Abstract
Current web browsers are plagued with vulnerabilities, providing hackers with easy access to computer systems via browser-based attacks. Browser security efforts that retrofit existing browsers have had limited success because the design of modern browsers is fundamentally flawed. To enable more secure web browsing, we design and implement a new browser, called the OP web browser, that attempts to improve the state of the art in browser security. We combine operating system design principles with formal methods to design a more secure web browser by drawing on the expertise of both communities. Our design philosophy is to partition the browser into smaller subsystems and make all communication between subsystems simple and explicit. At the core of our design is a small browser kernel that manages the browser subsystems and interposes on all communications between them to enforce our new browser security features.
To show the utility of our browser architecture, we design and implement three novel security features. First, we develop flexible security policies that allow us to include browser plugins within our security framework. Second, we use formal methods to prove useful security properties including user interface invariants and browser security policy. Third, we design and implement a browser-level information-flow tracking system to enable post-mortem analysis of browser-based attacks.
In addition to presenting the OP browser architecture, we discuss the design and implementation of a second version of OP, OP2, that includes features from other secure web browser designs to improve on the overall security and performance of OP. To evaluate our design, we implemented OP2 and measured its performance, memory, and filesystem impact while browsing popular pages. We show that the additional security features in OP and OP2 introduce minimal overhead.
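As an added illustration of the design philosophy described in the abstract (this is not OP's code), the toy model below has a browser kernel through which every inter-subsystem message must pass; the kernel checks each message against a policy and appends it to a log, and a backtracking routine then uses that log for post-mortem analysis of what could have influenced a given subsystem. The subsystem names, the policy rules and the message scenario are all constructed for this example.

```python
from collections import namedtuple

# src/dst are "<kind>:<origin>" for web content (page, plugin) and a bare kind
# ("network", "storage", "ui") for infrastructure subsystems.
Msg = namedtuple("Msg", "src dst op arg")

def origin(name):
    return name.split(":", 1)[1] if ":" in name else None

class BrowserKernel:
    """Subsystems never call each other; every message passes through send()."""
    def __init__(self):
        self.log, self.denied = [], []   # append-only records of every message

    def allowed(self, m):
        so, do = origin(m.src), origin(m.dst)
        if so and do:                # content to content: same origin only
            return so == do
        if m.dst == "network":       # content may fetch only from its own origin
            return m.op == "fetch" and m.arg.startswith(f"http://{so}/")
        if m.dst == "storage":       # storage is namespaced per origin
            return m.op == "store" and m.arg.startswith(f"{so}/")
        if m.dst == "ui":            # content may only draw into the UI
            return m.op == "draw"
        return do is not None        # infrastructure delivering to content

    def send(self, src, dst, op, arg):
        m = Msg(src, dst, op, arg)
        if not self.allowed(m):
            self.denied.append(m)
            return False
        self.log.append(m)
        return True

def backtrack(log, subsystem, before):
    # Post-mortem: logged messages that could have influenced `subsystem`
    # before log position `before`, following inbound edges transitively.
    tainted, chain = {subsystem}, []
    for m in reversed(log[:before]):
        if m.dst in tainted:
            tainted.add(m.src)
            chain.append(m)
    return chain[::-1]

def demo():
    # Constructed scenario: a plugin receives its movie, then attempts a
    # cross-origin fetch (denied) and writes to its own origin's storage (allowed).
    k = BrowserKernel()
    for m in [("page:evil.example", "network", "fetch", "http://evil.example/x.swf"),
              ("network", "plugin:evil.example", "deliver", "http://evil.example/x.swf"),
              ("plugin:evil.example", "network", "fetch", "http://other.example/"),
              ("plugin:evil.example", "storage", "store", "evil.example/cache")]:
        k.send(*m)
    return k
```

Because the log records only which subsystem talked to which, the backtrack is deliberately an over-approximation: anything that ever delivered data into a tainted subsystem is pulled into the chain.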
Designing and Implementing the OP and OP2 Web Browsers