
Is There Room For a Secure Web Browser?

An anonymous reader points out an eWeek story about researchers from the University of Illinois at Urbana-Champaign who are designing a new web browser based on security. The new software, code-named OP for Opus Palladianum, will separate various components of the browser into subsystems which are monitored and managed by the browser kernel. Quoting: "'We believe Web browsers are the most important network-facing application, but the current browsers are fundamentally flawed from security perspective,' King said in an interview with eWEEK. 'If you look at how the Web was originally designed, it was an application with static Web pages as data. Now, it has become a platform for hosting all kinds of important data and businesses, but unfortunately, [existing] browsers haven't evolved to deal with this change and that's why we have a big malware problem.' The idea behind the OP security browser is to partition the browser into smaller subsystems and make all communication between subsystems simple and explicit."

  • Somewhat pointless? (Score:5, Interesting)

    by Izabael_DaJinn ( 1231856 ) * <slashdot@@@izabael...com> on Thursday March 27, 2008 @08:30PM (#22888610) Homepage Journal
    I'm not sure if I get this. The key feature seems to be this:

    "Our policy removes the burden of security from plug-in writers, and gives plug-ins the flexibility to use innovative network architectures to deliver content while still maintaining the confidentiality and integrity of our browser, even if attackers compromise the plug-in," he said.

    Great! :)

    But even if it works as planned...this new browser is going to enter the market and who is going to download it? A tiny percentage of internet users--those would be part of the same minority who would also know how to use Firefox (and other browsers) quite safely *right now*.

    So who is this product for? Seems interesting from a design point of view, but unless one of the big browsers adopts it, could it really make even a tiny dent on the security of the internet?

    I predict no. The internet's main problem is between the monitor and keyboard ;-)

    *iza

  • by Anonymous Coward on Thursday March 27, 2008 @08:37PM (#22888654)
    Cool! A super slow browser that will lose all the performance wars to FF and Opera. Like anyone would use it. Compatible with what? One web page? Give me a break. If people in general actually cared about security we would already have security. Duh!
  • by Deanalator ( 806515 ) <pierce403@gmail.com> on Thursday March 27, 2008 @09:04PM (#22888930) Homepage
    If I was offered a browser that was able to contain flash or quicktime 0day, I would switch to it in a heartbeat. For all the security in firefox, 0day still exists, and is used frequently in the environments that I work in. These threats can be mitigated, and we really should be moving towards properly designed software.

    link to the paper:
    http://www.cs.uiuc.edu/homes/kingst/Research_files/grier08.pdf [uiuc.edu]
  • Doomed by Expediency (Score:3, Interesting)

    by bill_mcgonigle ( 4333 ) * on Thursday March 27, 2008 @09:15PM (#22889000) Homepage Journal
    They're using a rendering engine written in a language that gets its stack smashed by buffer overflows. Nearly all browser security bugs that aren't of the XSS-type are due to buffer overflows.

    Next.

    Seriously, yes, I'd love to see a secure browser I could recommend for my family's computers, but it's a lot of hard ground-up work. (It might actually be faster to write a tool to port the current Gecko/Webkit tree to another language automatically than to start in on a whole new rendering engine in a secure language).

    Get started now and the silicon will be fast enough by the time the browser is ready.
  • by Bacon Bits ( 926911 ) on Thursday March 27, 2008 @09:28PM (#22889088)
    And why was ActiveX bad? Not just because it was platform specific, but because it was insecure and prone to malware abuse. The model behind ActiveX was inherently flawed because it had too much trust for remote code to be automatically executed. Firefox and Opera are both billed as more secure because they are not subject to the kinds of broad attacks that IE 5 and 6 were.

    Mozilla, Safari, and Opera gained market traction by having features that users or developers wanted that were not otherwise available. Security is a feature that many users, developers, and particularly network administrators desire. Say you have a choice between deploying your workstations with Firefox or with Secure Firefox, which one do you pick?

    We're nearly to the stage where interface features (bookmarks, tabs, toolbars, javascript, flash, java) are reasonably complete and rendering speed and quality (Acid2, Acid3) is reasonably complete. So we can assume that any modern browser (including this new one) will be fully-featured and acid-compliant when released. It would be inane to do otherwise. So how do you improve browsers from here? Security *is* still an issue with browsers because they are *the* platform of the decade. Why not improve that?

    Prove to me that security in IE, Firefox, Opera, and Safari is "good enough".
  • by Heembo ( 916647 ) on Thursday March 27, 2008 @10:29PM (#22889496) Journal

    > The internet's main problem is between the monitor and keyboard ;-)
    I know you meant well, but that is a very ignorant statement. I can be casually surfing the web with a modern browser, and if I hit a site that was hijacked by an attacker, even if I have modern security software installed, I can get hit with JavaScript code that can escape the sandbox, break single origin policy, or (in the past) flat out run OS commands. The browser is an operating system. And a very insecure one at that.
  • by denton420 ( 1235028 ) on Thursday March 27, 2008 @11:37PM (#22889896)
    What is the point in bashing their project? Do you not realize that even if no one uses this particular browser, it sets a precedent that others are likely to follow? Sometimes, you have to create just for the sake of creating. Beyond that, who really knows, this browser could be the next big hit with a little bit of mainstream media exposure. A product that delivers on all of its promises (more so in the IT genre) will have its day.
  • by mnmn ( 145599 ) on Friday March 28, 2008 @12:23AM (#22890164) Homepage
    I'll give you an alternative.

    Run the browser in a Virtual Machine along with its plugins. When you close it flush all changes to the binaries and keep the changes to the history and cache.

    You might not even need VMware to do this, just virtualize the files available to the browser and the memory available to the process. I don't think this will have a performance hit.
  • by Bacon Bits ( 926911 ) on Friday March 28, 2008 @01:46AM (#22890642)
    Personally, I'm hoping they come up with a good model for combating cross-site scripting (which AFAIK is still a problem in every browser... except perhaps lynx).
  • by piojo ( 995934 ) on Friday March 28, 2008 @03:32AM (#22891124)
    They disabled right clicking in general. To rename a file, I have to do "file -> rename". There is no way to look at a folder's properties, because "file -> properties" is also disabled (so good luck freeing up disk on your network space when you can't see the folder sizes). Apparently, it's harder to mess up the computers without right clicking. These restrictions do not seem to apply to Firefox, Java, and some other non-Microsoft apps. Thank God they are written in a way that ignores stupid settings.
  • by Alsee ( 515537 ) on Friday March 28, 2008 @04:55AM (#22891412) Homepage
    Replying to myself, I just got a look at the technical paper. [uiuc.edu]

    On a browse through I don't see anything directly tied to Trusted Computing in there. So maybe I jumped the gun, but this group *is* deep into the Trusted Computing stuff, and the Palladium-esque name sure seems like more than a coincidence, and looking at the paper it is exactly the sort of design you'd want to adapt into a Trusted Computing browser.

    So I'm still rather suspicious of the intent and connections behind it, but I will retract my positive tagging that it *does* explicitly intend to involve Trusted Computing.

    -
  • ancient debate (Score:3, Interesting)

    by x2A ( 858210 ) on Friday March 28, 2008 @06:40AM (#22891810)
    Just because it runs as separate 'modules' which communicate using set message passing functions, that can't directly mess with each other's memory or the rest of the system, making it a zillion times more stable and secure than Other Browsers(tm), does not mean that it's going to be loads slower, or more complicated to develop for, or harder to find developers that will commit to developing for it. Monolithic browsers are a thing of the past. It's all about the micro-browser now. Just you watch. The Hirp of Internet Replacing Plugins (HIRP) browser will be what drives all of our web needs in the next 2-5 years/decades. You'll see.

  • by Jim McCoy ( 3961 ) on Friday March 28, 2008 @12:37PM (#22894916) Homepage
    > This approach allows for complex browsers to actually become safer, by simplifying them. The browser is broken up into a set of components. Each component runs in a separate process, completely isolated (by the operating system) from the other components. In addition, each component is isolated from the rest of the system using mandatory access controls (SELinux in this case) which prevent the component from doing anything that it doesn't need to do.
    [...]
    > This approach is known to work - it's similar to the approach used by operating system kernels.

    Unfortunately, this approach is also known to have several big problems. Take a quick spin through google for the "confused deputy" problem and you will see one of the primary complaints of ACL-based security. Capability-security researchers think they have a solution and in fact created a capability-secure browser called CapDesk several years ago. If anyone is actually interested in the problem they should check it out.
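
The "confused deputy" problem named in the comment above, as an added illustration (not code from the thread, the OP paper or CapDesk). The component names, file paths and ACL entries are hypothetical: a privileged "fetcher" component saves data on behalf of a less privileged "plugin", first under an identity-based ACL check and then with a passed-in capability.

```python
# Added illustration; component names, paths and ACL entries are hypothetical.
class Storage:
    """Storage component: the only code that touches files."""
    def __init__(self):
        self.files = {"history.db": "visited-sites", "downloads/a.bin": ""}
        # ACL keyed by component identity (constructed sample data).
        self.acl = {"fetcher": {"history.db", "downloads/a.bin"},
                    "plugin": {"downloads/a.bin"}}

    def _check(self, component, path):
        if path not in self.acl.get(component, set()):
            raise PermissionError(f"{component} may not write {path}")

    def write_as(self, component, path, data):
        # ACL style: the decision depends only on WHO sends the request.
        self._check(component, path)
        self.files[path] = data

    def open_cap(self, component, path):
        # Capability style: check once, hand back a handle bound to one file.
        self._check(component, path)
        return lambda data: self.files.__setitem__(path, data)


def fetcher_save_acl(storage, dest_path, body):
    """Deputy takes a path NAME from its caller and writes with its own rights."""
    storage.write_as("fetcher", dest_path, body)


def fetcher_save_cap(dest_cap, body):
    """Deputy takes a write handle; it can only reach what the caller could."""
    dest_cap(body)


def demo():
    acl, cap = Storage(), Storage()
    try:
        acl.write_as("plugin", "history.db", "plugin-data")
        direct = "allowed"
    except PermissionError:
        direct = "denied"
    # Same request routed through the deputy: the ACL sees "fetcher" and allows it.
    fetcher_save_acl(acl, "history.db", "plugin-data")
    try:
        fetcher_save_cap(cap.open_cap("plugin", "history.db"), "plugin-data")
        via_cap = "allowed"
    except PermissionError:
        via_cap = "denied"  # the plugin never obtains a handle to pass along
    fetcher_save_cap(cap.open_cap("plugin", "downloads/a.bin"), "plugin-data")
    return direct, acl.files["history.db"], via_cap, cap.files
```

In the ACL run the plugin's direct write is refused, yet the same write succeeds once it is relayed through the fetcher; in the capability run the plugin can only pass along authority it already holds.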
