Is There Room For a Secure Web Browser?

An anonymous reader points out an eWeek story about researchers from the University of Illinois at Urbana-Champaign who are designing a new web browser based on security. The new software, code-named OP for Opus Palladianum, will separate various components of the browser into subsystems which are monitored and managed by the browser kernel. Quoting: "'We believe Web browsers are the most important network-facing application, but the current browsers are fundamentally flawed from security perspective,' King said in an interview with eWEEK. 'If you look at how the Web was originally designed, it was an application with static Web pages as data. Now, it has become a platform for hosting all kinds of important data and businesses, but unfortunately, [existing] browsers haven't evolved to deal with this change and that's why we have a big malware problem.' The idea behind the OP security browser is to partition the browser into smaller subsystems and make all communication between subsystems simple and explicit."

Somewhat pointless?

[Izabael_DaJinn (1231856)]

I'm not sure if I get this. The key feature seems this:

"Our policy removes the burden of security from plug-in writers, and gives plug-ins the flexibility to use innovative network architectures to deliver content while still maintaining the confidentiality and integrity of our browser, even if attackers compromise the plug-in," he said.

Great! :)

But even if it works as planned...this new browser is going to enter the market and who is going to download it? A tiny percentage of internet users--those would be part of the same minority who would also know how to use Firefox (and other browsers) quite safely *right now*.

So who is this product for? Seems interesting from a design point of view, but unelss one of the big browsers adopts it, could it really make even a tiny dent on the security of the internet?

I predict no. The internet's main problem is between the monitor and keyboard ;-)

*iza

Re:Somewhat pointless?

[Bacon Bits (926911)]

Don't be so close-minded. The same could have been said for Gecko (Mozilla) or Webkit (Safari) or Opera back in the IE 5/6 heydays.

Re:Somewhat pointless?

[webmaster404 (1148909)]

No, how Gecko/WebKit got so popular was because of how bad both a) ActiveX was and b) How much of a pain it was to get IE to render simple things. What we need is less bloated browsers, those that don't use up 100+ MB of RAM, along with faster browsers, as for security, as long as it is open-source it will probably be patched and up to date well enough to deal with all the problems except the one typing on the keyboard.

Re:Somewhat pointless?

[Bacon Bits (926911)]

And why was ActiveX bad? Not just because it was platform specific, but because it was insecure and prone to malware abuse. The model behind ActiveX was inherently flawed because it had too much trust for remote code to be automatically executed. Firefox and Opera are both billed as more secure because they are not subject to the kinds of broad attacks that IE 5 and 6 were.

Mozilla, Safari, and Opera gained market traction by having features that users or developers wanted that were not otherwise available. Security is a feature that many users, developers, and particularly network administrators desire. Say you have a choice between deploying your workstations with Firefox or with Secure Firefox, which one do you pick?

We're nearly to the stage where interface features (bookmarks, tabs, toolbars, javascript, flash, java) are reasonably complete and rendering speed and quality (Acid2, Acid3) is reasonably complete. So we can assume that any modern browser (including this new one) will be fully-featured and acid-compliant when released. It would be inane to do otherwise. So how do you improve browsers from here? Security *is* still an issue with browsers because they are *the* platform of the decade. Why not improve that?

Prove to me that security in IE, Firefox, Opera, and Safari is "good enough".

Re:Somewhat pointless?

[hedwards (940851)]

Prove to me that security in IE, Firefox, Opera, and Safari is "good enough".

The current number of browser exploits clearly indicates that you are correct.

IE has both activeX and extensions to worry about, on top of being tightly integrated into the core OS. And Firefox has the additional burden of all those extensions that most people use. Removing the extensions makes it significantly easier to audit the code and assure that the end user browser experience is secure. With extensions, they can only QA the browser itself and ensure that the basic API allows sufficiently secure practices.

Personally I like the idea that's being pushed here, and have been wondering for quite some time why there isn't more separation between extensions/plugins and the browser itself. People will use whatever is cheap, fast, pretty, reliable and secure. There is no inherent reason why with all the processing power and extensions to the processor that a browser like this can't nail the other three while being close enough on performance that people don't notice a speed trade off.

