A safety-oriented platform for Web applications

This paper describes the architecture and implementation of the Tahoma Web browsing system. Key to Tahoma is the browser operating system (BOS), a new trusted software layer on which Web browsers execute. The benefits of this architecture are threefold. First, the BOS runs the client-side component of each Web application (e.g., on-line banking, Web mail) in its own virtual machine. This provides strong isolation between Web services and the user's local resources. Second, Tahoma lets Web publishers limit the scope of their Web applications by specifying which URLs and other resources their browsers are allowed to access. This limits the harm that a compromised browser can cause. Third, Tahoma treats Web applications as first-class objects that users explicitly install and manage, giving them explicit knowledge of and control over downloaded content and code. We have implemented a prototype of Tahoma using Linux and the Xen virtual machine monitor. Our security evaluation shows that Tahoma can prevent or contain 87% of the vulnerabilities that have been identified in the widely used Mozilla browser. In addition, our measurements of latency, throughput, and responsiveness demonstrate that users need not sacrifice performance for the benefits of stronger isolation and safety.
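The second benefit, a publisher-declared URL scope enforced outside the browser, is the one most worth seeing concretely. The following is an added example, not Tahoma's own code: the page shows neither the manifest syntax nor the enforcement logic, so the manifest format, the application and host names, and the matching rules below are this example's own assumptions. It models the BOS-side check that takes a publisher's allowed-URL list and decides whether a request from that application's browser instance may proceed, and it handles the cases where naive string-prefix matching on URLs fails (lookalike hosts, suffix confusion, userinfo, scheme downgrade, non-default ports, and `..` path segments).

```python
"""Enforce a publisher-declared URL scope for one browser instance.

Added example, not Tahoma's code. The manifest format and matching rules
below are this example's own assumptions; the page shows neither.
"""
import posixpath
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed manifest for a hypothetical banking application. Each entry is an
# origin (scheme, host, port) plus a path prefix. A leading "*." admits any
# subdomain of the named domain but not the bare domain itself.
MANIFEST = {
    "name": "example-bank",
    "allowed": [
        "https://bank.example/",
        "https://*.cdn.example/assets/",
    ],
}


@dataclass(frozen=True)
class Rule:
    scheme: str
    host: str         # exact host, or "*.domain" for any subdomain of domain
    port: int
    path_prefix: str  # always ends with "/"


def _default_port(scheme):
    return 443 if scheme == "https" else 80


def parse_rule(pattern):
    """Parse one allowed-URL pattern into a Rule, rejecting ambiguous forms."""
    p = urlsplit(pattern)
    if p.scheme not in ("http", "https") or not p.hostname:
        raise ValueError(f"unsupported pattern: {pattern}")
    if p.username or p.password or p.query or p.fragment:
        raise ValueError(f"userinfo, query and fragment not allowed: {pattern}")
    host = p.hostname  # urlsplit lower-cases the host for us
    if "*" in (host[2:] if host.startswith("*.") else host):
        raise ValueError(f"only a leading '*.' wildcard is allowed: {pattern}")
    path = p.path or "/"
    if not path.endswith("/"):
        # "/admin" as a prefix would also admit "/administrator"; require a directory
        raise ValueError(f"path prefix must end with '/': {pattern}")
    return Rule(p.scheme, host, p.port or _default_port(p.scheme), path)


def load_manifest(manifest):
    return [parse_rule(entry) for entry in manifest["allowed"]]


def _normalize_path(path):
    """Collapse '.' and '..' so '/assets/../admin' cannot pass as '/assets/...'."""
    norm = posixpath.normpath(path or "/")
    if path.endswith("/") and not norm.endswith("/"):
        norm += "/"
    return norm


def _host_matches(rule_host, host):
    if rule_host.startswith("*."):
        # ".cdn.example" as a suffix: requires at least one label in front of it,
        # so "cdn.example" itself and "notcdn.example" both fail
        return host.endswith(rule_host[1:])
    # exact match: "evil-bank.example" and "bank.example.attacker.example" both fail
    return host == rule_host


def url_allowed(rules, url):
    """True if the requested URL lies inside the publisher's declared scope."""
    try:
        p = urlsplit(url)
        port = p.port  # raises ValueError for a non-numeric port
    except ValueError:
        return False
    if p.scheme not in ("http", "https") or not p.hostname:
        return False
    if p.username or p.password:
        # "https://bank.example@attacker.example/" actually names attacker.example
        return False
    port = port or _default_port(p.scheme)
    path = _normalize_path(p.path)
    return any(
        r.scheme == p.scheme
        and r.port == port
        and _host_matches(r.host, p.hostname)
        and path.startswith(r.path_prefix)
        for r in rules
    )


def filter_requests(rules, urls):
    """Map each requested URL to the decision the scope check would return."""
    return {u: ("allow" if url_allowed(rules, u) else "deny") for u in urls}


if __name__ == "__main__":
    rules = load_manifest(MANIFEST)
    # Constructed requests: the first two are legitimate; the rest model a
    # compromised browser instance trying to reach outside its declared scope.
    requests = [
        "https://bank.example/accounts/summary",
        "https://a.cdn.example/assets/app.js",
        "http://bank.example/accounts/summary",       # scheme downgrade
        "https://bank.example:8443/",                 # non-default port
        "https://evil-bank.example/",                 # lookalike host
        "https://bank.example.attacker.example/",     # suffix confusion
        "https://bank.example@attacker.example/",     # userinfo confusion
        "https://a.cdn.example/assets/../admin",      # dot-segment escape
        "https://attacker.example/exfil?c=...",       # exfiltration target
    ]
    for url, verdict in filter_requests(rules, requests).items():
        print(f"{verdict:5} {url}")
```

The point of the check living in the BOS rather than in the browser is that a compromised browser instance cannot rewrite its own scope; the manifest is the publisher's statement, and the enforcement code never runs in the same protection domain as the rendering engine. Percent-encoded dot segments and internationalized host names are deliberately left out of this example; a production check would canonicalize both before matching.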
