Microsoft Research Showcases New Browser Prototype, "Gazelle"

Ars Technica reports that Microsoft has opened up about "Gazelle," a new browser prototype of theirs that is modeled after the underlying concepts of operating system design. "A research team led by Microsoft's Helen Wang recently published a report about an experimental browser prototype called 'Gazelle' that uses processes to isolate page content elements originating from different domains. It builds on the concept of multiprocess browsing but uses more fine-grained isolation to expand on the security advantages that are already delivered by existing multiprocess browsing models. But is it an operating system, Microsoft Research's analogue to Google's Chrome OS? Not quite."

New MS browser

[by Anonymous Coward]

Oh boy! A more secure browser from the pros at secure browsing, Microsoft.

Re:

[ocularDeathRay (760450)]

yes, but the cool thing about this browser is, if you need tech support there is a special number where you can call and talk to Tony Little!!

Re:

[Runaway1956 (1322357)]

Yeah. I read the FA. I see ActiveX. Wonderful. We all know that ActiveX is the most secure protocol on the face of the earth. /sarcasm

Re:

[gandhi_2 (1108023)]

ActiveX isn't a protocol. ActiveX != DCOM.

Re:

[Gerzel (240421)]

Except it isn't a browser. It is a paper, about a theoretical browser, with not even so much as a screen shot.

Re:New MS browser

[gmuslera (3436)]

Don't be so negative... they said "that is modeled after the underlying concepts of operating system design.". So it probably will be as secure as Microsoft Windows. At last Internet will be safe.

New Focus

[Haffner (1349071)]

Microsoft focusing on developing a browser-based OS is directly opposed to their current business model, which involves forcing users to purchase an operating system. Microsoft's focus has always been on for-pay, offline applications. Taking a precautionary foray into Google's future business model seems to show that they are at the very least wary of Google's future plans.

Re:

[tonyr60 (32153)]

Microsoft focusing on developing a browser-based OS is directly opposed to their current business model, which involves forcing users to purchase an operating system.

But not opposed to their business model of disrupting competition by any means possible. Significant competitor comes up with browser/OS combination, so lets tell the market that we are doing just that. Should keep the builders of those pesky netbook thingies from drifting away again.

Re:

[Joe Jay Bee (1151309)]

Uhh... what? I know of Xenix (which was a full fledged Unix) but are you sure you didn't see this on some pisspoor "geek humour" website?

Re:

[just_another_sean (919159)]

Well there was that odd time a few years back when they had Microsoft Linux available.... Just saying... (this isn't a joke, they DID)

[Citation needed]

Re:New Focus

[Andr T. (1006215)]

It happened when Microsoft invaded Cuba [mslinux.org].

Not an improvement

[Todd Knarr (15451)]

MS's idea is nice, but it's not going to help a lot of things very much. It'll help when plug-ins and helper apps go runaway, being in a separate process they won't be able to block the browser itself. But from a security standpoint the problem isn't that those embedded objects are in the same process, it's that they have access to the same page and the DOM elements in it and the data structures of the browser itself. And that won't be solved just by putting them in their own process, not without isolating them from the rest of the page and browser to a degree that'll break a lot of Microsoft's technologies.

Perhaps those technologies need to be broken.

[Kupfernigk (1190345)]

Some of Microsoft's technologies - like data files that can execute code - need to be broken. It is sometimes necessary to sacrifice convenience for a degree of security. The personal computer industry has been slowly coming to terms with this for the last 10 years or so, it would be nice if we don't have to wait another 10 before it all works properly.

Re:

[kestasjk (933987)]

If you're going to wait for an end to Office automation you'll be waiting for a long time.

Anyone else see the irony of this comment on a page full of AJAX tech by the way?

Re:

[girlintraining (1395911)]

it's that they have access to the same page and the DOM elements in it and the data structures of the browser itself.

Well, if that isn't convincing enough, threads usually inherit the permissions of the process creating it. So multi-threading only manages to increase complexity, without improving security. Any exploit made in the child process/thread can use those permissions to access the parent. It's not even a privilege escalation attack, because no permissions are changed to do it. Sad. Very sad.

Color me less excited :/

[Jugalator (259273)]

After reading that article, I'm much less excited than I was. I had assumed it was something similar to Google Chrome OS, but it's not even something that seems like it turned out very well for Microsoft, or something that can have yet undiscovered major issues on the horizon. The idea seems to have turned out overly complex to work around the limitations with the approach, and all that in a resource hungry .NET application. It says they're hopeful to get the per-tab RAM usage down from 16 MB, but I have to wonder by how much? This approach doesn't seem much better than running a process-separated browser written in Java. Ugh.

