Publications
At Google:
Site Isolation: Process Separation for Web Sites within the Browser
[pdf] [Usenix Security page]
Charles Reis, Alexander Moshchuk, Nasko Oskov
USENIX Security, August 2019.
Presentation: [pdf] [video]
Abstract:
Current production web browsers are multi-process but place different web sites in the same renderer process, which is not sufficient to mitigate threats present on the web today. With the prevalence of private user data stored on web sites, the risk posed by compromised renderer processes, and the advent of transient execution attacks like Spectre and Meltdown that can leak data via microarchitectural state, it is no longer safe to render documents from different web sites in the same process. In this paper, we describe our successful deployment of the Site Isolation architecture to all desktop users of Google Chrome as a mitigation for process-wide attacks. Site Isolation locks each renderer process to documents from a single site and filters certain cross-site data from each process. We overcame performance and compatibility challenges to adapt a production browser to this new architecture. We find that this architecture offers the best path to protection against compromised renderer processes and same-process transient execution attacks, despite current limitations. Our performance results indicate it is practical to deploy this level of isolation while sufficiently preserving compatibility with existing web content. Finally, we discuss future directions and how the current limitations of Site Isolation might be addressed.
App Isolation: Get the Security of Multiple Browsers with Just One
[pdf]
Eric Y. Chen, Jason Bau, Charles Reis, Adam Barth, Collin Jackson
Computer and Communications Security. Chicago, Illinois, October 2011.
Abstract:
Many browser-based attacks can be prevented by using separate browsers for separate web sites. However, most users access the web with only one browser. We explain the security benefits that using multiple browsers provides in terms of two concepts: entry-point restriction and state isolation. We combine these concepts into a general app isolation mechanism that can provide the same security benefits in a single browser. While not appropriate for all types of web sites, many sites with high-value user data can opt in to app isolation to gain defenses against a wide variety of browser-based attacks. We implement app isolation in the Chromium browser and verify its security properties using finite-state model checking. We also measure the performance overhead of app isolation and conduct a large-scale study to evaluate its adoption complexity for various types of sites, demonstrating how the app isolation mechanisms are suitable for protecting a number of high-value Web applications, such as online banking.
Browser Security: Lessons from Google Chrome
[ACM]
Charles Reis, Adam Barth, Carlos Pizano
ACM Queue, June 2009.
Isolating Web Programs in Modern Browser Architectures
[pdf]
Charles Reis, Steven D. Gribble
EuroSys 2009. Nuremberg, Germany, April 2009.
Presentation: [pdf] [key]
Abstract:
Many of today's web sites contain substantial amounts of client-side code, and consequently, they act more like programs than simple documents. This creates robustness and performance challenges for web browsers. To give users a robust and responsive platform, the browser must identify program boundaries and provide isolation between them.

We provide three contributions in this paper. First, we present abstractions of web programs and program instances, and we show that these abstractions clarify how browser components interact and how appropriate program boundaries can be identified. Second, we identify backwards compatibility tradeoffs that constrain how web content can be divided into programs without disrupting existing web sites. Third, we present a multi-process browser architecture that isolates these web program instances from each other, improving fault tolerance, resource management, and performance. We discuss how this architecture is implemented in Google Chrome, and we provide a quantitative performance evaluation examining its benefits and costs.

At University of Washington:
Detecting In-Flight Page Changes with Web Tripwires
[pdf]
Charles Reis, Steven D. Gribble, Tadayoshi Kohno, Nicholas C. Weaver
5th USENIX Symposium on Networked Systems Design and Implementation (NSDI) 2008. San Francisco, California, April 2008.
Presentation: [pdf] [key]
Abstract:
While web pages sent over HTTP have no integrity guarantees, it is commonly assumed that such pages are not modified in transit. In this paper, we provide evidence of surprisingly widespread and diverse changes made to web pages between the server and client. Over 1% of web clients in our study received altered pages, and we show that these changes often have undesirable consequences for web publishers or end users. Such changes include popup blocking scripts inserted by client software, advertisements injected by ISPs, and even malicious code likely inserted by malware using ARP poisoning. Additionally, we find that changes introduced by client software can inadvertently cause harm, such as introducing cross-site scripting vulnerabilities into most pages a client visits. To help publishers understand and react appropriately to such changes, we introduce web tripwires: client-side JavaScript code that can detect most in-flight modifications to a web page. We discuss several web tripwire designs intended to provide basic integrity checks for web servers. We show that they are more flexible and less expensive than switching to HTTPS and do not require changes to current browsers.
Architectural Principles for Safe Web Programs
[pdf]
Charles Reis, Steven D. Gribble, Henry M. Levy
Sixth Workshop on Hot Topics in Networks (HotNets) 2007. Atlanta, Georgia, November 2007.
Presentation: [pdf] [key]
Abstract:
Web content is migrating away from simple hyperlinked documents towards a diverse set of programs that execute within the web browser. Unfortunately, modern browsers do not provide a safe environment for running these web programs. In this paper, we show how current web security threats are symptoms of four key problems in supporting web programs: vague program boundaries, unwanted code, poor isolation, and inconsistent security policies. In response, we introduce abstractions for web programs and program instances, and we present a set of architectural principles to address these fundamental problems.
