Talks
What's Up With Site Isolation
Part of Sharon Yang's interview series with Chromium engineers about the inner workings of the browser.
IEEE Cybersecurity Award for Practice
For work on Site Isolation for Chrome, with Nasko Oskov, Daniel Cheng, Alex Moshchuk, and Łukasz Anforowicz.
Improving Chrome's Security Architecture
Abstract:
Web browsers face a challenging security landscape, where complex legacy codebases are expected to safely run untrustworthy code. This talk will outline some of our recent efforts to improve Chrome's security architecture to make the browser safer for users. Using Site Isolation as an example, I will highlight the benefits and challenges of adopting research architecture ideas in production, the importance of aligning a system's security architecture with underlying OS-provided abstractions, and the role of evolving the platform itself to respect challenges in the system's architecture.
Slides: [pdf]
Site Isolation: Confining Untrustworthy Code in the Web Browser
Abstract:
In the late 2000s, web browsers moved from single-process to multi-process architectures, introducing a sandbox boundary between untrustworthy code from the web and local resources. While effective at the time, the security landscape has changed and a stronger architecture is now needed.

In this talk, we will cover our deployment of the Site Isolation architecture to Chrome users. This pushes the browser security model forward, mitigating entire classes of attacks: from same-process Spectre exploits to UXSS to arbitrary code execution in the renderer sandbox. We will discuss how the browser's architecture has changed, what security properties it offers, what limitations still exist, and how we preserved compatibility and performance to scale it to all Chrome desktop users. Finally, we will give examples of new types of Site Isolation bypass bugs that fall into Chrome's Vulnerability Rewards Program, for those motivated to help us make this defense stronger.

Slides: [pdf]
Supporting and Securing Programs inside Web Browsers
Abstract:
Today's browsers are being placed in the role of operating systems for complex programs from the web. Recent versions of browsers are starting to reflect this new workload, providing better performance and greater robustness to failures. Improving security is an important challenge as well, given the valuable private data that now lives on the web. In this talk, I will discuss how new browser architectures can help protect the user's local computer with sandboxed rendering engines, as in Google Chrome. I will also describe challenges for architecturally isolating a user's web accounts from each other, and ideas about how we might achieve it.
Slides: [pdf] [key]
Building a Safer Web
Abstract:
Web content has shifted from simple documents to active programs, but web browsers and protocols have not evolved adequately to support them. As a result, safety problems in web browsers and web sites now regularly make headlines, from browser exploits to ISPs that modify web pages. In this talk, I will discuss my research in improving the safety and reliability of web browsers and web content.

I will focus on two recent projects: multi-process browser architectures and web tripwires. First, I will show how current web browser architectures allow disruptive interference between web-based applications. I have identified backwards compatible abstractions that can be used in the browser's architecture to isolate such programs in a robust way, and I have helped incorporate these abstractions into the Google Chrome browser. I will present an evaluation of how this architecture improves the browser's robustness against interference.

Second, I will present a web tripwire mechanism for detecting in-flight changes to web content. We have used web tripwires to show that many clients receive pages that have been altered before reaching the browser, with consequences ranging from injected advertisements to new security vulnerabilities. Many sites are unwilling to bear the costs of switching to SSL for integrity, so I will show how web publishers can use web tripwires to detect such changes to their own content.

I will conclude with an overview of my other research, including the BrowserShield interposition system, as well as future directions for improving the safety of programs on the web.

Slides: [pdf] [key]
The Security Architecture of the Chromium Browser
Joint work with: Adam Barth, Collin Jackson, and the Google Chrome Team
Abstract:
Web browsers must often handle untrusted or malicious code while protecting the user. However, most current browsers have a monolithic architecture that combines "the user" and "the web" into a single protection domain. In these browsers, an attacker who exploits an arbitrary code execution vulnerability can install malware or steal sensitive files from the user's computer.

In this talk, I will discuss how the architecture used by the Chromium browser (from which Google Chrome is built) can help mitigate these high-severity attacks. Chromium has two modules in separate protection domains: a browser kernel, which interacts with the operating system, and a rendering engine, which runs with restricted privileges in a sandbox. I will show what types of attacks this architecture can help mitigate as well as what challenges it faces for addressing other threats.

Slides: [pdf] [key]
Building a Safer Web: Web Tripwires and a New Browser Architecture
Abstract:
Web content has shifted from simple documents to active programs, but web protocols and browsers have not evolved adequately to support them. As a result, safety problems in web sites and web browsers now regularly make headlines, from browser exploits to ISPs that modify web pages. In this talk, I will discuss my research into improving the security and reliability of web content and browsers.

For most of this talk, I will focus on one particular problem: the ability for intermediaries to modify web content in-flight. Our recent measurement study shows that many clients now receive web pages that have been altered before reaching the browser. The changes range from injected advertisements to popup blocking code to malware, often affecting the user's privacy and security. Some of these changes introduce bugs and even vulnerabilities into the pages they modify. Most sites are unwilling to switch to SSL for reasons of cost and performance, so I will show how web servers can use "web tripwires" to detect in-flight page changes with inexpensive JavaScript code.
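The tripwire idea described in the two abstracts above (this talk and "Building a Safer Web"), as an added example that is not code from the talks or the web tripwires project: the server embeds a known-good copy of its page, and a small script compares it with what the browser actually received, reporting the region that was changed in flight. The HTML samples and the ads.example URL are constructed for illustration.

```javascript
// Added example (not from the talk). A minimal "web tripwire": the server
// publishes a known-good copy of the page alongside a script; the script
// compares that copy with the HTML the browser actually received. A
// mismatch means an intermediary (proxy, ISP, local malware) altered the
// page between the server and the browser.

// Constructed sample: the page exactly as the server sent it.
const EXPECTED_HTML =
  '<html><head><title>Demo</title></head>' +
  '<body><h1>Hello</h1><p>Original content.</p></body></html>';

// Constructed sample: the same page after an in-flight injection
// (ads.example is a placeholder domain, not a real one).
const RECEIVED_HTML =
  '<html><head><title>Demo</title>' +
  '<script src="http://ads.example/inject.js"></script></head>' +
  '<body><h1>Hello</h1><p>Original content.</p></body></html>';

// Compare the two copies and isolate the changed region by stripping the
// common prefix and suffix. Returns what was removed and what was
// inserted at the first point of divergence. Note that when the injected
// text starts with the same character as the original (e.g. '<'), the
// boundary shifts by that character; the report is still correct.
function checkTripwire(expected, received) {
  if (expected === received) return { modified: false };
  let start = 0;
  const maxStart = Math.min(expected.length, received.length);
  while (start < maxStart && expected[start] === received[start]) start++;
  let endE = expected.length;
  let endR = received.length;
  while (endE > start && endR > start &&
         expected[endE - 1] === received[endR - 1]) {
    endE--;
    endR--;
  }
  return {
    modified: true,
    offset: start,
    removed: expected.slice(start, endE),
    inserted: received.slice(start, endR),
  };
}

// In a live page the script would read document.documentElement.outerHTML
// instead of RECEIVED_HTML and report a mismatch back to the server.
function runTripwire(received = RECEIVED_HTML) {
  const result = checkTripwire(EXPECTED_HTML, received);
  if (result.modified) {
    console.log(`page modified at offset ${result.offset}: ` +
                `inserted ${JSON.stringify(result.inserted)}`);
  }
  return result;
}
```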

After this, I will talk more broadly about my research on web browser security, focusing on the deficiencies of today's web as an application platform. Starting from my prior work on BrowserShield, I will show how we need a safer architecture for running programs within the browser. Like an operating system, this new architecture will need effective mechanisms to define, isolate, and enforce policies on these web programs.

Slides: [pdf] [key]