I have a hard time understanding the decision to use .NET, but perhaps it was a security decision? Anyway, it doesn't sound like the optimal choice, when the project all revolves around low-level features like isolating the tabs even further.

Re:

[LO0G (606364)]

I actually think it's closer to the OP browser [uiuc.edu] than it is Chrome OS.

Re:Color me less excited :/

[PsychicX (866028)]

But it's not supposed to be a product! MS --> Research --. It's an architectural experiment, and sure, a lot of projects graduate from Research to an actual product group. The goal is NOT to make something you can take to the open market though. It's a proper research lab, and so of course its stuff is frequently lacking. If it were to be converted to a product, it'd be staffed up with a full team who would spend a year or two -- or seven in the case of some unfortunate victims -- making it viable for public consumption.

Re:

[Grishnakh (216268)]

But sometimes, MS Research's projects do become actual products. Here's a famous example: link [youtube.com]

With a track record including successful products like this, I'm sure this MS Research project is sure to be a giant and resounding success.

Re:

[HermMunster (972336)]

OMG, that was horrible. Welcome to the new MS. And it took 4+ minutes to show us that.

Re:Color me less excited :/

[Colonel Korn (1258968)]

After reading that article, I'm much less excited than I was. I had assumed it was something similar to Google Chrome OS, but it's not even something that seems like it turned out very well for Microsoft, or something that can have yet undiscovered major issues on the horizon. The idea seems to have turned out overly complex to work around the limitations with the approach, and all that in a resource hungry .NET application. It says they're hopeful to get the per-tab RAM usage down from 16 MB, but I have to wonder by how much? This approach doesn't seem much better than running a process-separated browser written in Java. Ugh.

I have a hard time understanding the decision to use .NET, but perhaps it was a security decision? Anyway, it doesn't sound like the optimal choice, when the project all revolves around low-level features like isolating the tabs even further.

Read the article a bit more and you'll discover that the purpose of this project was to find the limitations of taking the separate process model to an extreme, with every element on a single page living in its own process. This was low level research, not an attempt to spark a new product.

Re:

[b4dc0d3r (1268512)]

How would you think it was related to Chrome OS?

I came here expecting to ask why they added this line But is it an operating system, Microsoft Research's analogue to Google's Chrome OS? Not quite. but you had already made this comment. Why would a browser prototype be like an operating system?

And.. using .NET more has always been their plan, to convince people you can write useful apps in it. I thought Vista was supposed to have large portions written in .NET - right along with the database-like filesyste

Will this keep the browser from "stalling"?

[wisebabo (638845)]

I am far from an expert on browsers so I am genuinely curious to know if this will keep the browser from occasionally "stalling". Will it allow the browser to keep downloading/processing the parts of the web page that it can even when certain elements are unavailable? If so, sounds like a good advance!

Standards

[doishmere (1587181)]

IE doesn't support web standards, but people still use it because it has Microsoft's name. Maybe this will get people to switch to a (hopefully) standards-compliant browser.

Wait, they did WHAT for HOW MANY COOKIES?

[girlintraining (1395911)]

It builds on the concept of multiprocess browsing but uses more fine-grained isolation to expand on the security advantages that are already delivered by existing multiprocess browsing models.

That's a new definition of security of which I was previously unaware. Just about anyone who's spent five minutes trying to do multi-process, multi-thread, unsyncronized accesses, cloud, spin-locks, etc., will tell you that no, there are no inherent security advantages. It'll be less secure unless you make a dedicated effort from project start just to keep it on par with single-threaded. The only "advantage" it has is that when it fails it'll crash more slowly, with a wider variety of obscure error messages, hammering the operating system as it tanks with the extra overhead as it does so. Yes, it might be slightly harder to develop an exploit because it's not using a generic flaw, but some complicated and obscure flaw -- but that's not more secure; Only badly designed.

Re:

[Tanman (90298)]

It's more secure because if one browser instance gets compromised, you don't automatically compromise all of the data currently in other browser instances.

At least that's my understanding. I could just as easily be wrong.

Re:

[Cyberax (705495)]

Yes. There ARE inherent advantages.

You can make RPC protocols with time-outs, so a supervisor process can kill offending child tab. Of course, you'll need to design your protocol to support timeouts, but I assume that Google and Microsoft developers are not stupid.

Next, you can easily isolate a process. Operating systems are GOOD at that, especially Linux with SELinux, seccomp and other _kernel-level_ sandboxing solutions.

Empirically, Google Chrome which also uses multi-process approach works _faster_ than

Re:

[ChatHuant (801522)]

You realize that IPC implies shared memory right?

