On the Design of a Web Browser: Lessons learned from Operating Systems
Kapil Singh and Wenke Lee
Georgia Institute of Technology
Web 2.0 Security and Privacy – 2008
Slide 2: Motivation
The browser has evolved from rendering static web pages to hosting a wide variety of applications.
Browser size has grown, and it is running much more application code.
It is effectively building up into a mini-OS.
… so why not think of browser design based on known OS designs?
Slide 3: What do we have today?
All browser components run in one isolation boundary: minimum or no isolation among components.
Problem of plug-ins:
increased code size (a source of increasing browser vulnerabilities)
bad maintainability
lack of flexibility (not much freedom to customize your browser)
Slide 4: … Have we already seen these issues somewhere?
Monolithic kernel design suffers from similar limitations!
Can we do something better? Micro-kernel, Exokernel, SpinOS…
Can the lessons from OS be applied to browser design?
Slide 5: Design Principles
Isolation between browser components
Integrity of communication channels
Separation between policy and mechanism
Customization and flexibility
Slide 6: Browser Design
Goal: To leverage known OS designs to develop a secure and flexible web browser.
Utilize the μ-kernel OS design [Liedtke95]: a layered architecture with a “kernel” mode and a “user” mode.
The β-kernel provides complete mediation.
All applications run on the layer on top of the β-kernel.
Slide 7: Browser from an OS view
(Figure: a μ-kernel based OS shown side by side with the β-kernel based browser.)
Slide 8: β-kernel: primitives
Address space
Communication between browser components
Identity of browser components
Slide 9: β-kernel primitives: Address Space
Enable isolation and customized access control.
The memory management module owns the complete address space at browser startup.
Grant, Map and Flush operations.
Applicable to the browser cache and file system.
Slide 10: Example: Same Origin Policy
(Figure: X.com sends RequestAccess for region X; the Memory Management and Access Control modules answer with grantRequest and the β-kernel performs the map; Y.com's Access request for X is mediated by the same β-kernel.)
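To make the Grant/Map/Flush primitives and the policy/mechanism split concrete, here is an added toy model (example code, not from the paper): the β-kernel is the fixed mechanism that mediates every operation, the same-origin rule is a pluggable policy, and the memory-management module owns every region at startup. Component ids, region names and the audit log are assumptions of this example.

```python
from dataclasses import dataclass, field

MEMORY_MANAGER = "memory-management"   # hypothetical id of the memory-management module

@dataclass
class Region:
    name: str
    owner: str = MEMORY_MANAGER          # memory manager owns everything at startup
    mapped_into: set = field(default_factory=set)

def origin_of(component: str) -> str:
    # component ids are "origin/instance" (constructed convention); policy compares origins
    return component.split("/", 1)[0]

def same_origin_policy(requester: str, owner: str) -> bool:
    """Policy: a region may be mapped only by components of the owner's origin."""
    return origin_of(requester) == origin_of(owner)

class BetaKernel:
    """Mechanism: every grant/map/flush passes through here (complete mediation)."""
    def __init__(self, region_names, policy=same_origin_policy):
        self.policy = policy                      # swappable without touching the kernel
        self.regions = {n: Region(n) for n in region_names}
        self.audit = []                           # every mediated decision, for review

    def _decide(self, op, requester, region, allowed):
        self.audit.append((op, requester, region, allowed))
        return allowed

    def grant(self, region, to_component):
        """Grant: transfer ownership; only a region still held by the memory manager."""
        r = self.regions[region]
        allowed = r.owner == MEMORY_MANAGER
        if allowed:
            r.owner = to_component
        return self._decide("grant", to_component, region, allowed)

    def map(self, requester, region):
        """Map: share the owner's region with requester if the policy permits it."""
        r = self.regions[region]
        allowed = self.policy(requester, r.owner)
        if allowed:
            r.mapped_into.add(requester)
        return self._decide("map", requester, region, allowed)

    def flush(self, region):
        """Flush: drop all mappings and return the region to the memory manager."""
        r = self.regions[region]
        r.mapped_into.clear()
        r.owner = MEMORY_MANAGER
        return self._decide("flush", MEMORY_MANAGER, region, True)
```

Swapping `same_origin_policy` for another function changes who may map a region without changing the kernel, which is the separation of policy and mechanism the slides call for.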
Slide 11: Design Directions
Single-process browser: better performance and memory management.
Intra-address-space isolation [Ford08, Chiueh99]: Vx32 provides a lightweight sandbox for guest code in the host address space, and can control the system calls made by the guest code.
Slide 12: Single process: Performance (?)
(Figure: a multi-process layout with each W running directly on the OS kernel mode, beside a single-process layout where the Ws run on the β-kernel, which in turn runs on the OS kernel mode.)
Slide 13: Tackling browser extensions
The browser design allows the flexibility to develop your own memory management, access control, etc. on top of the kernel.
Installation of new extensions is mediated by the β-kernel.
Communication interfaces are verified according to the user policies.
Execution verification and isolation: intra-process sandboxing.
Slide 14: Conclusions
Presented a new browser design based on the lessons from μ-kernel design.
The design shows potential; feasibility depends on performance and usability.
An attempt to bridge the gap between OS designs and browser designs. It might be useful to utilize other experiences from the OS field.