This kind of thing can already be done presently. Just in a less efficient and less fine grained manner. Linux or similar in a VM.

Re:

[Bacon Bits (926911)]

Personally, I'm hoping they come up with a good model for combating cross-site scripting (which AFAIK is still a problem in every browser... except perhaps lynx).

Re:Somewhat pointless?

[lymond01 (314120)]

What we need is less bloated browsers, those that don't use up 100+ MB of RAM

Ask not what else your 100 MB of RAM could have done for you, but what you could do with your other 1900 MB of RAM.

Like government, browsers could me more efficient with their resources. But think of your computer as a country in renaissance -- instead of worrying why you paid $100 for that hammer, question instead what the hammer may allow you to do whatever its cost.

(I'm only half-joking because I'm a satirist, not a realist...then I'd be half-serious.)

Re:Somewhat pointless?

[Dahamma (304068)]

or Opera back in the IE 5/6 heydays.

Or Opera in the IE 7/8 heydays, for that matter...

Re:Somewhat pointless?

[denton420 (1235028)]

What is the point in bashing their project? Do you not realize that even if no one uses this particular browser, it sets a precedent that others are likely to follow? Sometimes, you have to create just for the sake of creating. Beyond that, who really knows, this browser could be the next big hit with a little bit of mainstream media exposure. A product that delivers on all of its promises (more so in the IT genre) will have its day.

Plan 9

[spidr_mnky (1236668)]

As parent says, the product doesn't have to gain great popularity to have a great effect on the field, especially after a few years.

Plan 9 never "made it big", but it wasn't supposed to. Now most Unix systems have adopted ideas from Plan 9, like the /proc filesystem, and more concepts are being ported still, such as PortalFS, applying the theory that everything should be a file to network sockets.

Plan 9 isn't a superstar, and in my personal opinion it's a pain to try to use, but it's considered a highly successful project. I'd like to try this browser, just because it sounds cool, even if it isn't my new browser of choice. I hear people praise Firefox, not because it's the best browser ever, but because it put pressure on Explorer to keep up with the market.

Proof of concept is worth a lot.

Re:Somewhat pointless?

[Deanalator (806515)]

If I was offered a browser that was able to contain flash or quicktime 0day, I would switch to it in a heartbeat. For all the security in firefox, 0day still exists, and is used frequently in the environments that I work in. These threats can be mitigated, and we really should be moving towards properly designed software.

link to the paper:
http://www.cs.uiuc.edu/homes/kingst/Research_files/grier08.pdf [uiuc.edu]

Re:Somewhat pointless?

[RuBLed (995686)]

I predict no. The internet's main problem is between the monitor and keyboard ;-)

The internet's main problem is a cup of coffee?

Re:

[ModernGeek (601932)]

What is between the monitor and keyboard that causes issues with the internet?

Re:

[Heembo (916647)]

The internet's main problem is between the monitor and keyboard ;-)

I know you meant well, but that is a very ignorant statement. I can be casually surfing the web with a modern browser, and if I hit a site that was hijacked by an attacker, even if I have modern security software installed, I can get hit with JavaScript code that can escape the sandbox, break single origin policy, or (in the past) flat out run OS commands. The browser is an operating system. And a very insecure one at that.

Re:Somewhat pointless?

[AnonymousCactus (810364)]

These guys are researchers, why do you think their goal is to make a separate, competing browser? Generally, that only happens if the market is dumb enough to miss potential, if indeed it has some.
If they show the security advantages can be achieved without hurting other aspects of browser performance, something like Firefox or IE could implement their strategy and claim a big win for security over their competitors. This idea is at least a couple of years old. It would surprise me if it isn't simmering on the back burner of the IE team or someone influential at Mozilla.
As for everyone saying silly things about how programmers should just code better...go take an OS class. Browsers are becoming more like operating systems. Imagine if every program on your computer was essentially working with the same address space except for a few hard-coded rules. Even Windows long ago (like in DOS times) realized that's a broken approach.

