OP's five main subsystems
"Our policy removes the burden of security from plug-in writers, and gives plug-ins the flexibility to use innovative network architectures to deliver content while still maintaining the confidentiality and integrity of our browser, even if attackers compromise the plug-in," he said.
The OP security model also uses formal methods to prove that the address bar displayed within the browser UI always shows the correct address for the current Web page, a key anti-phishing mechanism aimed at reducing exposure to identity theft attacks.
The UIUC team has also designed a browser-level information-flow tracking system to enable post-mortem analysis of browser-based attacks. "If an attacker is able to compromise our browser, we highlight the subset of total activity that is causally related to the attack, allowing users and system administrators to determine easily which Web site led to the compromise and to assess the damage of a successful attack," King said. "The biggest problem with existing browsers, whether it's IE or Firefox, is that a browser exploit gives the attacker access to everything on the system. It's even more troublesome on browsers where plug-ins are being used. A single exploit from a single Web page sacrifices the security of the entire system. That's unacceptable. What we do is break the browser into smaller sub-components. This could provide security in ways that others can't."
In its current form, OP consists of five main subsystems: the Web page subsystem, a network component, a storage component, a user-interface component, and a browser kernel.
Each subsystem runs in its own OS-level process, and the Web page subsystem is itself split across several processes, King said. Beneath it all, the browser kernel manages the communication between subsystems and between processes, and manages all interactions with the underlying operating system.
In its current design, OP uses SELinux (Security-Enhanced Linux) for OS-level sandboxing, limiting each subsystem's interactions with the underlying operating system, but King said other techniques, such as AppArmor, Systrace or Janus, would be equally suitable.
The OP browser kernel plays a central role: it is the trusted base responsible for managing the subsystems, mediating the messages passed between them, and maintaining a detailed security audit log.
The browser kernel creates most processes when the browser first launches, but it creates Web page instances on demand whenever a user visits a new Web page, King said. "The browser kernel implements message passing using OS-level pipes, and it maintains a mapping between subsystems and pipes," he said, noting that the mapping allows the browser kernel to avoid source subsystem spoofing since the browser kernel can accurately identify the subsystem connected to a pipe when it receives a message.
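The pipe-based sender identification King describes, as an added illustration rather than OP's own code: the kernel records which subsystem it handed each pipe to, derives the sender of every message from that record instead of from anything in the message, drops messages whose claimed sender disagrees, checks a small route policy before forwarding, and writes each decision to an audit log. The subsystem names, the route table and the message format are assumptions made for this example.

```python
from multiprocessing import Pipe
from multiprocessing.connection import wait

# Constructed example policy (an assumption, not OP's actual rule set):
# (sender, destination) pairs the kernel will forward.
ALLOWED_ROUTES = {("webpage", "network"), ("webpage", "ui"),
                  ("network", "webpage"), ("ui", "webpage")}


class BrowserKernel:
    """Routes messages between subsystems; identity comes from the pipe."""

    def __init__(self):
        self.pipe_to_name = {}   # kernel-side pipe end -> subsystem name
        self.name_to_pipe = {}   # subsystem name -> kernel-side pipe end
        self.audit = []          # (verdict, sender, claimed, to, type) tuples

    def register(self, name):
        """Create a pipe for a subsystem; return the end the subsystem keeps."""
        kernel_end, subsystem_end = Pipe()
        self.pipe_to_name[kernel_end] = name
        self.name_to_pipe[name] = kernel_end
        return subsystem_end

    def _route(self, conn, msg):
        sender = self.pipe_to_name[conn]          # trusted: tied to the pipe
        claimed = msg.get("from")                 # untrusted: set by the peer
        if claimed is not None and claimed != sender:
            verdict = "spoof-dropped"
        elif (sender, msg.get("to")) not in ALLOWED_ROUTES:
            verdict = "policy-denied"
        else:
            verdict = "delivered"
            self.name_to_pipe[msg["to"]].send(dict(msg, **{"from": sender}))
        self.audit.append((verdict, sender, claimed, msg.get("to"), msg.get("type")))
        return verdict

    def dispatch(self, timeout=0.5):
        """Handle every pending message; return the verdict for each one."""
        verdicts = []
        for conn in wait(list(self.pipe_to_name), timeout=timeout):
            while conn.poll():
                verdicts.append(self._route(conn, conn.recv()))
        return verdicts


def demo():
    """Three constructed messages: one legitimate, one spoofed, one off-policy."""
    kernel = BrowserKernel()
    webpage, network, ui = (kernel.register(n) for n in ("webpage", "network", "ui"))
    webpage.send({"to": "network", "type": "fetch", "url": "http://example.test/"})
    webpage.send({"from": "ui", "to": "network", "type": "fetch"})   # claims to be UI
    network.send({"to": "ui", "type": "set-address"})                # route not allowed
    verdicts = kernel.dispatch()
    received = network.recv() if network.poll(0.5) else None
    return verdicts, received, kernel.audit
```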