1, wherein the client-side code is configured to cause the client to request download of the client-executable code after determining that the client-executable code does not already exist at the client.
10. A method as recited in claim 1, wherein the initial definition of the page is saved to a disk or other persistent storage at the client.
11. A method as recited in claim 1, wherein the client-executable code, if downloaded, is saved in memory at the client.
12. A method as recited in claim 1, wherein the client-executable code, if downloaded, is not saved to a disk or other persistent storage at the client.
13. A method for obtaining code associated with a page, comprising: receiving from a server via a network an initial definition of the page, the initial definition comprising a client-side code configured to cause download of a client-executable code associated with the page to be requested on an as-needed basis; receiving an indication that the client-executable code referenced in the initial definition of the page is required to be executed; and sending to the server via the network a request to download the client- executable code.
14. A system for protecting code associated with a page, comprising: a processor configured to: receive from a client via a network a request for a page; and send to the client an initial definition of the page, the initial definition comprising a client-side code configured to cause the client to request on an as-needed basis download of a client-executable code associated with the page; and a memory coupled to the processor and configured to provide instructions to the processor.
15. A system as recited in claim 14, wherein the client-side code comprises a client-side module configured to request download of the client-executable code.
16. A system as recited in claim 15, wherein the client-side module is configured to request download of the client-executable code in response to receiving an indication that the client-executable code is required to be executed at the client.
17. A computer program product for protecting code associated with a page, the computer program product being embodied in a computer readable medium and comprising computer instructions for: receiving from a client via a network a request for a page; sending to the client an initial definition of the page, the initial definition comprising a client-side code configured to cause the client to request on an as- needed basis download of a client-executable code associated with the page.
18. A method for protecting client-side code associated with a page, comprising: receiving from a client a request for the page; and providing to the client an initial definition associated with the page, the initial definition including a reference to a piece of client-side code not included in the initial definition and a code retrieval logic which, when executed at the client, results in the piece of client-side code being obtained dynamically from an associated server at runtime when the piece of client-side code is desired to be executed at the client.
19. A method as recited in claim 18, wherein the code retrieval logic includes invoking a dedicated function associated with obtaining from the server one or more pieces of client-side code associated with the page.
20. A method as recited in claim 19, wherein the dedicated function comprises a global function used to obtain any client-side code including the piece of client-side code.
21. A method as recited in claim 19, wherein the dedicated function is invoked with respect to an object with respect to which the piece of client-side code is desired to be executed.
22. A method as recited in claim 19, wherein the dedicated function includes one or more of the following arguments: an identifier associated with the piece of client- side code, an object type with respect to which the dedicated function is invoked, and one or more input parameters associated with the piece of client-side code.
23. A method as recited in claim 19, wherein the dedicated function obtains the piece of client-side code from (1) memory or storage at the client if the piece of client-side code already exists at the client, or (2) from the server if the piece of client-side code does not already exist at the client.
24. A method as recited in claim 19, wherein the dedicated function comprises a "do function" in JavaScript.
25. A method as recited in claim 18, wherein the code retrieval logic includes a call to a function or method with which the piece of client-side code is associated, such that an error is generated when the function or method is called and the associated piece of client-side code is determined to not be available.
26. A method as recited in claim 25, wherein the piece of client-side code is obtained from the server in response to the generation of the error.
27. A method for protecting client-side code associated with a page, comprising: receiving a definition of the page which definition includes a reference to a piece of client-side code not included in the definition and logic configured to retrieve the piece of client-side code from an associated server at runtime when the piece of client-side code is desired to be executed; receiving an indication that the piece of client-side code is desired to be executed; and executing the logic to obtain the piece of client-side code dynamically from the associated server.
28. A system for protecting client-side code associated with a page, comprising: a processor associated with a server and configured to: receive from a client a request for the page; and provide to the client an initial definition associated with the page, the initial definition including a reference to a piece of client-side code not included in the initial definition and a code retrieval logic which, when executed at the client, results in the piece of client-side code being obtained dynamically from the associated server at runtime when the piece of client- side code is desired to be executed at the client; and a memory coupled to the processor and configured to provide instructions to the processor.
29. A computer program product for protecting client-side code associated with a page, the computer program product being embodied in a computer readable medium and comprising computer instructions for: receiving from a client a request for the page; and providing to the client an initial definition associated with the page, the initial definition including a reference to a piece of client-side code not included in the initial definition and a code retrieval logic which, when executed at the client, results in the piece of client-side code being obtained dynamically from an associated server at runtime when the piece of client-side code is desired to be executed at the client.
PCT/US2007/019968 2006-09-15 2007-09-14 Protecting client-side code WO2008033483A2 (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US11/521,903 US20080072069A1 (en) 2006-09-15 2006-09-15 Protecting client-side code
US11/521,903 2006-09-15
US11/522,194 US8250178B2 (en) 2006-09-15 2006-09-15 Protecting client-side code
US11/522,194 2006-09-15

