with OP and Chrome

scacchicgardenSoftware and s/w Development

Dec 13, 2013 (4 years and 7 months ago)


Secure Web Browsing

with OP and Chrome


Mohan Dhawan

More Troubles

Current browsers are plagued by

Script based Attacks

XSS, drive by downloads, pharming attacks, DNS Rebinding

Compromised / malicious plugins and extensions

Statistics for 2007

Internet Explorer had 93 security vulnerabilities, Mozilla
browsers had 74, Safari had 29, and Opera had 9

301 reported vulnerabilities in browser plugins

[OP Browser]


The problem

Related Work

OP Web Browser



Way Forward ?


The problem

Malicious script execution

XSS, XSRF, etc.


Browsers are a multi
principal platform

data and code (lots of scripts) from mutually distrusting sites interact

iGoogle, Microsoft Live

application model provides little isolation or security

limited built
in security by enforcing same origin policy

too restrictive

Handling compromised / malicious plugins and extensions

have full browser privileges

plugin writers implement ad
hoc policies

Related Work

Language Abstractions




Helen Wang et al



<div class = “noexecute” >

Trevor Jim et al


Related Work (contd.)



web applications should not be trusted

browsers should not be trusted

Separate browser instances with VMs

Richard Cox et al

CCS 07

Related Work (contd.)

Modify the browser

Script Accent

Domain specific “accents” for scripts and HTML object names

“An Analysis of Browser Domain
Isolation Bugs and A Light
Transparent Defence Mechanism”

Shuo Chen et al.

CCS 07

Dynamic Tainting

Track flow of sensitive information inside the web browser

“Cross Site Scripting Prevention with Dynamic Tainting and Static

Phillip Vogt et al.


Different isolation policy

Enforces access using server’s X.509 certificates and keys

“Dynamic Pharming Attacks and Locked Same
origin Policies for
Web Browsers”

Chris Karlof et al.

CCS 07

New Solutions

Build browser from scratch

Keeping in mind

web 2.0 applications

secure script execution

Latest efforts


Chris Grier, Shuo Tang, Samuel King

Oakland 08



OP Web Browser

Primary Goal is to ensure Secure Web

prevent browser based attacks from happening

limit the damage in case of a successful

provide ability to recover from successful attacks

Threat Model & Assumptions

Designed to operate under malicious influence

Attacks originated from a web page could potentially
target any part of the browser

Attacker can have complete control over the content

Circle of Trust

OS and JVM to enforce isolation

DNS names for labelling security contexts

OP Guiding Principles

Simple and explicit communication between components

Clean separation of functionality and security

Explicit interfaces reduce number of control flow paths

Strong isolation between browser components

Prevents unanticipated and unaudited interactions

Monitor components to ensure faithful execution

Delegate some security logic

Compatible with existing technologies

Goal is to secure web browsing

OP Architecture

Main subsystems

the web page subsystem,

a network component,

a storage component,

a UI component, and

a browser kernel

Each subsystem runs within separate OS level

SELinux sand
boxing to limit subsystem interaction
with OS

OP Architecture (contd.)

Subsystem Privileges

Browser Kernel

Manage subsystems

Creates and deletes all processes and subsystems

Creates web
page instances on demand

Multiplexes between existing web
pages on user navigation

Manages communication between subsystems

interposes on all message communication

Use of OS level pipes

Mapping of subsystems and pipes prevents spoofing

Single threaded, event driven component

All messages have unique ID

Browser Kernel (contd.)

Manages access control

Browser processes tagged with a security context

Tag depends on initial messages intercepted

Maintains detailed security audit log

Records all messages between subsystem

Helps in forensic analysis in event of system compromise

Web Page Subsystem

HTML parsing and rendering Engine


JavaScript Interpreter

Rhino (Java based)

provides strong isolation

Plugins are separate OS level processes

provide better isolation

Xvnc server which renders the visual content

Web Page Subsystem (contd.)

