Security Architecture of the Chromium Browser
Adam Barth, Collin Jackson, Charles Reis, and The Google Chrome Team
Stanford Technical Report, September 2008.
Most current web browsers employ a monolithic architecture that combines "the user" and "the web" into a single protection domain. An attacker who exploits an arbitrary code execution vulnerability in such a browser can steal sensitive files or install malware. In this paper, we present the security architecture of Chromium, the open-source browser upon which Google Chrome is built. Chromium has two modules in separate protection domains: a browser kernel, which interacts with the operating system, and a rendering engine, which runs with restricted privileges in a sandbox. This architecture helps mitigate high-severity attacks without sacrificing compatibility with existing web sites. We define a threat model for browser exploits and evaluate how the architecture would have mitigated past vulnerabilities.
At University of Washington:
Web Browsers as Operating Systems: Supporting Robust and Secure Web Programs
Charles Reis, Ph.D. Dissertation, June 2009.
The World Wide Web has changed significantly since its introduction, facing a shift in its workload from passive web pages to active programs. Current web browsers were not designed for this demanding workload, and web content formats were not designed to express programs. As a result, the platform faces numerous robustness and security problems, ranging from interference between programs to script injection attacks to browser exploits.
This dissertation presents a set of contributions that adapt lessons from operating systems to make the web a more suitable platform for deploying and running programs. These efforts are based upon four architectural principles for supporting programs. First, we must recognize web programs and precisely identify the boundaries between them, while preserving compatibility with existing content. Second, we must improve browser architectures to effectively isolate web programs from each other at runtime. Third, publishers must have the ability to authorize the code that runs within the programs they deploy. Fourth, users must be able to enforce policies on the programs they run within their browser.
In this work, I incorporate these architectural principles into web browsers and web content, and I use experiments to quantify the improvements to robustness and performance while preserving backward compatibility. Additionally, some of these efforts have been incorporated into the Google Chrome web browser, demonstrating their practicality.
Using Processes to Improve the Reliability of Browser-based Applications
Charles Reis, Brian Bershad, Steven D. Gribble, Henry M. Levy
Technical Report UW-CSE-2007-12-01, University of Washington, December 2007.
Web content now includes programs that are executed directly within a web browser. Executable content, though, creates new reliability problems for users who rely on the browser to provide program services typical of operating systems. In particular, we find that the runtime environments of current browsers poorly isolate applications from one another. As a result, one web application executing within the browser can interfere with others, whether it be through an explicit failure or the excessive consumption of resources. Our goal is to make the browser a safe environment for running programs by introducing an isolation mechanism that insulates one application from the behavior of another. We show how to use OS processes within the browser to safely isolate programs in a way that is both efficient and backwards compatible with existing web sites.
Improving the Security and Robustness of Modern Web Browsers
General Exam Report, University of Washington, May 2007.
Despite their popularity, modern web browsers do not offer a secure or robust environment for interacting with untrusted content. Today's web users face a variety of threats, including exploits of browser vulnerabilities, interference between web sites, script injection attacks, and abuse of authentication credentials. To address these threats, I leverage an analogy between operating systems and web browsers, as both must run independent programs from multiple sources. My hypothesis is that mechanisms from OS research can improve the security and robustness of modern web browsers. In this report, I propose abstractions and mechanisms to isolate independent web content within the browser, and I propose two separate interposition techniques to support flexible security policies. Combined, these contributions can improve the safety of web browsers, while preserving backwards compatibility and imposing low overhead.
An Empirical Characterization of Wireless Network Behavior
Quals Paper, University of Washington, June 2005.
Existing work on understanding 802.11 wireless network behavior has been largely unsatisfactory for practical settings. Widely used simulators rely on unrealistic assumptions about signal propagation, while more detailed radio models are too complex to configure for predicting performance of an actual wireless system. To gain a more accurate understanding of wireless behavior in practice, we use experimentation on a wireless testbed and in controlled settings to effectively characterize packet delivery. We contribute a simple measurement-based model of wireless behavior, supported by empirical observations of relevant physical effects. Our model and observations can be used directly for designing and improving wireless protocols and systems in practice.
At Rice University: