Isolating Programs in Modern Browser Architectures Charles Reis, Steven D. Gribble University of Washington / Google, Inc.
1 Web is Evolving
Pages Programs
More complex, active content Browser now in role of OS, but not designed for it Robustness and performance problems
2 Consider OS Landscape
Performance isolation Resource management Failure isolation
Clear program abstraction
3 Browsers Fall Short
Unresponsiveness Jumbled accounting Browser crashes
Unclear what a program is!
4 Outline
Looking for Programs
New Abstractions
Isolation in Chromium
Evaluation
5 Programs in the Browser
Mail Doc List Doc Consider an example Doc browsing session Blog Several independent programs Mail News Article
6 Monolithic Browsers
Most browsers put all pages in one process Mail Doc List Doc Poor performance isolation
Blog Poor failure isolation Mail Poor security News Article Should re-architect the browser
7 Process per Window?
Mail Doc List Doc Breaks pages that directly communicate Shared access to Blog data structures, etc. Mail Fails as a program abstraction News Article
8 Need a Program Abstraction
Aim for new groupings that:
Match our intuitions Doc List Doc Preserve compatibility Take cues from browser’s existing rules Isolate each grouping in an OS process Will get performance and failure isolation, but not security between sites
9 Outline
Looking for Programs
New Abstractions
Isolation in Chromium
Evaluation
10 Ideal Abstractions
Web Program Set of pages and sub-resources providing a service Web Program Instance Live copy of a web program in the browser Will be isolated in the browser’s architecture
Intuitive, but how to define concretely?
11 Compatible Abstractions
Three ways to group pages into processes: 1. Site: based on browser’s access control policies 2. Browsing Instance: communication channels between pages 3. Site Instance: intersection of the first two
12 1. Sites
zoho.com zoho.com zoho.com mail.zoho.com docs.zoho.com docs.zoho.com Same Origin Policy dictates some isolation Mail Doc List Doc (host+protocol+port) http://blogger.com https://zoho.com Pages can change document.domain Blog Registry-controlled Mail domain name limit News Article Site: RCDN + protocol http://bbc.co.uk
13 2. Browsing Instances
w = window.open(...) Not all pages can talk
Mail Doc List Doc References between “related” windows
window.opener Parents and children Blog Lifetime of window Mail Browsing Instance: News Article connected windows, regardless of site
14 3. Site Instances
Mail Doc List Doc Site Instance: Intersection of site & browsing instance
Blog Safe to isolate from any other pages Mail Compatible notion of a News Article web program instance
15 Outline
Looking for Programs
New Abstractions
Isolation in Chromium
Evaluation
16 Multi-Process Browser
Browser Kernel Storage, network, UI Rendering Rendering Engine Engine Plug-in Rendering Engines Web program and Browser Kernel runtime environment Plug-ins
Implemented in Chromium 17 Chromium Process Models
RenderingRendering Rendering 1. Monolithic Engine Engine EnginePlug-in Plug-in
2. Process-per-Browsing-Instance Browser Kernel New window = new renderer process 3. Process-per-Site-Instance (default) Create renderer process when navigating cross-site 4. Process-per-Site Combine instances: fewer processes, less isolation
18 Outline
Looking for Programs
New Abstractions
Isolation in Chromium
Evaluation
19 Robustness Benefits
Failure Isolation Accountability Memory Management
Some additional security Rendering Rendering (e.g., Chromium’s sandbox) Engine Engine Plug-in Sandbox Sandbox
Browser Kernel
20 Performance Isolation
Avg Click Delay on Blank Page 4,000 3,307 Responsive while other 3,000 web programs working 2,000 1,408 Time (ms) Time 1,000 6 6 0 With Top 5 Pages With Gmail
Monolithic Chromium Multi-Process Chromium
21 Other Performance Impact
Speedups More work done concurrently, leveraging cores e.g., Session restore of several windows Process Latency 100 ms, but masked by other speedups in practice
22 Memory Overhead
130.0
97.5 Robustness benefits do have a cost 65.0 Memory (MB) Reasonable for 32.5 many real users
0 1 2 3 4 5 6 7 8 9 10 Number of Popular Pages
Monolithic Chromium Multi-Process Chromium 23 Compatibility Evaluation
No known compat bugs due to architecture Some minor behavior changes e.g., Narrower scope of window names: browsing instance, not global
?
“Pandora” “Pandora”
24 Related Architecture Work
Internet Explorer 8 Multi-process architecture, no program abstractions Gazelle Like Chromium, but values security over compatibility Other research: OP, Tahoma, SubOS Break compatibility (isolation too fine-grained)
25 Conclusion
Browsers must recognize programs to support them Site Instances capture this Compatible with existing web content Can prevent interference with process isolation
Implemented in Chromium 26