Re:Somewhat pointless?

[Alsee (515537)]

I'm not sure if I get this. The key feature seems this:

The key feature is Trusted Computing.

So who is this product for?

The RIAA, MPAA, and all those people who want to make DRM locked websites where no one can save copies of pictures or any other content from the page, where you can't copy-paste text or anything else, where you can't run any ad-blockers, where you can't view the webpage source, where you can't "deep link", where they can securely track your identity, etc etc etc.

He's this guy's page [uiuc.edu] at The Information Trust Institute (ITI). [uiuc.edu]

Their definition of "secure" is securing computers against the owner.

They do Trusted Comptuting, Trusted Platform Models, DRM, they are even working on a Trusted DRM P2P system. Oh joy, I can't wait to get me some of that Trusted DRM P2P! Woohoo! Yummy! to ensure that distributed multimedia protocols' trustworthiness is enforced in terms of security... security when delivering voice, music... trusted peer-to-peer (P2P) streaming protocols in large-scale ad hoc distributed systems for efficient content distribution... Issues of digital rights management [uiuc.edu]

Come on, don't tell me no one noticed the project name "Opus Palladianum" and thought, "Damn, that sounds like Palladium!" Yep, this is the scheme for a DRM locked down browser running on a DRM hardware locked Palladium system. And yeah, the article mentions that this guy came from Microsoft. Who here is surprised at that? Yeah, me neither.

Yeah, tag this article trustedcomputing. Or treacherouscomputing if you prefer.

-

Re:Somewhat pointless?

[Alsee (515537)]

Replying to myself, I just got a look at the technical paper. [uiuc.edu]

On a browse through I don't see anything directly tied to Trusted Computing in there. So maybe I jumped the gun, but this group *is* deep into the Trusted Computing stuff, and the Palladium-esque name sure seems like more than a coincidence, and looking the paper it is exactly the sort of design you'd want to adapt into a Trusted Computing browser.

So I'm still rather suspicious of the intent and connections behind it, but I will retract my positive tagging that it *does* explicitly intend to involve Trusted Computing.

-

Re:Somewhat pointless?

[Corwn of Amber (802933)]

An other web browser that no one willl use, for the reasons you mention.

Like it's that hard to securely receive and render webpages. It's a trivial task. Anyone who says the contrary should get a reality check. It's very possible to program without bugs. That's what correctness tests are for. An if your tolkit sucks so much it has security holes, code your own lib from scratch.

Re:Somewhat pointless?

[piojo (995934)]

This browser seems like the sort of thing that big companies might like to install on their workstations. After all, they don't care that much about usability (my university currently has right clicking disabled--there are quite a few things that are harder or impossible if you can't right click). I don't mean to say that this browser will be unusable--it's just that a corporation might sacrifice speed and flexibility for security. This browser might also be good for kiosks.

Re:Somewhat pointless?

[irc.goatse.cx troll (593289)]

If your university runs windows, try hitting alt+shit+numlock (alt/shift have to be the left side) to enable mouse keys, then with numlock on hit * and then 5 to middleclick.

Fuck silly restrictions.

part of the solution....

[owlnation (858981)]

One quick and easy way to make the web a safer place would be for ActiveX to be shunned by everyone. If you are a web developer, simply refuse to use it.

Re:part of the solution....

[mnmn (145599)]

I'll give you an alternative.

Run the browser in a Virtual Machine along with its plugins. When you close it flush all changes to the binaries and keep the changes to the history and cache.

You might not even need VMware to do this, just virtualize the files available to the browser and the memory available to the process. I dont think this will have a performance hit.

Please don't link to eWeek

[Animats (122034)]

Users with strong privacy protections can't get past the stupid ad screen. Find another source, please.

no

[Kohath (38547)]

Security is low on the list of features people notice, so sacrificing anything higher on that list for the sake of security will be perceived as a negative feature.

So no.

Ad-free version of article

[jroysdon (201893)]

Ad-free version of article [eweek.com].

