WebC： toward a portable framework for deploying legacy code in web browsers

For security, most web applications are developed in some type-safe language, such as JavaScript or Java. However, there is a huge amount of legacy codes developed in unsafe languages, which provide rich functionality and are more efficient than their type-safe counterparts. To allow browsers to incorporate type-safe components in a secure way, previous approaches use the software-based fault isolation （SFI） to isolate untrusted legacy code. The SFI approach performs machine-code transformation for security, but the downside is the loss of architecture independence. We propose WebC, a system that allows legacy code transmitted over the web via the Low Level Virtual Machine （LLVM） bitcode format. The untrusted bitcode is transformed by WebC into code in the WebC security language, which enforces both memory isolation and control-flow integrity. Compared with previous approaches, WebC is more portable, provides stronger security, and allows more flexible memory management. Experimental results show that the average runtime overhead of WebC is modest.