Geeze, no, it absolutely doesn't. Shared memory is one of the possible mechanisms, but it's certainly not the only one [wikipedia.org]. You can do interprocess communication between processes running on different machines, on different architectures, on different continents, ferchrissake!

Unless you call the data itself "memory", in which case I suggest you should take up plastering, since computers are clearly too complex for you (no insult to plasterers intended, wonderful

Trident?

[Dotren (1449427)]

It's largely a .NET application that uses Internet Explorer's "Trident" rendering engine.

Granted, it has made significant improvements but I still haven't been that impressed by the Trident engine. Sometimes I wish they'd use someone else's engine so that they'd be kept up-to-date on standards AND you'd have the same browsing experience on multiple browsers.

I guess I can understand why they don't though... they'd be up a creek without a paddle if they used Webkit and people stopped developing for it or licensed Gecko from Firefox and they went under or yanked Microsoft's license.

Re:

[SanityInAnarchy (655584)]

I don't see how either of these are true.

Licensing Gecko -- is it out of the question for them to just go open source? And certainly Webkit proves you're wrong, by its very existence -- Apple adopted KHTML and started developing for it. As long as Apple continues shipping Safari, I don't see development stopping, but even in some imaginary world where Apple stopped caring, Microsoft could simply adopt the code themselves.

There is no technical or real business reason not to do it that way.

The real reason is

Re:

[nine-times (778537)]

they'd be up a creek without a paddle if they used Webkit and people stopped developing for it or licensed Gecko from Firefox and they went under or yanked Microsoft's license.

Well for one thing, if it adheres to standards, there shouldn't have to be that much concerns about whether people "stop developing for" a particular rendering engine. Also, can Mozilla yank someone's license for Gecko? Isn't it open source? Why should people stop using Webkit?

There are a few real reasons that Microsoft isn't using one of the existing open source rendering engines:

1. it would be acknowledging the validity and value of open source software
2. having a dominant but incompatible browser has

Re:

[BitZtream (692029)]

Wow, WTF do you think open source is for? You've managed to imply that the two most important advantages to open source don't exist for two very large open source projects.

Gecko is open source. They can't yank the license out from under you any more than they can from Webkit because the OSS license implies that you can continue to use it forever.

Second, Webkit, like Gecko can stop development right this instant and they won't be any worse off than using Trident. They'll just have to do the webkit or gec

Re:

[Dotren (1449427)]

Wow, WTF do you think open source is for?

The two items you're thinking of in my original post were just some rather bad assumptions on my part due mostly to being in a hurry when I was thinking about this and looking the info up.

When I looked up Gecko today I saw that it was developed by Mozilla and I assumed it was proprietary for their browser. I completed missed the following which is a few paragraphs down:

Its development is now overseen by the Mozilla Foundation. Licensed by a tri-license of the Mozilla Public License (MPL), GNU General Public License (GPL) and GNU Lesser General Public License (LGPL), Gecko is free and open source software.

My bad assumption on Webkit was due to forgetting that there are already other companies contributing back to it and that, therefore, SOMEO

Gazelle? How about Tree Sloth?

[MCSEBear (907831)]

Ummm... Isn't a Gazelle kind of a fast animal?

Since this browser runs at half the speed of the not exactly quick IE 7, shouldn't it be given a code name more in keeping with it's actual speed? I've always thought Ubuntu had a cute naming scheme going. I hereby dub this software Turgid Tortoise

Re:Gazelle? How about Tree Sloth?

[fuzzyfuzzyfungus (1223518)]

What they don't tell you is that the part of the gazelle it most closely emulates is the stomach; which, in ruminants, implements four-chambered process isolation in order to safely digest large quantities of low-quality input. This seemed like a valuable feature for a web browser.

Re:

[$RANDOMLUSER (804576)]

Ummm... Isn't a Gazelle kind of a fast animal?

Well, "Fronkensteen" (stitched together from discarded rotting corpses) was already in use, and "Staggering Fat Man" was voted down by the focus groups.

Re:Gazelle? How about Tree Sloth?

[finiteSet (834891)]

Ummm... Isn't a Gazelle kind of a fast animal?

Clearly they named it Gazelle because ultimately they expect it to be killed off by safari.

Not new

[BitZtream (692029)]

Unless if by new you mean:
From february at least, seems older to me: http://research.microsoft.com/apps/pubs/default.aspx?id=79655 [microsoft.com]

Has already appeared on slashdot and a hundred other tech sites.

http://tech.slashdot.org/article.pl?sid=09/02/22/1724244 [slashdot.org]

Its hard to google before you run to try and get a story submitted isn't it?

Cool! I am totally there!