How hard is it to look for the "Print version" w/o ads and link to that?

Man, if only Samuel L Jackson were here...

[by Anonymous Coward]

He'd know what to say...

Whiny-bitch-free version of the motherfucking link provided by parent. [eweek.com]

or

Really fucking easy, which is why we don't need a karma whoring bitch such as yourself providing the motherfucking thing.

or

About as easy as shutting your editorializing bitchass mouth motherfucker.

In other news...

[ruinevil (852677)]

...emacs is getting a browser. Still no word on the implementation of a usable editor.

Re:

[Constantine XVI (880691)]

Everyone always seems to forget viper-mode

I've got a secure web browser

[dudeman2 (88399)]

Lynx [isc.org].

Re:I've got a secure web browser

[junner518 (1235322)]

Lynx has its problems as well...
http://www.ciac.org/ciac/bulletins/h-82.shtml [ciac.org]
http://securitydot.net/vuln/exploits/vulnerabilities/articles/14814/vuln.html [securitydot.net]

Such a great idea

[rudy_wayne (414635)]

Divide your software into subsystems managed by a kernel. That's certainly guaranteed to make things more secure -- just look how well it worked for Windows.

The super-duper-secure safe OS

[sweet_petunias_full_ (1091547)]

OK, if you really want a truly secure safe OS (and by extension, to a browser mapped to the same address space), this is what you need in your OS:

Not one microkernel, for extra safety you need redundant nanokernels, with a microkernel over those, then the user kernel. To prevent buffer overruns, all messages passed between these are sent as emails, with spamassassin checking lest any of them get any ideas about sending spams.

OK, next you need lots of verification. Every time you write to disk there should be a second process to verify that what was written is correct. Then you need a process to check that the verifier process is checking things correctly. If memory doesn't run out while doing this, a body of processes should vote democratically as to whether the whole thing finished correctly. In case of collusion between the processes, some of them will be strictly dice rolls.

The least trusted part of the computer is the user, otherwise known as the "owner" of said computer. Thus, that person should not be allowed to do anything because that is a sure way to introduce problems. Harass that person with questions and popups at every opportunity. That will make sure they go out and read a book and not get in the way of the important things that the operating system is trying to do.

To prevent hardware from crashing any of the kernels, they must be separated by a special interface layer that works a lot like a chat room (IRC). What this means is that devices that speak the protocol correctly can connect and be listened to by the kernel(s). Those that misbehave or that use foul language are kicked off by the watchdog process. The watchdog process is watched by a bulldog process. Sometimes the bulldog just barks, other times the two are wrestling it out on the ground while the rest of the system waits for them to sort out their differences. Alas, such is the price of progress.

To further prevent buffer overruns, a new character encoding is introduced where a previously one-byte code now needs ten bytes to encode it. This means that buffers have to be ten times bigger and thus there is a lot more space before an overrun occurs.

Let me know if you can think of any more features to add to this future super-OS.

Re:The super-duper-secure safe OS

[Zebra_X (13249)]

With all those kernels lying around all you are going to get out that design is *popcorn*

Government model

[Mr. Underbridge (666784)]

I thin that's the security model our government uses. Wrap everything in massive layers of bureaucracy and nothing bad happens. Of course, nothing good happens either, but that's OK.

Re:

[jhol13 (1087781)]

Free market!

Let all the processes be fully independent, evolving and with absolutely no regulations whatsoever. Give them 100 bucvk (virtual money). They will, according to economists, evolve into free market practically immediately. After that the free market will solve every problem in the most efficient way possible. Security will therefore be better than is possible with any other method.

Re:

[raddan (519638)]

I'm not sure if you're being witty or just naive, but this really does appear to be a general software engineering strategy that works. I don't know much about how Windows' kernel works, so I can't say whether their implementation is any good-- I suspect that their business imperative to provide backward compatibility and rich APIs have probably hindered their efforts on the security front.

But if you go out and look at software that is written to be secure, the subsystem approach is how it is done. Pos

The less functionality the better

[sweet_petunias_full_ (1091547)]

The solution for a more secure browser isn't to guild it with ever-growing layers of security and virtual machines, quite the reverse, it's to keep things simple.

