Is There Room For a Secure Web Browser?

An anonymous reader points out an eWeek story about researchers from the University of Illinois at Urbana-Champaign who are designing a new web browser based on security. The new software, code-named OP for Opus Palladianum, will separate various components of the browser into subsystems which are monitored and managed by the browser kernel. Quoting: "'We believe Web browsers are the most important network-facing application, but the current browsers are fundamentally flawed from security perspective,' King said in an interview with eWEEK. 'If you look at how the Web was originally designed, it was an application with static Web pages as data. Now, it has become a platform for hosting all kinds of important data and businesses, but unfortunately, [existing] browsers haven't evolved to deal with this change and that's why we have a big malware problem.' The idea behind the OP security browser is to partition the browser into smaller subsystems and make all communication between subsystems simple and explicit."

Somewhat pointless?

I'm not sure if I get this. The key feature seems this:

"Our policy removes the burden of security from plug-in writers, and gives plug-ins the flexibility to use innovative network architectures to deliver content while still maintaining the confidentiality and integrity of our browser, even if attackers compromise the plug-in," he said.

Great! :)

But even if it works as planned...this new browser is going to enter the market and who is going to download it? A tiny percentage of internet users--those would be part of the same minority who would also know how to use Firefox (and other browsers) quite safely *right now*.

So who is this product for? Seems interesting from a design point of view, but unelss one of the big browsers adopts it, could it really make even a tiny dent on the security of the internet?

I predict no. The internet's main problem is between the monitor and keyboard ;-)

*iza

Re:Somewhat pointless?

Don't be so close-minded. The same could have been said for Gecko (Mozilla) or Webkit (Safari) or Opera back in the IE 5/6 heydays.

Re:Somewhat pointless?

No, how Gecko/WebKit got so popular was because of how bad both a) ActiveX was and b) How much of a pain it was to get IE to render simple things. What we need is less bloated browsers, those that don't use up 100+ MB of RAM, along with faster browsers, as for security, as long as it is open-source it will probably be patched and up to date well enough to deal with all the problems except the one typing on the keyboard.

Re:Somewhat pointless?

And why was ActiveX bad? Not just because it was platform specific, but because it was insecure and prone to malware abuse. The model behind ActiveX was inherently flawed because it had too much trust for remote code to be automatically executed. Firefox and Opera are both billed as more secure because they are not subject to the kinds of broad attacks that IE 5 and 6 were.

Mozilla, Safari, and Opera gained market traction by having features that users or developers wanted that were not otherwise available. Security is a feature that many users, developers, and particularly network administrators desire. Say you have a choice between deploying your workstations with Firefox or with Secure Firefox, which one do you pick?

We're nearly to the stage where interface features (bookmarks, tabs, toolbars, javascript, flash, java) are reasonably complete and rendering speed and quality (Acid2, Acid3) is reasonably complete. So we can assume that any modern browser (including this new one) will be fully-featured and acid-compliant when released. It would be inane to do otherwise. So how do you improve browsers from here? Security *is* still an issue with browsers because they are *the* platform of the decade. Why not improve that?

Prove to me that security in IE, Firefox, Opera, and Safari is "good enough".

Re:Somewhat pointless?

What we need is less bloated browsers, those that don't use up 100+ MB of RAM

Ask not what else your 100 MB of RAM could have done for you, but what you could do with your other 1900 MB of RAM.

Like government, browsers could me more efficient with their resources. But think of your computer as a country in renaissance -- instead of worrying why you paid $100 for that hammer, question instead what the hammer may allow you to do whatever its cost.

(I'm only half-joking because I'm a satirist, not a realist...then I'd be half-serious.)

Re:Somewhat pointless?

or Opera back in the IE 5/6 heydays.

Or Opera in the IE 7/8 heydays, for that matter...

Re:Somewhat pointless?

If I was offered a browser that was able to contain flash or quicktime 0day, I would switch to it in a heartbeat. For all the security in firefox, 0day still exists, and is used frequently in the environments that I work in. These threats can be mitigated, and we really should be moving towards properly designed software.

link to the paper:
http://www.cs.uiuc.edu/homes/kingst/Research_files/grier08.pdf [uiuc.edu]

Re:Somewhat pointless?

I predict no. The internet's main problem is between the monitor and keyboard ;-)

The internet's main problem is a cup of coffee?

Re:Somewhat pointless?

These guys are researchers, why do you think their goal is to make a separate, competing browser? Generally, that only happens if the market is dumb enough to miss potential, if indeed it has some.
If they show the security advantages can be achieved without hurting other aspects of browser performance, something like Firefox or IE could implement their strategy and claim a big win for security over their competitors. This idea is at least a couple of years old. It would surprise me if it isn't simmering on the back burner of the IE team or someone influential at Mozilla.
As for everyone saying silly things about how programmers should just code better...go take an OS class. Browsers are becoming more like operating systems. Imagine if every program on your computer was essentially working with the same address space except for a few hard-coded rules. Even Windows long ago (like in DOS times) realized that's a broken approach.

Re:Somewhat pointless?

An other web browser that no one willl use, for the reasons you mention.

Like it's that hard to securely receive and render webpages. It's a trivial task. Anyone who says the contrary should get a reality check. It's very possible to program without bugs. That's what correctness tests are for. An if your tolkit sucks so much it has security holes, code your own lib from scratch.

Re:Somewhat pointless?

If your university runs windows, try hitting alt+shit+numlock (alt/shift have to be the left side) to enable mouse keys, then with numlock on hit * and then 5 to middleclick.

Fuck silly restrictions.

Re:Somewhat pointless?

Replying to myself, I just got a look at the technical paper. [uiuc.edu]

On a browse through I don't see anything directly tied to Trusted Computing in there. So maybe I jumped the gun, but this group *is* deep into the Trusted Computing stuff, and the Palladium-esque name sure seems like more than a coincidence, and looking the paper it is exactly the sort of design you'd want to adapt into a Trusted Computing browser.

So I'm still rather suspicious of the intent and connections behind it, but I will retract my positive tagging that it *does* explicitly intend to involve Trusted Computing.

-

part of the solution....

One quick and easy way to make the web a safer place would be for ActiveX to be shunned by everyone. If you are a web developer, simply refuse to use it.

Ad-free version of article

Ad-free version of article [eweek.com].

How hard is it to look for the "Print version" w/o ads and link to that?

In other news...

...emacs is getting a browser. Still no word on the implementation of a usable editor.

I've got a secure web browser

Lynx [isc.org].

Re:I've got a secure web browser

Lynx has its problems as well...
http://www.ciac.org/ciac/bulletins/h-82.shtml [ciac.org]
http://securitydot.net/vuln/exploits/vulnerabilities/articles/14814/vuln.html [securitydot.net]

Such a great idea

Divide your software into subsystems managed by a kernel. That's certainly guaranteed to make things more secure -- just look how well it worked for Windows.

The super-duper-secure safe OS

OK, if you really want a truly secure safe OS (and by extension, to a browser mapped to the same address space), this is what you need in your OS:

Not one microkernel, for extra safety you need redundant nanokernels, with a microkernel over those, then the user kernel. To prevent buffer overruns, all messages passed between these are sent as emails, with spamassassin checking lest any of them get any ideas about sending spams.

OK, next you need lots of verification. Every time you write to disk there should be a second process to verify that what was written is correct. Then you need a process to check that the verifier process is checking things correctly. If memory doesn't run out while doing this, a body of processes should vote democratically as to whether the whole thing finished correctly. In case of collusion between the processes, some of them will be strictly dice rolls.

The least trusted part of the computer is the user, otherwise known as the "owner" of said computer. Thus, that person should not be allowed to do anything because that is a sure way to introduce problems. Harass that person with questions and popups at every opportunity. That will make sure they go out and read a book and not get in the way of the important things that the operating system is trying to do.

To prevent hardware from crashing any of the kernels, they must be separated by a special interface layer that works a lot like a chat room (IRC). What this means is that devices that speak the protocol correctly can connect and be listened to by the kernel(s). Those that misbehave or that use foul language are kicked off by the watchdog process. The watchdog process is watched by a bulldog process. Sometimes the bulldog just barks, other times the two are wrestling it out on the ground while the rest of the system waits for them to sort out their differences. Alas, such is the price of progress.

To further prevent buffer overruns, a new character encoding is introduced where a previously one-byte code now needs ten bytes to encode it. This means that buffers have to be ten times bigger and thus there is a lot more space before an overrun occurs.

Let me know if you can think of any more features to add to this future super-OS.

The less functionality the better

The solution for a more secure browser isn't to guild it with ever-growing layers of security and virtual machines, quite the reverse, it's to keep things simple.

If we allow an internet to exist without the need for complex interpreted languages, if people open mostly static HTML documents when they open web pages instead of opening a pandora's box of plugins, languages, interpreted bytecodes, activeX gotchas and other unnecessary exploitable garbage, then the entire internet will be more secure.

By making it more complex, exploits and backdoors are virtually guaranteed. But well, that's just *my* ignorant opinion.

Re:The less functionality the better

Web browsers are already complex, and they've been designed without any regard whatsoever for security. It's impossible to go back to static HTML documents by now. So would you prefer that everyone just sticks their head in the sand, and pretends that it'll all go away?

This approach allows for complex browsers to actually become safer, by simplifying them. The browser is broken up into a set of components. Each component runs in a separate process, completely isolated (by the operating system) from the other components. In addition, each component is isolated from the rest of the system using mandatory access controls (SELinux in this case) which prevent the component from doing anything that it doesn't need to do.

The key aspect is that the components only have one way to communicate with each other - a single communications channel which is created by, controlled, and mediated by the kernel process. That means that all interactions between the components are simplified, and can be monitored by the kernel. The kernel itself can be small and simple enough that it's behaviour can be proven correct. The kernel then enforces a security policy.

This approach is known to work - it's similar to the approach used by operating system kernels.

Let's say you break into the rendering component, where the HTML rendering and JavaScript VM reside. You have absolutely no access to the operating system - your only link to the outside world is through the kernel, to the other components. Even if you manage to run native code inside the rendering engine, the operating system won't allow you to access the network, filesystem, or anything else. You only have access to the IPC mechanisms, and even then only to the connection between the rendering component and the kernel.

If your objective is to compromise the operating system through the browser, you can not do that from here. You can't just send a message to the component that handles file access, and get it to load malware onto the system - the kernel will prevent it. Even if you also find a hole in the kernel that allows you to run native code inside the kernel, the kernel doesn't have the ability to access the filesystem either. The filesystem component won't help either - it only has access to a small piece of the filesystem.

If your goal is to steal someone's bank password, you'll still have a tough time of it. The kernel will prevent you from doing anything that doesn't fit within the security policy. Even if you could access a bank password, you're not going to be able to send that information to anyone. If you do have the ability to send that information, you're not going to have access to the passwords.

The idea is not to add complexity - this browser should be no more complex than any other. The idea is to improve security by separating components, isolating them, and verifying that they are not doing anything that they're not supposed to.

It's called "defence in depth" - acknowledging that the system can never be made totally secure, and designing it in such a way that any security breaches won't be able to do any damange, and are able to be tracked for analysis later.

What I want to know is...

What the hell makes these UIUC people think that they know how to make a browser? You'd think they'd leave this kind of thing to people who've done it before. Sheesh! :)

Yes, if it's standards-compliant

I don't see why this couldn't fly. Samuel King appears to be a well-established professor with solid credentials. It's based on SELinux at present, but they've designed it to work with various other resource segmenting programs (they named AppArmor).

I'd say the key to finding a market will be standards-compliance. If it supports HTML 4 and XHTML reasonably well (like anyone can do it perfectly) and has ECMAScript, then it can work with a properly-designed webapp. While they're designing plugin support, I don't think it matters much whether Flash will be supported. People who care about security don't tend to be distracted by shiny things.

Sure, it won't even come close to top of the browser list. The purpose of this browser, however, is to bring web browsers to locations that can't use them because of security concerns. As a developer, I can certainly say that my productivity is improved with web access - forums, developer documentation, bug reports. I've been at companies that won't let their developers work on the Internet at all, probably for fear of espionage. The web browser is probably the second largest target (after e-mail clients) for malware writers. Web browsers are ubiquitous now, so spending some time researching "white-hat" web techniques is a worthwhile effort regardless, and I'm sure there are some who will find this browser useful. I will continue to use Firefox, despite the security concerns associated with JavaScript and Flash. My tin-foil hat is back in the closet, and I want to keep it there.

A link to the paper

Here is a link to the full research paper [uiuc.edu], we hope you enjoy it!

Here's what I want

How about simply throttling the CPU usage Flash can use in Firefox? The whole system can slow down to a crawl just from ONE ad-laden web page. I'm not on some slouch of a computer, but every once in a while I wonder why things are sluggish. I close the suspect tab and everything's back to normal.

To me a secure browser would be non-modular, and be pretty slim on the list of features.

NO activeX
NO plug-ins, period. Once you introduce a 3rd party software entry point, it's spoiled
No giving out referrer info unless you say so
strict cookie control
mike's ad blocking hosts file built in, and configurable(or something similar)
CANCELABLE javascript. Wha? Any time you get a javascript prompt, you'll have OK, cancel, and "stop all javascript right fucking now".
Javscript turn off URL bars, resizing of windows? I don't think so. Leave that to the user.

And I'm betting there's 20 other things I haven't thought of that's mandatory. The web browser has become so fluidic that there's tons of entry points to a user's system now.