In this talk, we will cover our deployment of the Site Isolation architecture to Chrome users. This pushes the browser security model forward, mitigating entire classes of attacks: from same-process Spectre exploits to universal cross-site scripting (UXSS) to arbitrary code execution inside the renderer sandbox. We will discuss how the browser's architecture has changed, what security properties it offers, what limitations still exist, and how we preserved compatibility and performance to scale it to all Chrome desktop users. Finally, we will give examples of new types of Site Isolation bypass bugs that fall under Chrome's Vulnerability Rewards Program, for those motivated to help us make this defense stronger.
- Black Hat Europe 2019. December 5, 2019. Nasko Oskov and Charlie Reis.
- Dagstuhl Seminar on Web Application Security. March 31, 2009.
I will focus on two recent projects: multi-process browser architectures and web tripwires. First, I will show how current web browser architectures allow disruptive interference between web-based applications. I have identified backwards compatible abstractions that can be used in the browser's architecture to isolate such programs in a robust way, and I have helped incorporate these abstractions into the Google Chrome browser. I will present an evaluation of how this architecture improves the browser's robustness against interference.
Second, I will present a web tripwire mechanism for detecting in-flight changes to web content. We have used web tripwires to show that many clients receive pages that have been altered before reaching the browser, with consequences ranging from injected advertisements to new security vulnerabilities. Many sites are unwilling to bear the costs of switching to SSL for integrity, so I will show how web publishers can use web tripwires to detect such changes to their own content.
I will conclude with an overview of my other research, including the BrowserShield interposition system, as well as future directions for improving the safety of programs on the web.
In this talk, I will discuss how the architecture used by the Chromium browser (from which Google Chrome is built) can help mitigate these high-severity attacks. Chromium has two modules in separate protection domains: a browser kernel, which interacts with the operating system, and a rendering engine, which runs with restricted privileges in a sandbox. I will show what types of attacks this architecture can help mitigate as well as what challenges it faces for addressing other threats.
- Stanford Security Seminar. December 2, 2008.
After this, I will talk more broadly about my research on web browser security, focusing on the deficiencies of today's web as an application platform. Starting from my prior work on BrowserShield, I will show how we need a safer architecture for running programs within the browser. Like an operating system, this new architecture will need effective mechanisms to define, isolate, and enforce policies on these web programs.