Web browsers as operating systems: supporting robust and secure web programs

The World Wide Web has changed significantly since its introduction, facing a shift in its workload from passive web pages to active programs. Current web browsers were not designed for this demanding workload, and web content formats were not designed to express programs. As a result, the platform faces numerous robustness and security problems, ranging from interference between programs to script injection attacks to browser exploits. This dissertation presents a set of contributions that adapt lessons from operating systems to make the web a more suitable platform for deploying and running programs. These efforts are based upon four architectural principles for supporting programs. First, we must recognize web programs and precisely identify the boundaries between them, while preserving compatibility with existing content. Second, we must improve browser architectures to effectively isolate web programs from each other at runtime. Third, publishers must have the ability to authorize the code that runs within the programs they deploy. Fourth, users must be able to enforce policies on the programs they run within their browser. In this work, I incorporate these architectural principles into web browsers and web content, and I use experiments to quantify the improvements to robustness and performance while preserving backward compatibility. Additionally, some of these efforts have been incorporated into the Google Chrome web browser, demonstrating their practicality.