If we allow an internet to exist without the need for complex interpreted languages, if people open mostly static HTML documents when they open web pages instead of opening a pandora's box of plugins, languages, interpreted bytecodes, activeX gotchas and other unnecessary exploitable garbage, then the entire internet will be more secure.

By making it more complex, exploits and backdoors are virtually guaranteed. But well, that's just *my* ignorant opinion.

Re:The less functionality the better

[by Anonymous Coward]

Web browsers are already complex, and they've been designed without any regard whatsoever for security. It's impossible to go back to static HTML documents by now. So would you prefer that everyone just sticks their head in the sand, and pretends that it'll all go away?

This approach allows for complex browsers to actually become safer, by simplifying them. The browser is broken up into a set of components. Each component runs in a separate process, completely isolated (by the operating system) from the other components. In addition, each component is isolated from the rest of the system using mandatory access controls (SELinux in this case) which prevent the component from doing anything that it doesn't need to do.

The key aspect is that the components only have one way to communicate with each other - a single communications channel which is created by, controlled, and mediated by the kernel process. That means that all interactions between the components are simplified, and can be monitored by the kernel. The kernel itself can be small and simple enough that it's behaviour can be proven correct. The kernel then enforces a security policy.

This approach is known to work - it's similar to the approach used by operating system kernels.

Let's say you break into the rendering component, where the HTML rendering and JavaScript VM reside. You have absolutely no access to the operating system - your only link to the outside world is through the kernel, to the other components. Even if you manage to run native code inside the rendering engine, the operating system won't allow you to access the network, filesystem, or anything else. You only have access to the IPC mechanisms, and even then only to the connection between the rendering component and the kernel.

If your objective is to compromise the operating system through the browser, you can not do that from here. You can't just send a message to the component that handles file access, and get it to load malware onto the system - the kernel will prevent it. Even if you also find a hole in the kernel that allows you to run native code inside the kernel, the kernel doesn't have the ability to access the filesystem either. The filesystem component won't help either - it only has access to a small piece of the filesystem.

If your goal is to steal someone's bank password, you'll still have a tough time of it. The kernel will prevent you from doing anything that doesn't fit within the security policy. Even if you could access a bank password, you're not going to be able to send that information to anyone. If you do have the ability to send that information, you're not going to have access to the passwords.

The idea is not to add complexity - this browser should be no more complex than any other. The idea is to improve security by separating components, isolating them, and verifying that they are not doing anything that they're not supposed to.

It's called "defence in depth" - acknowledging that the system can never be made totally secure, and designing it in such a way that any security breaches won't be able to do any damange, and are able to be tracked for analysis later.

What I want to know is...

[jemenake (595948)]

What the hell makes these UIUC people think that they know how to make a browser? You'd think they'd leave this kind of thing to people who've done it before. Sheesh! :)

Re:

[rthille (8526)]

Next thing you know, CERN will want to produce one!

Security is an annoyance to most peopl

[icepick72 (834363)]

Security isn't important enough to people right now to make the change away from IE (or older versions of it). A new browser deemed more secure will be met with less interest because those people not wanting to deal with current secure features in Firefox like NoScript and AdBlock plugins, surely they won't want to fiddle with something having even more restraints.

Yes, if it's standards-compliant

[mandelbr0t (1015855)]

I don't see why this couldn't fly. Samuel King appears to be a well-established professor with solid credentials. It's based on SELinux at present, but they've designed it to work with various other resource segmenting programs (they named AppArmor).

I'd say the key to finding a market will be standards-compliance. If it supports HTML 4 and XHTML reasonably well (like anyone can do it perfectly) and has ECMAScript, then it can work with a properly-designed webapp. While they're designing plugin support, I don't think it matters much whether Flash will be supported. People who care about security don't tend to be distracted by shiny things.

