On the Design of a Web Browser: Lessons learned from Operating Systems Kapil Singh and Wenke Lee Georgia Institute of Technology Web 2.0 Security and Privacy – 2008

Mar 26, 2015

Page 1

On the Design of a Web Browser: Lessons learned from Operating Systems

Kapil Singh and Wenke Lee

Georgia Institute of Technology

Web 2.0 Security and Privacy – 2008

Page 2

Motivation

The browser has evolved from rendering static web pages to hosting a wide variety of applications.

Browser code size has grown, and the browser now runs much more application code.

Effectively, it is building up into a mini-OS.

… so why not think of browser design based on known OS designs?

Page 3

What do we have today?

All browser components run in one isolation boundary: minimum or no isolation among components; the problem of plug-ins.

Increased code size: a source of increasing browser vulnerabilities; bad maintainability.

Lack of flexibility: not much freedom to customize your browser.

Page 4

…Have we already seen these issues somewhere?

Monolithic kernel design suffers from similar limitations!

Can we do something better? Micro-kernel, Exokernel, SpinOS…

Can the lessons from OS be applied to the browser design?

Page 5

Design Principles

Isolation between browser components

Integrity of communication channels

Separation between policy and mechanism

Customization and flexibility

Page 6

Browser Design

Goal: To leverage known OS designs to develop a secure and flexible web browser.

Utilize the μ-kernel OS design [Liedtke95].

Layered architecture with a “kernel” mode and a “user” mode.

The β-kernel provides complete mediation.

All applications run on the layer on top of the β-kernel.

Page 7

Browser from an OS view

[Figure: side-by-side comparison of a μ-kernel based OS and a β-kernel based browser.]

Page 8

β-kernel: primitives

Address space

Communication between browser components

Identity of browser components

Page 9

β-kernel primitives: Address Space

Enable isolation and customized access control.

Memory management module owns complete address space at browser startup.

Grant, Map and Flush operations.

Applicable to the browser cache and file system.

Page 10

Example: Same Origin Policy

[Figure: Same Origin Policy walkthrough. Components shown: X.com, Y.com, Access Control, Memory Management, β-kernel. Labelled arrows: “Request Access X.com” (from Y.com), “grant Request” (Access Control to Memory Management), “map” (through the β-kernel), “Access Y.com”; the resource involved is labelled X.]
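A small, runnable model of the address-space primitives from the previous slide (Grant, Map, Flush) and of the X.com / Y.com walkthrough above, added here as an illustration. It is not the authors' code: the class and method names, the page id and the origins are assumptions. The β-kernel owns the pages and performs the mechanism (map, flush, grant bookkeeping), while a separate same-origin policy object answers every access request, so policy and mechanism stay apart and every access is mediated. Origins are compared as (scheme, host, port) with default ports filled in, which is why the model goes slightly beyond the slide: it shows that https://x.com:443 is the same origin as https://x.com while http://x.com is not.

```python
"""Toy model of the beta-kernel address-space primitives from the talk
(Grant, Map, Flush) with the same-origin policy kept outside the kernel.
Added illustration only: every class, method, page id and origin below is
an assumption, not code from the talk."""

from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Reduce a URL to its (scheme, host, port) origin, filling in the default
    port so that https://x.com and https://x.com:443 compare equal."""
    u = urlsplit(url)
    return (u.scheme, u.hostname, u.port or DEFAULT_PORTS.get(u.scheme))


class AccessDenied(Exception):
    pass


class SameOriginPolicy:
    """Policy component: decides, never enforces.  Same origin is allowed;
    a different origin needs an explicit grant from the owner."""

    def allow(self, requester, owner, explicitly_granted):
        return requester == owner or explicitly_granted


class BetaKernel:
    """Mechanism only: owns every page, records grants, performs map/flush,
    and consults the policy object on each access (complete mediation)."""

    def __init__(self, policy):
        self.policy = policy
        self.owner = {}    # page_id -> owning origin
        self.grants = {}   # page_id -> set of origins holding an explicit grant
        self.store = {}    # page_id -> content (the kernel-owned "memory")
        self.views = {}    # origin -> {page_id: content} mapped into that component

    def alloc(self, owner_url, page_id, content):
        """Create a page owned by one origin; only the owner sees it at first."""
        owner = origin_of(owner_url)
        self.owner[page_id] = owner
        self.grants[page_id] = set()
        self.store[page_id] = content
        self.views.setdefault(owner, {})[page_id] = content

    def grant(self, owner_url, page_id, grantee_url):
        """Grant: the owner delegates access to another component."""
        if self.owner[page_id] != origin_of(owner_url):
            raise AccessDenied("only the owning origin may grant")
        self.grants[page_id].add(origin_of(grantee_url))

    def request_access(self, requester_url, page_id):
        """Map: every access request is mediated here; on approval the page is
        mapped into the requester's view and its content returned."""
        requester = origin_of(requester_url)
        granted = requester in self.grants[page_id]
        if not self.policy.allow(requester, self.owner[page_id], granted):
            raise AccessDenied(f"{requester_url} may not access {page_id}")
        self.views.setdefault(requester, {})[page_id] = self.store[page_id]
        return self.store[page_id]

    def flush(self, owner_url, page_id):
        """Flush: the owner revokes every grant and mapping held by others."""
        owner = origin_of(owner_url)
        if self.owner[page_id] != owner:
            raise AccessDenied("only the owning origin may flush")
        self.grants[page_id].clear()
        for origin, view in self.views.items():
            if origin != owner:
                view.pop(page_id, None)

    def is_mapped(self, url, page_id):
        return page_id in self.views.get(origin_of(url), {})


def demo():
    """Walk through the talk's X.com / Y.com scenario; returns each outcome."""
    k = BetaKernel(SameOriginPolicy())
    k.alloc("https://x.com", "x-session", "session=abc")  # constructed sample page

    def attempt(url):
        try:
            return k.request_access(url, "x-session")
        except AccessDenied:
            return "denied"

    out = {"same_origin": attempt("https://x.com:443/page"),
           "cross_origin": attempt("https://y.com"),
           "scheme_differs": attempt("http://x.com")}
    k.grant("https://x.com", "x-session", "https://y.com")  # X.com grants Y.com
    out["after_grant"] = attempt("https://y.com")
    k.flush("https://x.com", "x-session")                   # X.com revokes
    out["y_mapped_after_flush"] = k.is_mapped("https://y.com", "x-session")
    return out


if __name__ == "__main__":
    print(demo())
```

Swapping `SameOriginPolicy` for another class is the "customized access control" the slides mention: the kernel code does not change, only the object that answers `allow`.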

Page 11

Design Directions

Single-process browser: better performance and memory management.

Intra-address space isolation [Ford08, Chiueh99]: Vx32 provides a lightweight sandbox for guest code in the host address space, and can control the system calls made by the guest code.

Page 12

Single process: Performance (?)

[Figure: two process layouts compared. Left: several W boxes (web applications) directly above “OS Kernel mode”. Right: several W boxes above a single “β-kernel” layer, which itself sits above “OS Kernel mode”.]

Page 13

Tackling browser extensions

Browser design allows flexibility to develop your own memory management, access control, etc. on top of the kernel.

Installation of new extensions mediated by the β-kernel.

Communication interfaces verified according to the user policies.

Execution verification and isolation

Intra-process sandboxing
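A runnable sketch of the extension handling described on this slide, added as an illustration (not the authors' code; the manifest keys, interface names and the shape of the user policy are assumptions). Installation goes through the β-kernel, which rejects any extension whose declared communication interfaces the user policy does not allow; afterwards every message between components is routed by the kernel, which stamps the sender's kernel-assigned identity onto it, so the identity primitive from slide 8 cannot be forged by the sender.

```python
"""Toy model of beta-kernel mediated extension installation and
inter-component communication.  Added illustration only; manifest keys,
interface names and policy shape are assumptions, not from the talk."""

import itertools


class PolicyViolation(Exception):
    pass


class BetaKernel:
    def __init__(self, user_policy):
        self.user_policy = set(user_policy)   # interfaces extensions may use
        self.components = {}   # cid -> {"name", "uses", "provides"}
        self.providers = {}    # interface name -> cid of the component serving it
        self.delivered = {}    # cid -> messages the kernel delivered to it
        self._ids = itertools.count(1)

    def _register(self, name, uses, provides):
        cid = next(self._ids)  # identity is assigned by the kernel, never chosen
        self.components[cid] = {"name": name, "uses": set(uses), "provides": set(provides)}
        for iface in provides:
            self.providers[iface] = cid
        self.delivered[cid] = []
        return cid

    def boot_service(self, name, provides):
        """Core components (renderer, network, storage) registered at startup."""
        return self._register(name, uses=(), provides=provides)

    def install_extension(self, manifest):
        """Mediated installation: refuse any interface the user policy does not
        allow.  Extensions may use interfaces but never provide core ones."""
        wanted = set(manifest["uses"])
        denied = wanted - self.user_policy
        if denied:
            raise PolicyViolation(f"{manifest['name']} requests {sorted(denied)}")
        return self._register(manifest["name"], uses=wanted, provides=())

    def send(self, sender_cid, interface, payload):
        """All inter-component communication passes through the kernel."""
        sender = self.components[sender_cid]
        if interface not in sender["uses"]:
            raise PolicyViolation(f"{sender['name']} may not use {interface}")
        target = self.providers[interface]
        # The 'from' field is written by the kernel from its own records; a
        # 'from' key smuggled into the payload is dropped, so no component can
        # impersonate another on the channel.
        msg = {"from": sender_cid, "from_name": sender["name"],
               "interface": interface,
               "payload": {k: v for k, v in payload.items() if k != "from"}}
        self.delivered[target].append(msg)
        return msg


def demo():
    """Constructed scenario: a user policy that permits DOM reads and storage
    but no direct network access for extensions."""
    k = BetaKernel(user_policy={"dom.read", "storage"})
    renderer = k.boot_service("renderer", provides={"dom.read", "dom.write"})
    k.boot_service("network", provides={"net.fetch"})
    k.boot_service("storage", provides={"storage"})
    out = {}
    ad_blocker = k.install_extension({"name": "ad-blocker", "uses": ["dom.read"]})
    out["installed"] = ad_blocker
    try:  # asks for net.fetch, which the user policy does not permit
        k.install_extension({"name": "telemetry-ext", "uses": ["dom.read", "net.fetch"]})
        out["net_ext"] = "installed"
    except PolicyViolation:
        out["net_ext"] = "rejected"
    msg = k.send(ad_blocker, "dom.read", {"selector": "iframe", "from": 1})
    out["stamped_from"] = msg["from"]
    out["spoof_dropped"] = "from" not in msg["payload"]
    try:  # dom.write was never granted, even though the renderer provides it
        k.send(ad_blocker, "dom.write", {"html": "<b>x</b>"})
        out["write"] = "allowed"
    except PolicyViolation:
        out["write"] = "denied"
    out["renderer_inbox"] = len(k.delivered[renderer])
    return out


if __name__ == "__main__":
    print(demo())
```

The check at install time and the check at send time are deliberately both present: the manifest check keeps disallowed extensions out, and the per-message check keeps an installed extension inside the interface set it declared, which is what "communication interfaces verified according to the user policies" amounts to in this model.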

Page 14

Conclusions

Presented a new browser design based on lessons learned from μ-kernel design.

The design shows potential; feasibility depends on performance and usability.

An attempt to bridge the gap between OS designs and browser designs. It might be useful to utilize other experiences from the OS field.

Page 15

Thank You.

Questions?

Kapil Singh

[email protected]