UI, Network & Storage Subsystems

UI is built in Java

do not render content directly

Each web page instance renders its own content

File System is accessed only through UI system

Storage component uses sqlite
db to store persistent
data like cookies

Network subsystem implements HTTP

Browser Plugins

Allow browsers to view additional mime types

loaded as a DLLs or shared objects

Communicate with the browser through a well defined API

Run in the same address space as the browser

Complicates security as they are given unchecked access to
browser internals

Successful attack on a plugin can lead to a full system

Plugins writers may implement their own ad
hoc security

Plugins and OP

Each instance is treated as a separate process

assigned a label (security context) by the kernel

By inspecting the messages

Plugin Access Control done by browser kernel

Uses the same security mechanisms and policies as for
the rest of the browser subsystems

OP and Plugin Security

Plugin Security Policies

Provider domain policy

allows a plugin in a page to use the permissions of the plugin
content source

Plugin freedom policy

allows additional outgoing network accesses for plugins to
support peer
peer applications

can only talk to network and storage subsystems

Formal Verification

OP browser modeled using Maude (reasoning engine)

both interpreter and language

Formally specify browser components in terms of invariants over
finite space

Program invariants include access control policies

Visual invariants include UI tampering

Address bar spoofing

Maude checks for states that violate invariants

Attack Analysis

Build a dependency graph between browser level

Objects connected by causal events

Backtracker graph generation algorithm is used

Backward algorithm is used to find origin of an attack

Forward algorithm is used to track effects of an attack

Great analyzing tool once an attack has occurred

Performance Evaluation


Apply OS principles for security

Process abstraction to provide protection and isolation

Process management

How long to cache the web page instance ?

Messages to subsystems analogous to syscalls

Access to protected resources via the kernel

Browser kernel intercepts all messages

Plugins are like device drivers

Hard to secure

OP provides protection against buggy plugins

Not against malicious ones

Discussion (contd.)


No micro
benchmark performance figures

Comparative analysis of how OP stands out with other

combating the known web exploits (e.g. XSS, XSRF etc.)

Future works

Enhance OP browser to prevent common attacks

DNS rebinding

Automated detection of crashed and malfunctioning
subsystems to trigger recovery actions

Way Forward ?


Developed by Google

Apple’s WebKit

Open source rendering engine for chrome


Developed for web 2.0 applications

Browsers are multi

Design Goals

New Age browsers must be

More stable


More secure

Simpler user interface

Legacy Browsers

Chrome Design

Different processes for
different tabs

separate address space

No fragmentation of
memory unlike legacy

isolation offers

Separate thread for

Speed : WebKit and V8


Efficient memory usage

Easily adapted to embedded devices

Easy interface for developers


Virtual machine for JavaScript

Provides safety and platfrom independence

Hidden class transition

Hidden Class Transition

function Point(x,y){

this.x = x;

this.y = y;


Machine Code Generation

Speed (contd.)


Machine code generation

Dynamic code generation

Cache code for future reference

Garbage collection

Heap segmented as new space and old space

GC entails

Stop program execution

Process only part of the heap in most GC cycles

Always know precise location of all pointers and objects

Updates all pointers to object if it moves to old space

Chrome features

Separation of the browser and tabs processes

Tabs no longer bound to a window

Privacy mode

only mode

No logging

No history saved

Session cookies deleted on closing the window

Web apps have their own chrome

Security and Safe Browsing

Malware and Phishing

Huge monetary incentive

Chrome continuously downloads lists of phishing and malware sites


Security from malware

All processes stripped of their rights to read / write to sensitive areas

Cannot interact among themselves

Security Levels



Plugins run as a separate process

Unlike legacy browsers where plugins,
HTML and JavaScript run as a single process

Overall Picture

Google Gears

Adds a set of API to the browser for developers

Plugin that extends browser capabilities

Create web apps that can run offline

Key features

A local server, to cache and serve application

A database, to store and access data from within the browser

A worker thread pool, to make web apps more responsive

Open standard


Similarities with OP

Browser split into components

Each within its own protection domain

Both have a main process

Browser Kernel, Chrome Process

Plugins are executed as separate processes

No details about extension handling

Differences with OP

Separate thread for JavaScript VM

Separation of browser and tabs

Discussion (contd.)

New Features

Dynamic code generation

Phishing and Malware protection


Open Issues

Secure script execution

Handling malicious plugins and extensions

Framework for web 2.0 applications


OP uses OS features to secure web browsers

Chrome extends OP, adds security and speed

Thank You