Sure, it won't even come close to top of the browser list. The purpose of this browser, however, is to bring web browsers to locations that can't use them because of security concerns. As a developer, I can certainly say that my productivity is improved with web access - forums, developer documentation, bug reports. I've been at companies that won't let their developers work on the Internet at all, probably for fear of espionage. The web browser is probably the second largest target (after e-mail clients) for malware writers. Web browsers are ubiquitous now, so spending some time researching "white-hat" web techniques is a worthwhile effort regardless, and I'm sure there are some who will find this browser useful. I will continue to use Firefox, despite the security concerns associated with JavaScript and Flash. My tin-foil hat is back in the closet, and I want to keep it there.

A link to the paper

[Sam King (1263550)]

Here is a link to the full research paper [uiuc.edu], we hope you enjoy it!

Doomed by Expediency

[bill_mcgonigle (4333)]

They're using a rendering engine written in a language that gets its stack smashed by buffer overflows. Nearly all browser security bugs that aren't of the XSS-type are due to buffer overflows.

Next.

Seriously, yes, I'd love to see a secure browser I could recommend for my family's computers, but it's alot of hard ground-up work. (It might actually be faster to write a tool to port the current Gecko/Webkit tree to another language automatically than to start in on a whole new rendering engine in a secure language).

Get started now and the silicon will be fast enough by time the browser is ready.

Here's what I want

[British (51765)]

How about simply throttling the CPU usage Flash can use in Firefox? The whole system can slow down to a crawl just from ONE ad-laden web page. I'm not on some slouch of a computer, but every once in a while I wonder why things are sluggish. I close the suspect tab and everything's back to normal.

To me a secure browser would be non-modular, and be pretty slim on the list of features.

NO activeX
NO plug-ins, period. Once you introduce a 3rd party software entry point, it's spoiled
No giving out referrer info unless you say so
strict cookie control
mike's ad blocking hosts file built in, and configurable(or something similar)
CANCELABLE javascript. Wha? Any time you get a javascript prompt, you'll have OK, cancel, and "stop all javascript right fucking now".
Javscript turn off URL bars, resizing of windows? I don't think so. Leave that to the user.

And I'm betting there's 20 other things I haven't thought of that's mandatory. The web browser has become so fluidic that there's tons of entry points to a user's system now.

Re:

[recoiledsnake (879048)]

CANCELABLE javascript. Wha? Any time you get a javascript prompt, you'll have OK, cancel, and "stop all javascript right fucking now".

Opera already does this.

Re:Here's what I want

[lithis (5679)]

When I press F12 in Opera (or pull down the Tools menu and choose Quick preferences), I get the following menu:

• Open all pop-ups
• Open pop-ups in background
• Block unwanted pop-ups
• Block all pop-ups
• Enable GIF/SVG animation
• Enable sound in webpages
• Enable Java
• Enable plug-ins
• Enable JavaScript
• Enable cookies
• Enable referrer logging
• Enable proxy servers
• Edit site preferences...

It's amazingly simple to enable and disable many irritating features. I keep plugins and animations off at all times, except when I want them.

Re:

[n6kuy (172098)]

What I'd like to know is who's the asshole that designed the functionality into JavaScript that allows it to take control of stuff that it has no business taking control of, such as window decorations, URL bar, status bar, right click menu, etc.

That person oughtta be lynched.

Yes, it's called IE 7 on Vista (seriously)

[ThinkFr33ly (902481)]

I know, I know... this is Slashdot, I shouldn't bother. But IE 7 on Vista (running in Protected Mode [msdn.com]) is pretty damn secure [washington.edu].

While there have been exploits for IE 7, not a single one of them could successfully bypass Protected Mode. I'd say that's a pretty damn good track record for a browser that has been out for about a year and a half and has undoubtedly been targeted by many, many bad guys. (And good guys, for that matter.)

A decent solution

[kylehase (982334)]

Just take Firefox Portable [portableapps.com] and disable many of the nasty defaults like third-party cookies etc. Then load all the paranoia extensions like no-script, safecache, safehistory, refcontrol, cslite etc. and you can create a pretty secure browser without having to develop one yourself.