Modern web browsers have evolved from simple document renderers to complex runtime environments for many types of web content. This makes them analogous to operating systems in many ways. My current research takes advantage of this analogy, using ideas from operating systems to improve the security and robustness of web browsers.
I am studying how to address several current threats on the web, including browser vulnerabilities, cross-site scripting, cross-site request forgeries, and resource contention between web sites. I have proposed a set of architectural principles to better support running web programs within the browser:
- Web programs and program instances must have clear boundaries on the network and within the web browser.
- It must be easy to specify which code is authorized to run in a web program, and to impose limitations on this code.
- Instances of programs must be isolated in the browser, to prevent interference between them.
- The behavior of program instances must be governed by uniform browser-level policies, independent of content types and browser extensions.
- Site Isolation: Process Separation for Web Sites within the Browser
USENIX Security, 2019.
This paper describes the challenges we overcame to launch Site Isolation in Chrome, to help defend web sites against Spectre attacks and compromised renderer processes. This work involved solving performance and compatibility challenges to make it practical, as well as changing over 400,000 lines of code to update Chrome's architecture and feature set.
- App Isolation: Get the Security of Multiple Browsers with Just One
This paper crystallizes the security benefits of using separate browsers for different sites, and it shows how to achieve those benefits on an opt-in basis in a single web browser.
- Browser Security: Lessons from Google Chrome
ACM Queue, 2009.
This article describes how the Google Chrome team addressed security for web browsers in several ways, including limiting the severity of vulnerabilities, the window of vulnerability, and the frequency with which users are exposed to dangerous content.
- Isolating Web Programs in Modern Browser Architectures
This paper introduces abstractions that allow web browsers to identify and isolate "web programs" from each other, without breaking existing content. The browser can then put each web program instance in its own OS process to prevent interference between them. We have helped add support for our abstractions to Google Chrome, and we evaluate how its multi-process architecture improves robustness and performance.
- Detecting In-Flight Page Changes with Web Tripwires
- Architectural Principles for Safe Web Programs
This paper argues that current web security threats are symptoms of four fundamental problems in the ways web programs are defined and web browsers are built. It proposes architectural principles for addressing these problems.
- BrowserShield: Vulnerability-Driven Filtering of Dynamic HTML
ACM Transactions on the Web, 2007.
This journal paper extends our OSDI paper on BrowserShield, providing more detail on the framework's policies and applications.
- BrowserShield: Vulnerability-Driven Filtering of Dynamic HTML
- The Security Architecture of the Chromium Browser
This tech report describes how the Chromium web browser (from which Google Chrome is built) uses a sandbox to try to limit the damage that can be done if a vulnerability in Chromium's rendering engine is exploited. Joint work with Adam Barth and Collin Jackson.
- Using Processes to Improve the Reliability of Browser-based Applications
- Improving the Security and Robustness of Modern Web Browsers
General Exam Report, 2007.
This report is an informal thesis proposal. It describes how the current threats to web browser security can be addressed by improving the isolation between unrelated web pages and interposing on web page behavior.