Is There Room For a Secure Web Browser? 222
An anonymous reader points out an eWeek story about researchers from the University of Illinois at Urbana-Champaign who are designing a new web browser based on security. The new software, code-named OP for Opus Palladianum, will separate various components of the browser into subsystems which are monitored and managed by the browser kernel. Quoting:
"'We believe Web browsers are the most important network-facing application, but the current browsers are fundamentally flawed from security perspective,' King said in an interview with eWEEK. 'If you look at how the Web was originally designed, it was an application with static Web pages as data. Now, it has become a platform for hosting all kinds of important data and businesses, but unfortunately, [existing] browsers haven't evolved to deal with this change and that's why we have a big malware problem.' The idea behind the OP security browser is to partition the browser into smaller subsystems and make all communication between subsystems simple and explicit."
part of the solution.... (Score:5, Informative)
Ad-free version of article (Score:4, Informative)
How hard is it to look for the "Print version" w/o ads and link to that?
Re:I've got a secure web browser (Score:4, Informative)
http://www.ciac.org/ciac/bulletins/h-82.shtml [ciac.org]
http://securitydot.net/vuln/exploits/vulnerabilities/articles/14814/vuln.html [securitydot.net]
A link to the paper (Score:5, Informative)
Re:The less functionality the better (Score:5, Informative)
This approach allows for complex browsers to actually become safer, by simplifying them. The browser is broken up into a set of components. Each component runs in a separate process, completely isolated (by the operating system) from the other components. In addition, each component is isolated from the rest of the system using mandatory access controls (SELinux in this case) which prevent the component from doing anything that it doesn't need to do.
The key aspect is that the components only have one way to communicate with each other - a single communications channel which is created by, controlled, and mediated by the kernel process. That means that all interactions between the components are simplified, and can be monitored by the kernel. The kernel itself can be small and simple enough that it's behaviour can be proven correct. The kernel then enforces a security policy.
This approach is known to work - it's similar to the approach used by operating system kernels.
Let's say you break into the rendering component, where the HTML rendering and JavaScript VM reside. You have absolutely no access to the operating system - your only link to the outside world is through the kernel, to the other components. Even if you manage to run native code inside the rendering engine, the operating system won't allow you to access the network, filesystem, or anything else. You only have access to the IPC mechanisms, and even then only to the connection between the rendering component and the kernel.
If your objective is to compromise the operating system through the browser, you can not do that from here. You can't just send a message to the component that handles file access, and get it to load malware onto the system - the kernel will prevent it. Even if you also find a hole in the kernel that allows you to run native code inside the kernel, the kernel doesn't have the ability to access the filesystem either. The filesystem component won't help either - it only has access to a small piece of the filesystem.
If your goal is to steal someone's bank password, you'll still have a tough time of it. The kernel will prevent you from doing anything that doesn't fit within the security policy. Even if you could access a bank password, you're not going to be able to send that information to anyone. If you do have the ability to send that information, you're not going to have access to the passwords.
The idea is not to add complexity - this browser should be no more complex than any other. The idea is to improve security by separating components, isolating them, and verifying that they are not doing anything that they're not supposed to.
It's called "defence in depth" - acknowledging that the system can never be made totally secure, and designing it in such a way that any security breaches won't be able to do any damange, and are able to be tracked for analysis later.
Re:Here's what I want (Score:3, Informative)
Re:We do not have a malware problem. (Score:1, Informative)
M$ has a malware problem.
Since I run Windows and don't have a malware problem, it follows that "M$" doesn't, either. Users who download and run shit on their computers do, however. It also follows that if I had a malware problem in OS X or Linux, it would be my fault.
A main process calls and monitors subroutines that do different things on demand. Calling the main program a kernel and it's messaging "OS level" does not do much for me.
Let's put it this way. If this had come out of IBM or some other company, you'd be praising god and passing the ammo, mostly because it's obvious by what you wrote here that you have no understanding whatsoever of the topic at hand, and didn't even bother to RTFA. You're just pretending to be an "advocate" by mindlessly bashing Microsoft, which does not help us one bit, especially when you use "we". While I use and promote free software whenever I can, I'd rather not be associated in any way with people like you.
Re:Somewhat pointless? (Score:5, Informative)
Fuck silly restrictions.
Re:Here's what I want (Score:4, Informative)
Slashdot keeps deleting this story: (Score:1, Informative)
http://security.itworld.com/5013/mac-hacked-first-in-contest-080327/page_1.html [itworld.com]
Just goes to show the culture of the alternate OS types. Anything that proves them wrong is covered up and denied.
Re:Somewhat pointless? (Score:1, Informative)
NoScript addon
-Prevents all scripting from sites not whitelisted (and nope, it isn't difficult. With most of the sites I visit in random browsing, I don't mind javascript working and when I care, it's two clicks away to permanently whitelist)
-Even if some site is whitelisted, it will as default prevent cross site scripting (nice bar in the upper corner, which lets you choose unsafe reload if you wish)
Really, one of the best plugins for firefox. I love it propably more than adblock. And it's pretty common too...
Re:Somewhat pointless? (Score:2, Informative)