Research

Web Browser Research

PhD Dissertation

Web Browsers as Operating Systems: Supporting Robust and Secure Web Programs

Modern web browsers have evolved from simple document renderers to complex runtime environments for many types of web content. This makes them analogous to operating systems in many ways. My current research takes advantage of this analogy, using ideas from operating systems to improve the security and robustness of web browsers.

I am studying how to address several current threats on the web, including browser vulnerabilities, cross-site scripting, cross-site request forgeries, and resource contention between web sites. I have proposed a set of architectural principles to better support running web programs within the browser:

  • Web programs and program instances must have clear boundaries on the network and within the web browser.
  • It must be easy to specify which code is authorized to run in a web program, and to impose limitations on this code.
  • Instances of programs must be isolated in the browser, to prevent interference between them.
  • The behavior of program instances must be governed by uniform browser-level policies, independent of content types and browser extensions.

Publications Overview

  • Site Isolation: Process Separation for Web Sites within the Browser
    USENIX Security, 2019.
    This paper describes the challenges we overcame to launch Site Isolation in Chrome, to help defend web sites against Spectre attacks and compromised renderer processes.  This work included performance and compatibility challenges to make it practical, as well as over 400,000 lines of code to update Chrome's architecture and feature set.

  • App Isolation: Get the Security of Multiple Browsers with Just One
    CCS, 2011.
    This paper crystallizes the security benefits of using separate browsers for different sites, and it shows how to achieve those benefits on an opt-in basis in a single web browser.

    Browser Security: Lessons from Google Chrome
    ACM Queue, 2009.
    This article describes how the Google Chrome team addressed security for web browsers in several ways, including limiting the severity of vulnerabilities, the window of vulnerability, and the frequency with which users are exposed to dangerous content.

  • Isolating Web Programs in Modern Browser Architectures
    Eurosys, 2009.
    This paper introduces abstractions that allow web browsers to identify and isolate "web programs" from each other, without breaking existing content. The browser can then put each web program instance in its own OS process to prevent interference between them. We have helped add support for our abstractions to Google Chrome, and we evaluate how its multi-process architecture improves robustness and performance.

  • Detecting In-Flight Page Changes with Web Tripwires
    NSDI, 2008.
    This measurement study shows that many users receive web pages that have been altered between the server and the browser, often with unwanted or dangerous consequences. The paper also shows how these changes can be detected with simple JavaScript code. We have a summary report available online, which also contains links to our web tripwire toolkit and service. Our work is referenced on the recently announced Measurement Lab.

  • Architectural Principles for Safe Web Programs
    HotNets, 2007.
    This paper shows how current web security threats are symptoms of four fundamental problems in the ways web programs are defined and web browsers are built. It proposes architectural principles for addressing these problems.

  • BrowserShield: Vulnerability-Driven Filtering of Dynamic HTML
    ACM Transactions on the Web, 2007.
    This journal paper extends our OSDI paper on BrowserShield, providing more detail on the framework's policies and applications.

  • BrowserShield: Vulnerability-Driven Filtering of Dynamic HTML
    OSDI, 2006.
    This paper describes how JavaScript rewriting can be used to enforce policies on the behavior of web pages, such as preventing exploits of known browser vulnerabilities. BrowserShield has since influenced the development of Web Sandbox at Microsoft Live Labs.

Reports Overview

  • The Security Architecture of the Chromium Browser
    September, 2008.
    This tech report describes how the Chromium web browser (from which Google Chrome is built) uses a sandbox to try to limit the damage that can be done if a vulnerability in Chromium's rendering engine is exploited. Joint work with Adam Barth and Collin Jackson.

  • Using Processes to Improve the Reliability of Browser-based Applications
    December, 2007.
    This tech report shows how an increase in the use of client-side JavaScript code is leading to reliability problems in web browsers, and it evaluates the use of OS processes to isolate web sites from each other within the browser.

  • Improving the Security and Robustness of Modern Web Browsers
    General Exam Report, 2007.
    This report is an informal thesis proposal. It describes how the current threats to web browser security can be addressed by improving the isolation between unrelated web pages and interposing on web page behavior.