    Is There Room for a Security Browser?

    Written by

    Ryan Naraine
    Published March 26, 2008

      Convinced that all modern Web browsers suffer from “fundamental design flaws” that expose users to nonstop hacker attacks, researchers at the University of Illinois at Urbana-Champaign are building a new browser from scratch, with security as the killer feature.
      The project, code-named OP (for Opus Palladianum) as a tribute to the Mosaic browser, is the brainchild of Samuel King, an assistant professor in the computer science department at UIUC and a renowned security expert, who pioneered research around virtual machine rootkits while an intern at Microsoft.
      “We believe Web browsers are the most important network-facing application, but the current browsers are fundamentally flawed from a security perspective,” King said in an interview with eWEEK. “If you look at how the Web was originally designed, it was an application with static Web pages as data. Now, it has become a platform for hosting all kinds of important data and businesses, but unfortunately, [existing] browsers haven’t evolved to deal with this change and that’s why we have a big malware problem.”
      The idea behind the OP security browser is to partition the browser into smaller subsystems and make all communication between subsystems simple and explicit.

      “At the core of our design is a small browser kernel that manages the browser subsystems and interposes on all communications between them to enforce our new browser security features,” he said.
      The research team has already created a full-blown prototype that will be introduced at the 2008 IEEE Symposium on Security and Privacy in May. The prototype currently runs on Linux with KHTML as the layout engine. The long-term plan is to create a cross-platform WebKit version that will be released to the open-source community, King said.
      The creation of the OP security browser comes at a time when incumbent browser makers are scrambling to integrate anti-malware and anti-fraud mechanisms to deal with a dramatic rise in hacker attacks. Microsoft is using a Protected Mode sandboxing mechanism in its flagship Internet Explorer and plans to fit a drive-by malware blocker into the next iteration of IE. Mozilla has also used security features as its major sales pitch to compete with Microsoft, but despite those moves, vulnerabilities and malicious hacker attacks that use the browser as the entry point to desktops continue to rise.
      This is where King and his team see a valuable need for the OP browser. To show the utility of the browser architecture design, he said, three novel security features will be used. For starters, OP uses flexible security policies that cater to the use of external plug-ins without putting the onus of security on the third-party developer.

      OP’s five main subsystems

      “Our policy removes the burden of security from plug-in writers, and gives plug-ins the flexibility to use innovative network architectures to deliver content while still maintaining the confidentiality and integrity of our browser, even if attackers compromise the plug-in,” he said.

      The OP security model also uses formal methods to prove that the address bar displayed within the browser UI always shows the correct address for the current Web page, a key anti-phishing mechanism aimed at reducing exposure to identity theft attacks.

      The UIUC team has also designed a browser-level information-flow tracking system to enable post-mortem analysis of browser-based attacks.

      “If an attacker is able to compromise our browser, we highlight the subset of total activity that is causally related to the attack, allowing users and system administrators to determine easily which Web site led to the compromise and to assess the damage of a successful attack,” King said. “The biggest problem with existing browsers, whether it’s IE or Firefox, is that a browser exploit gives the attack access to everything on the system. It’s even more troublesome on browsers where plug-ins are being used. A single exploit from a single Web page sacrifices the security of the entire system. That’s unacceptable. What we do is break the browser into smaller sub-components. This could provide security in ways that others can’t.”
      In its current form, OP consists of five main subsystems: the Web page subsystem, a network component, a storage component, a user-interface component, and a browser kernel.
      Each subsystem runs within separate OS-level processes, and the Web page subsystem is broken into several different processes, King said. Beneath it all, the browser kernel manages the communication between each subsystem and between processes, and manages interactions with the underlying operating system.
      In its current design, OP uses SELinux (security-enhanced Linux) to handle OS-level sandboxing to limit the interactions of each subsystem with the underlying operating system, but King said other techniques, like AppArmor, Systrace or Janus, would be equally suitable.
      The role of the OP browser kernel is significant: it serves as the base of the design and is responsible for managing the subsystems, managing the messages between the subsystems, and maintaining a detailed security audit log.
      The browser kernel creates most processes when the browser first launches, but it creates Web page instances on demand whenever a user visits a new Web page, King said.

      “The browser kernel implements message passing using OS-level pipes, and it maintains a mapping between subsystems and pipes,” he said, noting that the mapping allows the browser kernel to avoid source subsystem spoofing since the browser kernel can accurately identify the subsystem connected to a pipe when it receives a message.
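
The pipe-to-subsystem mapping described above can be sketched as follows. This is an added Python example, not code from the OP prototype: the policy triples, message names, JSON framing and the single-process demo (OP runs each subsystem in its own OS-level process) are all assumptions made for illustration.

```python
import json
import os

# Hypothetical policy: (source, destination, message type) triples the kernel forwards.
ALLOWED = {("webpage", "network", "fetch"), ("network", "webpage", "response"),
           ("ui", "webpage", "navigate")}


class BrowserKernel:
    def __init__(self, subsystems):
        self.pipe_owner = {}  # kernel-side read fd -> subsystem, fixed when the pipe is created
        self.write_end = {}   # subsystem -> fd handed to that subsystem for sending
        self.audit_log = []   # every decision is recorded, allowed or denied
        for name in subsystems:
            read_fd, write_fd = os.pipe()
            self.pipe_owner[read_fd] = name
            self.write_end[name] = write_fd

    def receive(self, read_fd):
        """Read one newline-terminated JSON message from a pipe and apply the policy."""
        raw = b""
        while not raw.endswith(b"\n"):
            chunk = os.read(read_fd, 1)
            if not chunk:  # writer closed the pipe
                break
            raw += chunk
        msg = json.loads(raw)
        # The source is the pipe's owner; whatever the message claims is only logged.
        src = self.pipe_owner[read_fd]
        allowed = (src, msg.get("dst"), msg.get("type")) in ALLOWED
        self.audit_log.append({"src": src, "claimed_src": msg.get("src"), "allowed": allowed,
                               "dst": msg.get("dst"), "type": msg.get("type")})
        return allowed


def demo():
    """Constructed messages: a normal fetch, then a web page instance claiming to be the UI."""
    kernel = BrowserKernel(["webpage", "network", "ui"])
    read_fd = next(fd for fd, name in kernel.pipe_owner.items() if name == "webpage")
    results = []
    for msg in ({"src": "webpage", "dst": "network", "type": "fetch"},
                {"src": "ui", "dst": "webpage", "type": "navigate"}):
        os.write(kernel.write_end["webpage"], json.dumps(msg).encode() + b"\n")
        results.append(kernel.receive(read_fd))
    return results, kernel.audit_log


if __name__ == "__main__":
    print(demo())
```

The second message is denied because the kernel attributes it to the pipe it arrived on, and the audit entry keeps both the real and the claimed source for later analysis.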
