MS Publishes Papers For a Modern, Secure Browser 296
V!NCENT writes with an excerpt from a new publication by Microsoft:
"As web sites evolved into dynamic web applications composing content from various web sites, browsers have become multi-principal operating environments with resources shared among mutually distrusting web site principals. Nevertheless, no existing browsers, including new architectures like IE 8, Google Chrome, and OP, have a multi-principal operating system construction that gives a browser-based OS the exclusive control to manage the protection of all system resources among web site principals. In this paper, we introduce Gazelle, a secure web browser constructed as a multi-principal OS. Gazelle's Browser Kernel is an operating system that exclusively manages resource protection and sharing across web site principals."
Here's the full research paper (PDF).
Re:Does it really (Score:5, Informative)
Highlights:
Re:Does it really (Score:5, Informative)
i've done event-driven vehicle simulators; i've clean-room network-reverse-engineered MSRPC and NT domains protocols; i've ported freedce to win32; i've added glib bindings to webkit and on top of that, ported a port of GWT to python even _more_ into python by adding DOM manipulation to pywebkitgtk.
in amongst all that mindless drivel of alphabet soup you should be getting a pretty clear picture that i'm not a stranger to complexity.
i've learned that if someone says "surely it doesn't have to be as complicated as all that", it's time to run like stink as fast as possible, out of the conversation and the room, and never look back.
browsers are effectively desktop technology within a desktop (and damn good at displaying widgets), except you're letting the web site dictate what "programs" are allowed to be "run" on your desktop^H^H^H^H^H^H^Hbrowser.
browsers are no longer "just HTML displayers", they are actually executing applications - _real_ applications - that in many instances happen to be written in javascript. GWT [google.com], Pyjamas [pyjs.org] and RubyJS [rubyforge.org] should all hammer that point home.
with that in mind, why is it so hard to then imagine that, given that the "browser" is doing everything that you can also do with desktop widget UI toolkits, why is it so hard to appreciate that you need the full range of OS technology to support that desktop^H^H^H^H^H^H^H^Hbrowser technology?
Re:Does it really (Score:5, Informative)
i've learned that if someone says "surely it doesn't have to be as complicated as all that", it's time to run like stink as fast as possible, out of the conversation and the room, and never look back.
So you've never encountered a situation where someone added complexity because they couldn't see a simpler way to do something? I sure have. Dismissing the idea that something is too complicated and could be made far simpler out of hand simply seems wrong to me.
why is it so hard to then imagine that, given that the "browser" is doing everything that you can also do with desktop widget UI toolkits, why is it so hard to appreciate that you need the full range of OS technology to support that desktop
I could see a case for it. I could also see a case for doing it WITHOUT modifying the full range of OS technology. Why is it so hard to see that a secure browser could be done using existing operating systems?
Re:Dear MS, (Score:4, Informative)
This is a paper co-authored by security researchers from MS *Research*, UIUC, and UWash. It is *not* a white paper let alone some kind of release announcement from MS. Security for web browsers in light of Web 2.0 technology is a major research topic, and I've seen a number of papers which propose similar ideas. What happens at MS Research (which has some darn good scientists) does not have to and often doesn't make it into a MS product. For example there is a lot of impressive research on privacy done by Cynthia Dwork at MS Research: haven't seen it or heard of it being implemented or even considered for implementation.
So, chill out - this is a research paper, not news about MS's new browser.
the short version .. (Score:3, Informative)
Run the OS in a separate process using a restricted set of system calls and sandbox from the rest of the system. In other words don't do what we did with Internet Explorer and embed it into the core OS kernel.
Re:Does it really (Score:5, Informative)
Same reason that thread creation is cheap in Windows but expensive in Linux - different designs to suit different usage methodologies. In the *nix world, its very common to fork off new processes to deal with tasks, whereas in Windows, the trend is to keep everything within the same process, with multiple threads handling various tasks. Either methodology will work in either OS, and Microsoft could redesign Windows to favour processes instead of threads, and Linus et al could redesign Linux to favour threads instead of processes, but due to the way the OS's are currently used, it would be pointless.
Re:Err (Score:3, Informative)
Actually, seeing as it is from Microsoft research, there is little chance that it will ever be implemented.
Re:Does it really (Score:3, Informative)
Thread creation in Linux is not expensive.
Re:Server already down? (Score:2, Informative)
Get the facts, you FUD-spewing Linux zealot! Downtime is good! It gives the servers time to rest!
Re:Does it really (Score:5, Informative)
short answer: the ACL-based security model, which is transparently networked onto "NT Domain Security".
the design comprises:
* the evaluation of the security descriptor, which is a binary blob that needs to be decoded
* the creation of a process, where the parent has a security descriptor "inheritance" chain to its parent, to its parent etc. etc.
* the possibility for evaluating an individual ACE that could be on a remote machine (a PDC)
* just the _possibility_ of having to contact the remote machine (the PDC) leaves a design where the creation even of a local process requires the use of MSRPC (on "local rpc" pipes - ncalrpc) in order to not drastically overcomplicate the code any more than it already is.
goodness knows what else is going on, but it's very very powerful but unfortunately with that power and flexibility of design comes a whopping great overhead.
and no you can't cache the results very much because someone might revoke a user's right to CREATE_PROCESS and they'd get a bit unhappy about that not being obeyed.
Re:Does it really (Score:3, Informative)
To add to this, threads are considered to be inexpensive in terms of RAM usage. Historically windows was designed for smaller computers with little amount of RAM.
Looking back its almost comical to think how much RAM each of MS OSes required. Although the architecture has significantly changed from windows 95 to windows nt/2000/xp, the requirement to make programs designed to work on older OSes kept the threading mechanism almost the same and therefore, more thread friendly environment.
probably old info (Score:5, Informative)
Linux threads were relatively heavyweight in early implementations, just about as much so as processes; the current implementation is much lighter weight. So some books still floating around contain that info, since it used to be true.
A sort of separate issue is that, for a variety of reasons, most Linux distros on x86 ship with a default 8MB pthread stack size, which is fairly high--- spawning a mere 50 threads gets you a nice 400MB of control stacks. You can set the stacksize smaller with pthread_attr_setstacksize, and the unused parts of those stacks can mostly live harmlessly in non-resident virtual memory, but it still makes threads seem heavier weight than they ought to seem.
Re:Princi-what? (Score:3, Informative)
I'm sorry, but did you actually use Netscape 4 and IE 4??
I did. I even programmed in them. And hell, all the cool features did not work in IE!
DHTML? JavaScript? They were in the same horrible state as they are today.
And IE did not even have a mail client, calendar, or anything else.
I used Opera in the time between Netscape 4.51 died and Mozilla/Firefox got fast enough and had enough applications to use it for more than development.
They did win for one simple reason: They gave their browser away with their os. Ror free. Knowing that Netscape needed the money. And when that did not help enough, they tried their usual mafia tactics, like offering Netscape developers money and the double salary to come over to them. Like with Borland, or Sun, or others.
They did neither win fair nor square (whatever that means), they won trough EEE [wikipedia.org]. So stop talking out of your ass.
Re:Right idea, wrong source (Score:3, Informative)
> #1. Registry is fine
Nope. Bill Gates says it is crap.
http://blog.seattlepi.nwsource.com/microsoft/archives/141821.asp
"Someone decided to trash the one part of Windows that was usable? The file system is no longer usable. The registry is not usable. This program listing was one sane place but now it is all crapped up."