Convinced that all modern Web browsers suffer from "fundamental design flaws" that expose users to nonstop hacker attacks, researchers at the University of Illinois at Urbana-Champaign are building a new browser from scratch, with security as the killer feature.
The project, code-named OP (for Opus Palladianum) as a tribute to the Mosaic browser, is the brainchild of Samuel King, an assistant professor in the computer science department at UIUC and a renowned security expert, who pioneered research around virtual machine rootkits while an intern at Microsoft.
"We believe Web browsers are the most important network-facing application, but the current browsers are fundamentally flawed from security perspective," King said in an interview with eWEEK. "If you look at how the Web was originally designed, it was an application with static Web pages as data. Now, it has become a platform for hosting all kinds of important data and businesses, but unfortunately, [existing] browsers haven't evolved to deal with this change and that's why we have a big malware problem."
The idea behind the OP security browser is to partition the browser into smaller subsystems and make all communication between subsystems simple and explicit.
"At the core of our design is a small browser kernel that manages the browser subsystems and interposes on all communications between them to enforce our new browser security features," he said.
The research team has already created a full-blown prototype that will be introduced at the 2008 IEEE Symposium on Security and Privacy in May. The prototype currently runs on Linux with KHTML as the layout engine. The long-term plan is to create a cross-platform Webkit version that will be released to the open-source community, King said.
The creation of the OP security browser comes at a time when incumbent browser makers are scrambling to integrate anti-malware and anti-fraud mechanisms to deal with a dramatic rise in hacker attacks. Microsoft is using a Protected Mode sandboxing mechanism in its flagship Internet Explorer and plans to fit a drive-by malware blocker into the next iteration of IE. Mozilla has also used security features as its major sales pitch to compete with Microsoft, but despite those moves, vulnerabilities and malicious hacker attacks that use the browser as the entry point to desktops continue to rise.
This is where King and his team see a valuable need for the OP browser. To show the utility of the browser architecture design, he said, three novel security features will be used. For starters, OP uses flexible security policies that cater to the use of external plug-ins without putting the onus of security on the third-party developer.