Publications (2)

Publication Number Publication Date
WO2008033483A2 true WO2008033483A2 (en) 2008-03-20
WO2008033483A3 WO2008033483A3 (en) 2008-05-08

Family

ID=39184363

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2007/019968 WO2008033483A2 (en) 2006-09-15 2007-09-14 Protecting client-side code

Country Status (1)

Country Link
WO (1) WO2008033483A2 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102830956A (en) * 2011-06-14 2012-12-19 上海博泰悦臻电子设备制造有限公司 Vehicle system and demand processing device thereof
WO2014071771A1 (en) * 2012-11-07 2014-05-15 广州市动景计算机科技有限公司 Method and system for expanding webapp application function

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030217197A1 (en) * 2002-05-14 2003-11-20 Microsoft Corporation Preparation for software on demand system
US6675230B1 (en) * 2000-08-22 2004-01-06 International Business Machines Corporation Method, system, and program for embedding a user interface object in another user interface object
US20050108647A1 (en) * 2003-02-28 2005-05-19 Scott Musson Method for providing a graphical user interface
US20060136552A1 (en) * 2004-12-16 2006-06-22 Rolf Krane Client-server data communication

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6675230B1 (en) * 2000-08-22 2004-01-06 International Business Machines Corporation Method, system, and program for embedding a user interface object in another user interface object
US20030217197A1 (en) * 2002-05-14 2003-11-20 Microsoft Corporation Preparation for software on demand system
US20050108647A1 (en) * 2003-02-28 2005-05-19 Scott Musson Method for providing a graphical user interface
US20060136552A1 (en) * 2004-12-16 2006-06-22 Rolf Krane Client-server data communication

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102830956A (en) * 2011-06-14 2012-12-19 上海博泰悦臻电子设备制造有限公司 Vehicle system and demand processing device thereof
WO2014071771A1 (en) * 2012-11-07 2014-05-15 广州市动景计算机科技有限公司 Method and system for expanding webapp application function

Also Published As

Publication number Publication date
WO2008033483A3 (en) 2008-05-08

Similar Documents

Publication Publication Date Title
US7620934B2 (en) System and method for a Web service definition
EP2976709B1 (en) Systems and methods for intercepting, processing, and protecting user data through web application pattern detection
US7617480B2 (en) System and method for a Web service virtual interface
EP2798494B1 (en) Virtual channel for embedded process communication
US7487513B1 (en) Web service archive
US8082508B2 (en) Method and system for obtaining and modifying portlets via an application programming interface
US7694140B1 (en) Web service client extensions
US6996833B1 (en) Protocol agnostic request response pattern
Zheng et al. Ethereum smart contract development in solidity
US7822826B1 (en) Deployment of a web service
WO2013142947A1 (en) Secured execution of a web application
US8250178B2 (en) Protecting client-side code
US8290152B2 (en) Management system for web service developer keys
US8656501B2 (en) Method and device for selectively protecting one of a plurality of methods of a class of an application written in an object-orientated language
US7500227B1 (en) Process and system for intercepting a .NET method at runtime
WO2016036972A1 (en) Object-oriented programming system and library
US20080072069A1 (en) Protecting client-side code
US7472399B2 (en) Method and system for a client invoking on an interface defined in a first notation to invoke an object having an interface defined in a second notation
WO2008033483A2 (en) Protecting client-side code
Guo et al. Compoweb: a component-oriented web architecture
Wei et al. A secure information flow architecture for web service platforms
US7783717B1 (en) System and method for a web service client framework
Gallingani Static detection and automatic exploitation of intent message vulnerabilities in Android applications
AU2006291366B2 (en) Server-side service framework
Bishop Improvements of User's Security and Privacy in a Web Browser

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 07838207

Country of ref document: EP

Kind code of ref document: A2

NENP Non-entry into the national phase in:

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 07838207

Country of ref document: EP

Kind code of ref document: A2