A Quantitative Evaluation of Privilege Separation in Web Browser Designs

Privilege separation is a fundamental security concept that has been used in designing many secure systems. A number of recent works propose re-designing web browsers with greater privilege separation for better security. In practice, however, privilege-separated designs require a fine balance between security benefits and other competing concerns, such as performance. In fact, performance overhead has been a major cause preventing many privilege separation proposals from being adopted in real systems. In this paper, we develop a new measurement-driven methodology that quantifies the security benefits and performance costs of a given privilege-separated browser design. Our measurements on a large corpus of web sites provide key insights into the security and performance implications of the partitioning dimensions proposed in 9 recent browser designs. Our results also provide empirical guidelines for resolving several design decisions being debated in recent browser re-design efforts.