
Designing and Implementing the OP and OP2 Web Browsers

Published: 01 May 2011

Abstract

Current web browsers are plagued with vulnerabilities, providing hackers with easy access to computer systems via browser-based attacks. Browser security efforts that retrofit existing browsers have had limited success because the design of modern browsers is fundamentally flawed. To enable more secure web browsing, we design and implement a new browser, called the OP web browser, that attempts to improve the state-of-the-art in browser security. We combine operating system design principles with formal methods to design a more secure web browser by drawing on the expertise of both communities. Our design philosophy is to partition the browser into smaller subsystems and make all communication between subsystems simple and explicit. At the core of our design is a small browser kernel that manages the browser subsystems and interposes on all communications between them to enforce our new browser security features.
To show the utility of our browser architecture, we design and implement three novel security features. First, we develop flexible security policies that allow us to include browser plugins within our security framework. Second, we use formal methods to prove useful security properties including user interface invariants and browser security policy. Third, we design and implement a browser-level information-flow tracking system to enable post-mortem analysis of browser-based attacks.
In addition to presenting the OP browser architecture, we discuss the design and implementation of a second version of OP, OP2, that includes features from other secure web browser designs to improve on the overall security and performance of OP. To evaluate our design, we implemented OP2 and measured its performance, memory, and filesystem impact while browsing popular pages. We show that the additional security features in OP and OP2 introduce minimal overhead.



Reviews

Ahmed Patel (Computing Reviews):

Current popular Web browsers like Internet Explorer and Mozilla provide attackers with easy access to computer systems and user accounts, thus compromising security and protection. Various previous attempts to overcome this problem (mainly, retrofit updates) have largely failed. The paper is apt, although the title seems inappropriate since it does not contain the words "security" and/or "protection." The authors' goal is to provide improved security features for their OP/OP2 secure browsers using a plugin architecture platform. The paper is relatively well written, presenting good problem analysis, defining security policies, and model checking the implementation and its evaluation. At the heart of the design is the browser kernel that manages all of the surrounding components and their inter-process communication. This model approach provides a clear separation between the implementation of the core functions of the browser components and the supplementary security and protection policy features and functions, thus providing a neat demarcation of component isolation guarantees to avoid security breaches. The OP/OP2 Web browsers record, and can assist in digital forensic examinations of, attacks that they are otherwise unable to prevent. All of these properties enable the Web client to withstand attacks. I have learned new things from this paper; everything is explained reasonably well, with good examples to support the OP system design.

Online Computing Reviews Service


Published In

ACM Transactions on the Web, Volume 5, Issue 2 (May 2011), 190 pages
ISSN: 1559-1131, EISSN: 1559-114X
DOI: 10.1145/1961659
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Publication History

    Published: 01 May 2011
    Accepted: 01 September 2010
    Revised: 01 August 2010
    Received: 01 September 2008
    Published in TWEB Volume 5, Issue 2


    Author Tags

    1. OP browser
    2. Web browsing
    3. browser plugin
    4. formal verification
    5. security

    Qualifiers

    • Research-article
    • Research
    • Refereed


Cited By

    • (2024) Extent of spending behavior, problems encountered, and financial knowledge across generational cohorts among state universities and colleges employees. International Journal of ADVANCED AND APPLIED SCIENCES 11:2, 230-237. DOI: 10.21833/ijaas.2024.02.024. Online publication date: Feb-2024
    • (2023) Extending a hand to attackers. Proceedings of the 32nd USENIX Conference on Security Symposium, 7055-7071. DOI: 10.5555/3620237.3620632. Online publication date: 9-Aug-2023
    • (2020) Retrofitting fine grain isolation in the firefox renderer. Proceedings of the 29th USENIX Conference on Security Symposium, 699-716. DOI: 10.5555/3489212.3489252. Online publication date: 12-Aug-2020
    • (2019) Site isolation. Proceedings of the 28th USENIX Conference on Security Symposium, 1661-1678. DOI: 10.5555/3361338.3361454. Online publication date: 14-Aug-2019
    • (2017) Formal methods for web security. Journal of Logical and Algebraic Methods in Programming 87, 110-126. DOI: 10.1016/j.jlamp.2016.08.006. Online publication date: Feb-2017
    • (2017) Application of a Parallel FSM Parsing Algorithm for Web Engines. Smart Computing and Communication, 133-143. DOI: 10.1007/978-3-319-52015-5_14. Online publication date: 13-Jan-2017
    • (2016) "The Web/Local" Boundary Is Fuzzy. Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, 791-804. DOI: 10.1145/2976749.2978414. Online publication date: 24-Oct-2016
    • (2016) Colluding browser extension attack on user privacy and its implication for web browsers. Computers & Security 63, 14-28. DOI: 10.1016/j.cose.2016.09.003. Online publication date: Nov-2016
    • (2015) sandFOX. Proceedings of the 8th International Conference on Security of Information and Networks, 20-27. DOI: 10.1145/2799979.2800000. Online publication date: 8-Sep-2015
    • (2014) Analyzing the dangers posed by Chrome extensions. 2014 IEEE Conference on Communications and Network Security, 184-192. DOI: 10.1109/CNS.2014.6997485. Online publication date: Oct-2014