BrowserShield: Vulnerability-Driven Filtering of Dynamic HTML
[ACM]
Charles Reis, John Dunagan, Helen Wang, Opher Dubrovsky, Saher Esmeir
ACM Transactions on the Web. Volume 1, Issue 3, September 2007.
Abstract:
Vulnerability-driven filtering of network data can offer a fast and easy-to-deploy alternative or intermediary to software patching, as exemplified in Shield [Wang et al. 2004]. In this article, we take Shield's vision to a new domain, inspecting and cleansing not just static content, but also dynamic content. The dynamic content we target is the dynamic HTML in Web pages, which have become a popular vector for attacks. The key challenge in filtering dynamic HTML is that it is undecidable to statically determine whether an embedded script will exploit the browser at runtime. We avoid this undecidability problem by rewriting web pages and any embedded scripts into safe equivalents, inserting checks so that the filtering is done at runtime. The rewritten pages contain logic for recursively applying runtime checks to dynamically generated or modified web content, based on known vulnerabilities. We have built and evaluated BrowserShield, a general framework that performs this dynamic instrumentation of embedded scripts, and that admits policies for customized runtime actions like vulnerability-driven filtering. We also explore other applications on top of BrowserShield.
BrowserShield: Vulnerability-Driven Filtering of Dynamic HTML
[pdf]
Charles Reis, John Dunagan, Helen Wang, Opher Dubrovsky, Saher Esmeir
OSDI 2006. Seattle, Washington, November 2006.
Presentation: [pdf] [key]
Abstract:
Vulnerability-driven filtering of network data can offer a fast and easy-to-deploy alternative or intermediary to software patching, as exemplified in Shield. In this paper, we take Shield's vision to a new domain, inspecting and cleansing not just static content, but also dynamic content. The dynamic content we target is the dynamic HTML in web pages, which have become a popular vector for attacks. The key challenge in filtering dynamic HTML is that it is undecidable to statically determine whether an embedded script will exploit the browser at run-time. We avoid this undecidability problem by rewriting web pages and any embedded scripts into safe equivalents, inserting checks so that the filtering is done at run-time. The rewritten pages contain logic for recursively applying run-time checks to dynamically generated or modified web content, based on known vulnerabilities. We have built and evaluated BrowserShield, a system that performs this dynamic instrumentation of embedded scripts, and that admits policies for customized run-time actions like vulnerability-driven filtering.
Measurement-Based Models of Delivery and Interference in Static Wireless Networks
[pdf]
Charles Reis, Ratul Mahajan, Maya Rodrig, David Wetherall, John Zahorjan
SIGCOMM 2006. Pisa, Italy, September 2006.
Presentation: [pdf] [key]
Abstract:
We present practical models for the physical layer behaviors of packet reception and carrier sense with interference in static wireless networks. These models use measurements of a real network rather than abstract RF propagation models as the basis for accuracy in complex environments. Seeding our models requires N trials in an N node network, in which each sender transmits in turn and receivers measure RSSI values and packet counts, both of which are easily obtainable. The models then predict packet delivery and throughput in the same network for different sets of transmitters with the same node placements. We evaluate our models for the base case of two senders that broadcast packets simultaneously. We find that they are effective at predicting when there will be significant interference effects. Across many predictions, we obtain an RMS error for 802.11a and 802.11b of a half and a third, respectively, of a measurement-based model that ignores interference.
Measurement-based Characterization of 802.11 in a Hotspot Setting
[pdf]
Maya Rodrig, Charles Reis, Ratul Mahajan, David Wetherall, John Zahorjan
EWIND Workshop at SIGCOMM 2005. Philadelphia, Pennsylvania, August 2005.
Presentation: [pdf]
Abstract:
We analyze wireless measurements taken during the SIGCOMM 2004 conference to understand how well 802.11 operates in real deployments. We find that the overhead of 802.11 is high, with only 40% of the transmission time spent in sending original data. Most of the remaining time is consumed by retransmissions due to packet losses that are caused by both contention and transmission errors. Our analysis also shows that wireless nodes adapt their transmission rates with an extremely high frequency. We comment on the difficulties and opportunities of working with wireless traces, rather than the wired traces of wireless activity that are presently more common.
At Rice University:
AP3: Cooperative, Decentralized Anonymous Communication
[pdf]
Alan Mislove, Gaurav Oberoi, Ansley Post, Charles Reis, Peter Druschel, Dan Wallach.
SIGOPS-EW 2004. Leuven, Belgium, September 2004.
Taming a Professional IDE for the Classroom
[pdf]
Charles Reis, Robert Cartwright.
SIGCSE 2004. Norfolk, Virginia, March 2004.
Presentation: [ppt] [pdf]
A Friendly Face for Eclipse
[pdf]
Charles Reis, Robert Cartwright.
eTX Workshop at OOPSLA. Anaheim, California. October 2003.
Presentation: [ppt] [pdf]
POST: A Secure, Resilient, Cooperative Messaging System
[pdf]
Alan Mislove, Ansley Post, Charles Reis, Paul Willmann, Peter Druschel, Dan Wallach, Rice University, Xavier Bonnaire, Pierre Sens, Jean-Michel Busca, Luciana Arantes-Bezerra, LIP6.
HotOS 2003. Lihue, Hawaii, May 2003.
Production Programming in the Classroom
[pdf]
Eric Allen, Robert Cartwright, Charles Reis.
SIGCSE 2003. Reno, Nevada, February 2003.
Presentation: [ppt] [pdf]