sign in sign up
<<
Home , Blogger (service)

Isolating Programs in Modern Browser Architectures Charles Reis, Steven D. Gribble University of Washington / , Inc.

1 Web is Evolving

Pages Programs

More complex, active content Browser now in role of OS, but not designed for it Robustness and performance problems

2 Consider OS Landscape

Performance isolation Resource management Failure isolation

Clear program abstraction

3 Browsers Fall Short

Unresponsiveness Jumbled accounting Browser crashes

Unclear what a program is!

4 Outline

Looking for Programs

New Abstractions

Isolation in

Evaluation

5 Programs in the Browser

Mail Doc List Doc Consider an example Doc browsing session Several independent programs Mail News Article

6 Monolithic Browsers

Most browsers put all pages in one process Mail Doc List Doc Poor performance isolation

Blog Poor failure isolation Mail Poor security News Article Should re-architect the browser

7 Process per Window?

Mail Doc List Doc Breaks pages that directly communicate Shared access to Blog data structures, etc. Mail Fails as a program abstraction News Article

8 Need a Program Abstraction

Aim for new groupings that:

Match our intuitions Doc List Doc Preserve compatibility Take cues from browser’s existing rules Isolate each grouping in an OS process Will get performance and failure isolation, but not security between sites

9 Outline

Looking for Programs

New Abstractions

Isolation in Chromium

Evaluation

10 Ideal Abstractions

Web Program Set of pages and sub-resources providing a service Web Program Instance Live copy of a web program in the browser Will be isolated in the browser’s architecture

Intuitive, but how to define concretely?

11 Compatible Abstractions

Three ways to group pages into processes: 1. Site: based on browser’s access control policies 2. Browsing Instance: communication channels between pages 3. Site Instance: intersection of the first two

12 1. Sites

zoho.com zoho.com zoho.com mail.zoho.com docs.zoho.com docs.zoho.com Same Origin Policy dictates some isolation Mail Doc List Doc (host+protocol+port) http://blogger.com https://zoho.com Pages can change document.domain Blog Registry-controlled Mail limit News Article Site: RCDN + protocol http://bbc.co.uk

13 2. Browsing Instances

w = window.open(...) Not all pages can talk

Mail Doc List Doc References between “related” windows

window.opener Parents and children Blog Lifetime of window Mail Browsing Instance: News Article connected windows, regardless of site

14 3. Site Instances

Mail Doc List Doc Site Instance: Intersection of site & browsing instance

Blog Safe to isolate from any other pages Mail Compatible notion of a News Article web program instance

15 Outline

Looking for Programs

New Abstractions

Isolation in Chromium

Evaluation

16 Multi-Process Browser

Browser Kernel Storage, network, UI Rendering Rendering Engine Engine Plug-in Rendering Engines Web program and Browser Kernel runtime environment Plug-ins

Implemented in Chromium 17 Chromium Process Models

RenderingRendering Rendering 1. Monolithic Engine Engine EnginePlug-in Plug-in

2. Process-per-Browsing-Instance Browser Kernel New window = new renderer process 3. Process-per-Site-Instance (default) Create renderer process when navigating cross-site 4. Process-per-Site Combine instances: fewer processes, less isolation

18 Outline

Looking for Programs

New Abstractions

Isolation in Chromium

Evaluation

19 Robustness Benefits

Failure Isolation Accountability Memory Management

Some additional security Rendering Rendering (e.g., Chromium’s sandbox) Engine Engine Plug-in Sandbox Sandbox

Browser Kernel

20 Performance Isolation

Avg Click Delay on Blank Page 4,000 3,307 Responsive while other 3,000 web programs working 2,000 1,408 Time (ms) Time 1,000 6 6 0 With Top 5 Pages With

Monolithic Chromium Multi-Process Chromium

21 Other Performance Impact

Speedups More work done concurrently, leveraging cores e.g., Session restore of several windows Process Latency 100 ms, but masked by other speedups in practice

22 Memory Overhead

130.0

97.5 Robustness benefits do have a cost 65.0 Memory (MB) Reasonable for 32.5 many real users

0 1 2 3 4 5 6 7 8 9 10 Number of Popular Pages

Monolithic Chromium Multi-Process Chromium 23 Compatibility Evaluation

No known compat bugs due to architecture Some minor behavior changes e.g., Narrower scope of window names: browsing instance, not global

?

“Pandora” “Pandora”

24 Related Architecture Work

Internet Explorer 8 Multi-process architecture, no program abstractions Gazelle Like Chromium, but values security over compatibility Other research: OP, Tahoma, SubOS Break compatibility (isolation too fine-grained)

25 Conclusion

Browsers must recognize programs to support them Site Instances capture this Compatible with existing web content Can prevent interference with process isolation

Implemented in Chromium 26