Convinced that all modern Web browsers suffer from “fundamental design flaws” that expose users to nonstop hacker attacks, researchers at the University of Illinois at Urbana-Champaign are building a new browser from scratch, with security as the killer feature.
The project, code-named OP (for Opus Palladianum) as a tribute to the Mosaic browser, is the brainchild of Samuel King, an assistant professor in the computer science department at UIUC and a renowned security expert, who pioneered research around virtual machine rootkits while an intern at Microsoft.
“We believe Web browsers are the most important network-facing application, but the current browsers are fundamentally flawed from a security perspective,” King said in an interview with eWEEK. “If you look at how the Web was originally designed, it was an application with static Web pages as data. Now, it has become a platform for hosting all kinds of important data and businesses, but unfortunately, [existing] browsers haven’t evolved to deal with this change and that’s why we have a big malware problem.”
The idea behind the OP security browser is to partition the browser into smaller subsystems and make all communication between subsystems simple and explicit.
“At the core of our design is a small browser kernel that manages the browser subsystems and interposes on all communications between them to enforce our new browser security features,” he said.
The research team has already created a full-blown prototype that will be introduced at the 2008 IEEE Symposium on Security and Privacy in May. The prototype currently runs on Linux with KHTML as the layout engine. The long-term plan is to create a cross-platform Webkit version that will be released to the open-source community, King said.
The creation of the OP security browser comes at a time when incumbent browser makers are scrambling to integrate anti-malware and anti-fraud mechanisms to deal with a dramatic rise in hacker attacks. Microsoft is using a Protected Mode sandboxing mechanism in its flagship Internet Explorer and plans to fit a drive-by malware blocker into the next iteration of IE. Mozilla has also used security features as its major sales pitch to compete with Microsoft, but despite those moves, vulnerabilities and malicious hacker attacks that use the browser as the entry point to desktops continue to rise.
This is where King and his team see a valuable need for the OP browser. To show the utility of the browser architecture design, he said, three novel security features will be used. For starters, OP uses flexible security policies that cater to the use of external plug-ins without putting the onus of security on the third-party developer.
Figure: OP’s five main subsystems
“Our policy removes the burden of security from plug-in writers, and gives plug-ins the flexibility to use innovative network architectures to deliver content while still maintaining the confidentiality and integrity of our browser, even if attackers compromise the plug-in,” he said.
The OP security model also uses formal methods to prove that the address bar displayed within the browser UI always shows the correct address for the current Web page, a key anti-phishing mechanism aimed at reducing exposure to identity theft attacks.
The UIUC team has also designed a browser-level information-flow tracking system to enable post-mortem analysis of browser-based attacks.
“If an attacker is able to compromise our browser, we highlight the subset of total activity that is causally related to the attack, allowing users and system administrators to determine easily which Web site led to the compromise and to assess the damage of a successful attack,” King said. “The biggest problem with existing browsers, whether it’s IE or Firefox, is that a browser exploit gives the attacker access to everything on the system. It’s even more troublesome on browsers where plug-ins are being used. A single exploit from a single Web page sacrifices the security of the entire system. That’s unacceptable. What we do is break the browser into smaller sub-components. This could provide security in ways that others can’t.”
In its current form, OP consists of five main subsystems: the Web page subsystem, a network component, a storage component, a user-interface component, and a browser kernel.
Each subsystem runs in a separate OS-level process, and the Web page subsystem is itself split across several processes, King said. Beneath it all, the browser kernel manages the communication between subsystems and between processes, and mediates their interactions with the underlying operating system.
In its current design, OP uses SELinux (Security-Enhanced Linux) for OS-level sandboxing, limiting what each subsystem can do to the underlying operating system, but King said other techniques, such as AppArmor, Systrace or Janus, would be equally suitable.
The role of the OP browser kernel is significant, since it is the trusted base of the design: it is responsible for managing the subsystems, routing the messages between them, and maintaining a detailed security audit log.
The browser kernel creates most processes when the browser first launches, but it creates Web page instances on demand whenever a user visits a new Web page, King said.
“The browser kernel implements message passing using OS-level pipes, and it maintains a mapping between subsystems and pipes,” he said, noting that the mapping allows the browser kernel to avoid source subsystem spoofing since the browser kernel can accurately identify the subsystem connected to a pipe when it receives a message.
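The pipe-to-subsystem mapping described above, as an added illustration that is not OP’s own code: a small Python model of a browser kernel that creates one OS pipe per subsystem, names the sender of every message from the pipe it arrived on rather than from any “from” field in the payload, checks the pair against a constructed policy table, and records each decision in an audit log. The subsystem names, message types and policy entries are assumptions made for the example.

```python
import json
import os

# Constructed policy: which (sender, receiver) pairs may exchange which message types.
# Entries are illustrative assumptions, not OP's actual policy.
ALLOWED = {
    ("webpage", "network"): {"fetch"},
    ("webpage", "ui"): {"render"},
    ("network", "webpage"): {"response"},
    ("ui", "webpage"): {"navigate"},
}

class BrowserKernel:
    """Hypothetical broker: one pipe per subsystem, sender identity taken from the pipe."""
    def __init__(self, subsystems):
        self.pipes = {}   # subsystem name -> (read fd, write fd)
        self.owner = {}   # read fd -> subsystem name (the trusted mapping)
        self.audit = []   # security audit log of every routing decision
        for name in subsystems:
            r, w = os.pipe()
            self.pipes[name] = (r, w)
            self.owner[r] = name

    def receive(self, read_fd):
        msg = json.loads(os.read(read_fd, 4096))
        sender = self.owner[read_fd]            # derived from the pipe, never from the payload
        claimed = msg.get("from")               # anything the sender wrote is untrusted
        ok = msg["type"] in ALLOWED.get((sender, msg["to"]), set())
        verdict = "deliver" if ok else "drop"
        self.audit.append({"pipe_sender": sender, "claimed": claimed,
                           "to": msg["to"], "type": msg["type"], "verdict": verdict})
        return verdict

    def close(self):
        for r, w in self.pipes.values():
            os.close(r); os.close(w)

def exchange(kernel, sender, msg):
    """Constructed harness: write msg on the sender's pipe and let the kernel read it back."""
    r, w = kernel.pipes[sender]
    os.write(w, json.dumps(msg).encode())
    return kernel.receive(r)

def demo():
    k = BrowserKernel(["webpage", "network", "ui"])
    verdicts = [
        exchange(k, "webpage", {"to": "network", "type": "fetch", "url": "http://example.invalid/"}),
        # a Web page instance writes a payload claiming to be the UI; the pipe says otherwise
        exchange(k, "webpage", {"from": "ui", "to": "webpage", "type": "navigate"}),
        exchange(k, "network", {"to": "webpage", "type": "response"}),
    ]
    k.close()
    return verdicts, k.audit
```

The second message is dropped because the policy lookup uses the pipe’s owner (“webpage”), and the audit entry preserves both the real and the claimed source for post-mortem analysis.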