[zmollusc (763634)]

Sounds neat. I shall get it immediately.
Well, right after I get Windows 7, which will be after I get Vista, which will be after i get XP which will be after I decide microsoft have done anything worthwhile after Windows 2000.

Boy, don't we miss x86 segments!

[tjstork (137384)]

Well, we were so eager to get rid of segments that by the time 80386 more or less perfected them, we dumped them for flat mode. Now they are gone in x86-64, likely never to return. What a terrible mistake! If we had different segments, we could have a lightweight browser process with user space threads assigning segments to different domains on the page. Instead of trying to get protection by wrapping software sandboxes around everything like Java, C# or something else does, we could have the CPU actually doing it. If only I could go back in time and say to myself, as I fumed over the likes of ES:CX... and say, no no, this will actually turn about to be a good thing in the future!

Re:

[BitZtream (692029)]

Uhm ... segmenting didn't sandbox shit. It just made it annoying to get in between, not impossible as shown by the many different libraries that help programmers do exactly that.

The Virtual Memory Manager support built into processors on the other hand DOES segment blocks of ram. This is why kernel space can be protected from random attacks in user space.

Perhaps an OS that takes more advantage of the VMU would accomplish what you want, but jumping back to segmented addressing just means that the hackers

Re:

[tjstork (137384)]

Uhm ... segmenting didn't sandbox shit. It just made it annoying to get in between, not impossible as shown by the many different libraries that help programmers do exactly tha

In 16 bit, it surely didn't, but you could set up a 386 to have a segmented memory model where each segment within a process got its own permissions. So basically, within a process, you could make sure that data from two different pointers, aka segments, would not overwrite each other.

Re:

[ergo98 (9391)]

I think you're confusing concepts. Segmented memory was a hack, and protected nothing. Then they added protected mode, giving OS' the option of acting as the cop of memory. That has been on the x86 since the 286, and is of course widely used.

Everything that any process on your machine does in user-space has to be effectively "allowed" by the operating system. It is purely due to non-granular permission structures that modern OS' don't allow you to fine-tune every permission of even "native" executables.

Re:

[tjstork (137384)]

confusing concepts..

No, I'm just looking at it from an instruction set point of view. In 16 bit world, ES,DS and the other segment registers were just annoyances that you had to deal with in order to get at data over 64k in length. In C you could choose a couple of ways to handle this - there was the small and tiny memory models which locked down the segments to be the start of the program and data, the medium and large, which lets you change the segments occasionally, and then the huge, which gave you an

What year is this?

[FranTaylor (164577)]

How long have we had browsers? How obvious is all of this? This reads like an article from 1997.

We are still debating the best way to multi-thread a browser!

One might have thought that we would be a little further along with this kind of stuff.

back to the 1970's

[jipn4 (1367823)]

The UNIX designers were adamant about process-based isolation, to the degree that UNIX for a long time did not have kernel threads (early versions of Java had to emulate threads even in the mid-90's). Macintosh and Windows were much quicker to adopt threads.

It's kind of ironic that Microsoft now is pushing for process-based isolation. Their window system, of course, has also moved to a client/server architecture and asynchronous calls now, like X11 already did 20 years ago. Why don't they just go all the

Here's the truth

[CherniyVolk (513591)]

A research team led by Microsoft's Helen Wang discovered how to rebrand and skin a theme for the widely used Firefox. "Since most people already think we stole Firefox code to render webpages correctly with IE 8, we got to thinking..." Helen Wang stated in a call yesterday. "Our next IE release will be simply to rebrand and change the default skin of the latest Firefox web browser! So we can then say, finally, that Internet Explorer correctly renders web pages according to W3C published standards." This

Re:

[Grishnakh (216268)]

Actually, the PP has a point, why don't they rename themselves "Bing"? After all, "Microsoft" is not only a stupid-sounding name (wow, a portmanteau of "microcomputer software", how clever. They must have found someone with a lot of imagination to come up with that. Probably the same genius that came up with the totally non-obvious name "Internet Explorer".), but it's pretty obsolete-sounding too since no one uses the term microcomputer any more.

However, Bing Crosby's spirit might take offense, if he has

Re:

[BitZtream (692029)]

Why?

The DOM is a programming technique. DOM is independent of HTML and HTML doesn't require DOM. DOM is how an app interacts and deals with HTML in general in its own memory.

SAX is another common alternative.

Then you can do what companies like Google, Yahoo! and MS do right now which is completely custom and has very little in common with a DOM implementation because a DOM implementation doesn't work on the scale they deal with.

Re:

[Viol8 (599362)]

Err yes, and?

The point is they're talking this up as some sort of new approach to programming a browser (or any app). It isn't. At least not outside the Windows world.