Authors: Helen J. Wang, Chris Grier, Alexander Moshchuk, Samuel T. King, Piali Choudhury, and Herman Venter
Date: Microsoft Research whitepaper, 2009
Novel idea: The authors succinctly state that "it is realistic to turn an existing browser into a multi-principal OS that yields significantly stronger security and robustness with acceptable performance." In this case, a principle is defined as <protocol, domain-name, port>.
Main results: The authors' design features a browser kernel, which mediates the principals' access to system resources and enforces security polices. The authors then implemented their design on top of the Windows Vista and Internet Explorer codebases. In doing so, they had to deal with nontrivial issues regarding cross-principal/cross-process display and events protection.
Impact: There may be a market for hardware and software that is to be used exclusively for web applications.
Evidence: The authors tested their implementation with the top 20 Alexa web sites. They also measured page loading latencies, the memory foot print, and responsiveness of their prototype in comparison with IE7 and Google Chrome. They believe their implementation provided acceptable performance.
Prior work: The paper builds on the architectural improvements for browsers that begun with Google Chrome.
Competitive work: Wikipedia compares Gazelle to Chrome as follows: "Rather than the operating system being reduced in role to that of a browser, the browser [is] strengthened using operating system principles."
Reproducibility: The implementation is described well enough on a high level. With a solid engineering team, it should be possible to reproduce the results using alternative kernels and rendering engines. That having been said, few of us have that luxury.
Praise: It's impressive to see Microsoft innovating in the browser space again.
The Multi-Principal OS Construction of the Gazelle Web Browser
Authors
Helen J. Wang, Chris Grier, Alexander Moshchuk, Samuel T. King, Piali
Choudhury, Herman Venter
Date
USENIX Security'09
Novel Idea
Implementing the web browser with a central component that manages the
resource sharing among isolated web sessions.
Main Results
The paper presents Gazelle, a research browser implemented like a
multi-principal OS, managing the resources shared among the processes
in an exclusive and isolated manner (in other words, the managing
logic is located in a single place, and outside the address space of
the managed sessions).
Impact
1- The description and evaluation of a secure architecture for web
browser development. 2- Elucidate (directly or indirectly) the
possible compatibility impact of this (and similar) design structure
on current web pages.
Evidence
The paper first contrasts the security model of Gazelle versus the
security model of some current browser implementations. They discuss
the security advantages of the security model/system architecture
while these two topics are discussed, but they also have another
section in which they make higher-level comments about the issues
involved.
In their evaluation section, they discuss about time to load, required
memory, number of processes created. They also show which actions are
responsible for different partitions of the overhead. They have some
problems, which are discussed on the Questions + Criticism section.
Prior Work + Competitive Work
Primarily, they mention Google Chrome and IE8 as they isolate web
sessions by means of OS processes. However, they clearly mention that
these two browsers are more concerned with fault tolerance than with
credential management (in the sense of proper isolation and access
control).
They mention that OP has a similar architecture, but they argue that
it "does not provide all the cross-principal protection needed [...]",
saying that display management is relied to the processes.
They also talk about Tahoma, but they also argue that it doesn't
correctly isolate the principals (as many sites could share
information).
Another project is mentioned - Building a Secure Web Browser project -
but the authors say that it is not concerned with protecting
cross-section resource sharing (and display sharing, in particular).
Reproducibility
The experiments are reproducible. They are very simple and
straightforward. (Such simplicity is actually discussed in the next
section.)
Questions + Criticism
[Criticism] The evaluation section is actually concerned about
measuring time to load, memory required and number of process
creations. The first two metrics are discussed in the context of two
sites only. The third uses the top 100 from Alexa. I believe that the
first two measures are too restricted on the evaluation, as these
issues are still not clear for me:
[Question] Would the browser respond with more time or memory than
"necessary" depending on any particular web site configuration (number
of embedded components, number of external references, "image-farming"
(as the skyrock.com example for the evaluation of the third metric)?
By the way, what is an image farm?
[Question] Would there be any objective way to evaluate security in
this case except from argumentation? Anyway, the paper evaluate impact
objectively (and have the issues above), and evaluate security by
arguments (which appears reasonable to me).
On Mon, Nov 15, 2010 at 7:48 PM, Rodrigo Fonseca
<rodrigo...@gmail.com> wrote: