Trust and Protection in the Illinois Browser Operating System

Current web browsers are complex, have enormous trusted computing bases, and provide attackers with easy access to modern computer systems. In this paper we introduce the Illinois Browser Operating System (IBOS), a new operating system and a new browser that reduces the trusted computing base for web browsers. In our architecture we expose browser-level abstractions at the lowest software layer, enabling us to remove almost all traditional OS components and services from our trusted computing base by mapping browser abstractions to hardware abstractions directly. We show that this architecture is flexible enough to enable new browser security policies, can still support traditional applications, and adds little overhead to the overall browsing experience.
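The abstract's key design move is to state security policy in the browser's own terms (origins, page instances, network fetches) at the lowest software layer, so that the usual OS services above it need not be trusted. As an added illustration of that principle, and not code from the IBOS paper or project, the C sketch below builds a tiny reference monitor whose subjects carry origin labels and whose only policy is a same-origin rule between a page instance, the network process that fetches for it, and the driver. The label layout, the three subject kinds and the three rules are assumptions made for this example.

```c
/* Added illustration, not code from the IBOS paper: a minimal reference
 * monitor whose subjects are labelled with browser-level principals
 * (origins) rather than OS users or files, so that a same-origin rule can
 * be enforced at the lowest software layer. The label layout, the subject
 * kinds and the three rules below are assumptions made for this example. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    char scheme[16];
    char host[256];
    int  port;
} origin_t;

/* Subject kinds assumed for the example: a web page instance, a network
 * process that fetches on behalf of exactly one origin, and the NIC driver. */
typedef enum { SUBJ_WEBPAGE, SUBJ_NETPROC, SUBJ_DRIVER } subject_kind_t;

typedef struct {
    subject_kind_t kind;
    origin_t       label;   /* origin the subject acts on behalf of (unused for the driver) */
} subject_t;

/* Parse "scheme://host[:port]/..." into an origin. The host is lower-cased,
 * the default port is filled in for http/https, and anything else
 * (missing scheme, empty host, bad port, unknown scheme) is rejected. */
bool parse_origin(const char *url, origin_t *out) {
    const char *p = strstr(url, "://");
    if (p == NULL) return false;
    size_t slen = (size_t)(p - url);
    if (slen == 0 || slen >= sizeof out->scheme) return false;
    memcpy(out->scheme, url, slen);
    out->scheme[slen] = '\0';

    p += 3;
    const char *end = p;
    while (*end != '\0' && *end != '/' && *end != ':') end++;
    size_t hlen = (size_t)(end - p);
    if (hlen == 0 || hlen >= sizeof out->host) return false;
    for (size_t i = 0; i < hlen; i++)
        out->host[i] = (char)tolower((unsigned char)p[i]);
    out->host[hlen] = '\0';

    if (*end == ':') {
        char *q;
        long v = strtol(end + 1, &q, 10);
        if (q == end + 1 || v <= 0 || v > 65535) return false;
        if (*q != '\0' && *q != '/') return false;
        out->port = (int)v;
    } else if (strcmp(out->scheme, "https") == 0) {
        out->port = 443;
    } else if (strcmp(out->scheme, "http") == 0) {
        out->port = 80;
    } else {
        return false;   /* only http/https default ports are known here */
    }
    return true;
}

/* Same-origin comparison: scheme, host and port must all match. */
bool same_origin(const origin_t *a, const origin_t *b) {
    return strcmp(a->scheme, b->scheme) == 0 &&
           strcmp(a->host, b->host) == 0 &&
           a->port == b->port;
}

/* The check the lowest layer applies to every message between subjects.
 * Rules (assumed): a web page instance may only talk to a network process
 * carrying its own origin label; only a network process may reach the
 * driver; everything else is denied by default. */
bool monitor_allow(const subject_t *src, const subject_t *dst) {
    if (src->kind == SUBJ_WEBPAGE && dst->kind == SUBJ_NETPROC)
        return same_origin(&src->label, &dst->label);
    if (src->kind == SUBJ_NETPROC && dst->kind == SUBJ_DRIVER)
        return true;
    return false;
}

int main(void) {
    origin_t a, b;
    if (!parse_origin("https://Example.com/index.html", &a) ||
        !parse_origin("https://other.example/", &b))
        return 1;
    subject_t page  = { SUBJ_WEBPAGE, a };
    subject_t net_a = { SUBJ_NETPROC, a };
    subject_t net_b = { SUBJ_NETPROC, b };
    subject_t nic   = { SUBJ_DRIVER,  a };
    printf("page -> net (same origin):  %s\n", monitor_allow(&page, &net_a) ? "allow" : "deny");
    printf("page -> net (other origin): %s\n", monitor_allow(&page, &net_b) ? "allow" : "deny");
    printf("page -> driver directly:    %s\n", monitor_allow(&page, &nic)   ? "allow" : "deny");
    printf("net -> driver:              %s\n", monitor_allow(&net_a, &nic)  ? "allow" : "deny");
    return 0;
}
```

The point worth noticing is what the policy does not mention: no file system, no process table, no socket API. A page instance can reach the hardware only through a network process that carries the same origin label, so everything between the monitor and the driver can be untrusted. The parser is part of the trusted layer here, which is why it normalises the host and rejects malformed input instead of guessing.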
