Software Security The Internet

Is There Room For a Secure Web Browser?

An anonymous reader points out an eWeek story about researchers from the University of Illinois at Urbana-Champaign who are designing a new web browser based on security. The new software, code-named OP for Opus Palladianum, will separate various components of the browser into subsystems which are monitored and managed by the browser kernel. Quoting: "'We believe Web browsers are the most important network-facing application, but the current browsers are fundamentally flawed from security perspective,' King said in an interview with eWEEK. 'If you look at how the Web was originally designed, it was an application with static Web pages as data. Now, it has become a platform for hosting all kinds of important data and businesses, but unfortunately, [existing] browsers haven't evolved to deal with this change and that's why we have a big malware problem.' The idea behind the OP security browser is to partition the browser into smaller subsystems and make all communication between subsystems simple and explicit."
This discussion has been archived. No new comments can be posted.

  • by owlnation ( 858981 ) on Thursday March 27, 2008 @08:36PM (#22888648)
    One quick and easy way to make the web a safer place would be for ActiveX to be shunned by everyone. If you are a web developer, simply refuse to use it.
  • by jroysdon ( 201893 ) on Thursday March 27, 2008 @08:39PM (#22888686)
    Ad-free version of article [eweek.com].

    How hard is it to look for the "Print version" w/o ads and link to that?
  • A link to the paper (Score:5, Informative)

    by Sam King ( 1263550 ) on Thursday March 27, 2008 @09:04PM (#22888934)
    Here is a link to the full research paper [uiuc.edu], we hope you enjoy it!
  • by Anonymous Coward on Thursday March 27, 2008 @09:20PM (#22889026)
    Web browsers are already complex, and they've been designed without any regard whatsoever for security. It's impossible to go back to static HTML documents by now. So would you prefer that everyone just sticks their head in the sand, and pretends that it'll all go away?

    This approach allows for complex browsers to actually become safer, by simplifying them. The browser is broken up into a set of components. Each component runs in a separate process, completely isolated (by the operating system) from the other components. In addition, each component is isolated from the rest of the system using mandatory access controls (SELinux in this case) which prevent the component from doing anything that it doesn't need to do.

    The key aspect is that the components only have one way to communicate with each other - a single communications channel which is created by, controlled, and mediated by the kernel process. That means that all interactions between the components are simplified, and can be monitored by the kernel. The kernel itself can be small and simple enough that its behaviour can be proven correct. The kernel then enforces a security policy.

    This approach is known to work - it's similar to the approach used by operating system kernels.

    Let's say you break into the rendering component, where the HTML rendering and JavaScript VM reside. You have absolutely no access to the operating system - your only link to the outside world is through the kernel, to the other components. Even if you manage to run native code inside the rendering engine, the operating system won't allow you to access the network, filesystem, or anything else. You only have access to the IPC mechanisms, and even then only to the connection between the rendering component and the kernel.

    If your objective is to compromise the operating system through the browser, you can not do that from here. You can't just send a message to the component that handles file access, and get it to load malware onto the system - the kernel will prevent it. Even if you also find a hole in the kernel that allows you to run native code inside the kernel, the kernel doesn't have the ability to access the filesystem either. The filesystem component won't help either - it only has access to a small piece of the filesystem.

    If your goal is to steal someone's bank password, you'll still have a tough time of it. The kernel will prevent you from doing anything that doesn't fit within the security policy. Even if you could access a bank password, you're not going to be able to send that information to anyone. If you do have the ability to send that information, you're not going to have access to the passwords.

    The idea is not to add complexity - this browser should be no more complex than any other. The idea is to improve security by separating components, isolating them, and verifying that they are not doing anything that they're not supposed to.

    It's called "defence in depth" - acknowledging that the system can never be made totally secure, and designing it in such a way that any security breaches won't be able to do any damage, and are able to be tracked for analysis later.
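
The mediated-channel design described in the comment above, as an added example that is not part of the original comment or the OP project's code: a toy kernel that forwards a message only if the policy allows it and logs every decision. The component names, message types, policy table and origin-label rule are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical policy: (sender role, receiver role, message type) triples the kernel forwards.
ALLOWED = {
    ("ui", "renderer", "navigate"),
    ("renderer", "network", "fetch"),
    ("network", "renderer", "response"),
    ("renderer", "storage", "read_cookie"),
    ("storage", "renderer", "cookie"),
}

@dataclass
class Kernel:
    roles: dict = field(default_factory=dict)     # component id -> role
    origins: dict = field(default_factory=dict)   # renderer id -> origin label set by the kernel
    inboxes: dict = field(default_factory=dict)   # component id -> delivered messages
    audit: list = field(default_factory=list)     # every decision, kept for later analysis

    def register(self, comp_id, role, origin=None):
        self.roles[comp_id] = role
        self.inboxes[comp_id] = []
        if origin is not None:
            self.origins[comp_id] = origin

    def send(self, sender, receiver, msg_type, payload):
        """The single mediated channel: decide, log, then deliver or drop."""
        triple = (self.roles.get(sender), self.roles.get(receiver), msg_type)
        ok = None not in triple[:2] and triple in ALLOWED
        # A cookie read must name the origin the kernel itself assigned to the
        # sending renderer, so a compromised renderer cannot ask for another site's data.
        if ok and msg_type == "read_cookie":
            ok = payload.get("origin") == self.origins.get(sender)
        self.audit.append((sender, receiver, msg_type, "ALLOW" if ok else "DENY"))
        if ok:
            self.inboxes[receiver].append((sender, msg_type, payload))
        return ok

def demo():
    k = Kernel()
    for comp_id, role in [("ui", "ui"), ("net", "network"), ("store", "storage")]:
        k.register(comp_id, role)
    k.register("r1", "renderer", origin="https://bank.example")
    k.register("r2", "renderer", origin="https://evil.example")  # assume fully compromised
    return k, [
        k.send("r1", "store", "read_cookie", {"origin": "https://bank.example"}),  # own origin
        k.send("r2", "store", "read_cookie", {"origin": "https://bank.example"}),  # other origin
        k.send("r2", "store", "write_file", {"path": "/tmp/x"}),     # message type not in policy
        k.send("r2", "r1", "navigate", {"url": "https://evil.example"}),  # renderer to renderer
        k.send("r2", "net", "fetch", {"url": "https://evil.example/a"}),  # permitted by policy
    ]
```

The compromised renderer `r2` keeps its permitted network access but gets nothing from storage for another origin, and the three denied attempts remain in `k.audit`.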
  • by recoiledsnake ( 879048 ) on Thursday March 27, 2008 @09:42PM (#22889202)

    CANCELABLE javascript. Wha? Any time you get a javascript prompt, you'll have OK, cancel, and "stop all javascript right fucking now".
    Opera already does this.
  • by Anonymous Coward on Thursday March 27, 2008 @09:57PM (#22889298)
    You already posted [slashdot.org] in this article with one of your many sockpuppet accounts. Please don't game the moderation system or the posting limits for negative karma accounts. They exist for a reason.

    M$ has a malware problem.

    Since I run Windows and don't have a malware problem, it follows that "M$" doesn't, either. Users who download and run shit on their computers do, however. It also follows that if I had a malware problem in OS X or Linux, it would be my fault.

    A main process calls and monitors subroutines that do different things on demand. Calling the main program a kernel and its messaging "OS level" does not do much for me.

    Let's put it this way. If this had come out of IBM or some other company, you'd be praising god and passing the ammo, mostly because it's obvious by what you wrote here that you have no understanding whatsoever of the topic at hand, and didn't even bother to RTFA. You're just pretending to be an "advocate" by mindlessly bashing Microsoft, which does not help us one bit, especially when you use "we". While I use and promote free software whenever I can, I'd rather not be associated in any way with people like you.

  • by irc.goatse.cx troll ( 593289 ) on Thursday March 27, 2008 @10:06PM (#22889366) Journal
    If your university runs Windows, try hitting alt+shift+numlock (alt/shift have to be the left side) to enable mouse keys, then with numlock on hit * and then 5 to middleclick.

    Fuck silly restrictions.
  • by lithis ( 5679 ) <sdNO@SPAMselg.hethrael.org> on Thursday March 27, 2008 @10:35PM (#22889522) Homepage
    When I press F12 in Opera (or pull down the Tools menu and choose Quick preferences), I get the following menu:
    • Open all pop-ups
    • Open pop-ups in background
    • Block unwanted pop-ups
    • Block all pop-ups
    • Enable GIF/SVG animation
    • Enable sound in webpages
    • Enable Java
    • Enable plug-ins
    • Enable JavaScript
    • Enable cookies
    • Enable referrer logging
    • Enable proxy servers
    • Edit site preferences...
    It's amazingly simple to enable and disable many irritating features. I keep plugins and animations off at all times, except when I want them.
  • by Anonymous Coward on Thursday March 27, 2008 @11:07PM (#22889718)
    Mac OS X gets hacked first in a contest to hack 3 notebooks, running Mac OS X, Ubuntu and Vista, earning the hacker $10,000. Network attacks failed against all three yesterday causing the $20,000 offered to go unclaimed, today browser attacks were tested and Mac OS X failed in 2 minutes, Vista running IE7 and Ubuntu running Firefox managed to deflect all attacks. Tomorrow 3rd party applications will be added into the mix to increase the attack surface of the remaining contestants.

    http://security.itworld.com/5013/mac-hacked-first-in-contest-080327/page_1.html [itworld.com]

    Just goes to show the culture of the alternate OS types. Anything that proves them wrong is covered up and denied.
  • by Anonymous Coward on Friday March 28, 2008 @04:27AM (#22891310)
    Addons. (And don't go about "Default installation". The point of Firefox is to be a lightweight browser to which people add addons to add the functionality they want)

    NoScript addon
    -Prevents all scripting from sites not whitelisted (and nope, it isn't difficult. With most of the sites I visit in random browsing, I don't mind javascript working and when I care, it's two clicks away to permanently whitelist)
    -Even if some site is whitelisted, it will as default prevent cross site scripting (nice bar in the upper corner, which lets you choose unsafe reload if you wish)

    Really, one of the best plugins for Firefox. I love it probably more than adblock. And it's pretty common too...
  • by DKlineburg ( 1074921 ) on Friday March 28, 2008 @04:45AM (#22891382)
    F2... That is keyboard shortcut to rename a file. I never right click a file name. Too slow.
