Designing and Implementing the OP and OP2 Web Browsers

Published: 01 May 2011

Abstract

Current web browsers are plagued with vulnerabilities, providing hackers with easy access to computer systems via browser-based attacks. Browser security efforts that retrofit existing browsers have had limited success because the design of modern browsers is fundamentally flawed. To enable more secure web browsing, we design and implement a new browser, called the OP web browser, that attempts to improve the state-of-the-art in browser security. We combine operating system design principles with formal methods to design a more secure web browser by drawing on the expertise of both communities. Our design philosophy is to partition the browser into smaller subsystems and make all communication between subsystems simple and explicit. At the core of our design is a small browser kernel that manages the browser subsystems and interposes on all communications between them to enforce our new browser security features.

To show the utility of our browser architecture, we design and implement three novel security features. First, we develop flexible security policies that allow us to include browser plugins within our security framework. Second, we use formal methods to prove useful security properties including user interface invariants and browser security policy. Third, we design and implement a browser-level information-flow tracking system to enable post-mortem analysis of browser-based attacks.

In addition to presenting the OP browser architecture, we discuss the design and implementation of a second version of OP, OP2, that includes features from other secure web browser designs to improve on the overall security and performance of OP. To evaluate our design, we implemented OP2 and measured its performance, memory, and filesystem impact while browsing popular pages. We show that the additional security features in OP and OP2 introduce minimal overhead.
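The abstract's central design point is a small browser kernel that sits between all subsystems, enforces the security policy on every message, and records enough to reconstruct an attack afterwards. The following Python model is an added illustration for this page, not code from OP or OP2: the subsystem naming scheme (page:<origin>, plugin:<origin>, network, storage), the message format, the same-origin-plus-grants policy, and the coarse "a message depends on everything its sender received" provenance rule are all assumptions chosen for the demo, and the scenario data is constructed.

```python
"""Toy browser-kernel message broker in the spirit of the OP design: every
subsystem is a separate principal, all traffic crosses the kernel, and the
kernel both enforces policy and keeps a provenance log for later analysis.
Added example for this page, not OP/OP2 code; names, message format, policy
rules and provenance model are assumptions made for the demo."""
import itertools
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Msg:
    src: str         # sending subsystem, e.g. "page:https://a.example"
    dst: str         # receiving subsystem: "network", "storage", or a page/plugin
    kind: str        # "fetch", "response", "store", "read"
    origin: str      # the origin whose data this message concerns
    target: str      # URL for fetch/response, key name for store/read
    payload: str = ""


def origin_of(url: str) -> str:
    """scheme://host[:port] of a URL; the label the kernel compares against."""
    u = urlsplit(url)
    port = f":{u.port}" if u.port else ""
    return f"{u.scheme}://{u.hostname}{port}"


class BrowserKernel:
    """Subsystems never talk directly; every message goes through send()."""

    def __init__(self):
        self.log = []               # (msg_id, msg, allowed, reason, causes)
        self._ids = itertools.count(1)
        self._received = {}         # subsystem -> ids of messages delivered to it
        self._causes = {}           # msg_id -> ids it may depend on
        self._grants = set()        # (subsystem, foreign origin) policy exceptions

    @staticmethod
    def principal_origin(name):
        """page:<origin> and plugin:<origin> are bound to one origin; kernel
        services such as network and storage are not."""
        if name.startswith(("page:", "plugin:")):
            return name.split(":", 1)[1]
        return None

    def grant_cross_origin(self, subsystem, foreign_origin):
        """Demo policy hook: let one subsystem (e.g. a plugin instance) handle
        data of one extra origin. Plugins use the same mechanism as pages."""
        self._grants.add((subsystem, foreign_origin))

    def policy(self, m: Msg):
        """Returns (allowed, reason): same-origin rule plus explicit grants."""
        src_o = self.principal_origin(m.src)
        dst_o = self.principal_origin(m.dst)
        # The URL, not the sender, decides which origin a fetch/response belongs to.
        if m.kind in ("fetch", "response") and origin_of(m.target) != m.origin:
            return False, "URL origin does not match claimed origin"
        if src_o is not None and m.origin != src_o and (m.src, m.origin) not in self._grants:
            return False, "sender may only act on its own origin"
        if dst_o is not None and m.origin != dst_o and (m.dst, m.origin) not in self._grants:
            return False, "receiver may only be handed its own origin's data"
        return True, "ok"

    def send(self, m: Msg) -> bool:
        mid = next(self._ids)
        allowed, reason = self.policy(m)
        # Coarse provenance: a message may depend on everything its sender has
        # received so far. Denied messages are logged but create no edges.
        causes = tuple(self._received.get(m.src, ()))
        self.log.append((mid, m, allowed, reason, causes))
        if allowed:
            self._causes[mid] = causes
            self._received.setdefault(m.dst, []).append(mid)
        return allowed

    def backtrack(self, mid: int) -> set:
        """Post-mortem: ids of all messages that could have influenced mid."""
        seen, todo = set(), [mid]
        while todo:
            for c in self._causes.get(todo.pop(), ()):
                if c not in seen:
                    seen.add(c)
                    todo.append(c)
        return seen


def run_demo():
    """Constructed scenario: a benign page, a hostile page and its plugin."""
    k = BrowserKernel()
    a, b, p = "page:https://a.example", "page:https://evil.example", "plugin:https://evil.example"
    A, E = "https://a.example", "https://evil.example"
    decisions = [
        k.send(Msg(a, "network", "fetch", A, "https://a.example/index.html")),            # 1 ok
        k.send(Msg("network", a, "response", A, "https://a.example/index.html", "<html>")),  # 2 ok
        k.send(Msg(a, "storage", "store", A, "token", "s3cr3t")),                         # 3 ok
        k.send(Msg(b, "storage", "read", A, "token")),                                    # 4 denied
        k.send(Msg(b, "network", "fetch", E, "https://a.example/index.html")),            # 5 denied: relabelled URL
        k.send(Msg(p, "network", "fetch", A, "https://a.example/feed.xml")),              # 6 denied: no grant
    ]
    k.grant_cross_origin(p, A)  # explicit policy exception for the plugin only
    decisions += [
        k.send(Msg(p, "network", "fetch", A, "https://a.example/feed.xml")),              # 7 ok
        k.send(Msg("network", p, "response", A, "https://a.example/feed.xml", "<rss>")),  # 8 ok
        k.send(Msg("network", b, "response", A, "https://a.example/feed.xml", "<rss>")),  # 9 denied
    ]
    return {
        "decisions": decisions,
        "backtrack_store": k.backtrack(3),             # which messages fed the token write
        "backtrack_plugin_response": k.backtrack(8),
        "log": k.log,
    }


if __name__ == "__main__":
    for mid, m, ok, why, causes in run_demo()["log"]:
        print(f"{mid:2} {m.src} -> {m.dst} {m.kind:8} {'ALLOW' if ok else 'DENY '} {why} causes={causes}")
```

Two things worth noticing when running it. The policy is enforced at the only place messages can pass, so the hostile page gets nothing from a.example's storage or network even after its plugin has been granted cross-origin access, because the grant names the plugin subsystem, not the page. The provenance is deliberately coarse: message 8 (the plugin's feed response) is reported as depending on message 1 as well as 7, simply because the network subsystem had received both. Tracking at subsystem granularity is cheap and never misses a real dependency, at the price of over-approximation, which is the usual trade-off for a kernel-level post-mortem log.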

    Reviews

    Ahmed Patel

    Current popular Web browsers like Internet Explorer and Mozilla provide attackers with easy access to computer systems and user accounts, thus compromising security and protection. Various previous attempts to overcome this problem, mainly retrofit updates, have largely failed. The paper is apt, although the title seems inappropriate since it does not contain the words "security" and/or "protection." The authors' goal is to provide improved security features for their OP/OP2 secure browsers using a plugin architecture platform. The paper is relatively well written, presenting good problem analysis, defining security policies, and model checking the implementation and its evaluation. At the heart of the design is the browser kernel that manages all of the surrounding components and their inter-process communication. This model approach provides a clear separation between the implementation of the core functions of the browser components and the supplementary security and protection policy features and functions, thus providing a neat demarcation of component isolation guarantees to avoid security breaches. The OP/OP2 Web browsers record, and can assist in digital forensic examinations of, attacks that they are otherwise unable to prevent. All of these properties enable the Web client to withstand attacks. I have learned new things from this paper; everything is explained reasonably well, with good examples to support the OP system design.

    Online Computing Reviews Service

    • Published in

      ACM Transactions on the Web, Volume 5, Issue 2
      May 2011
      190 pages
      ISSN: 1559-1131
      EISSN: 1559-114X
      DOI: 10.1145/1961659

      Copyright © 2011 ACM

      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Publication History

      • Published: 1 May 2011
      • Accepted: 1 September 2010
      • Revised: 1 August 2010
      • Received: 1 September 2008


      Qualifiers

      • research-article
      • Research
      • Refereed
