The Multi-Principal OS Construction of the Gazelle Web Browser
Helen J. Wang∗, Chris Grier†, Alexander Moshchuk‡, Samuel T. King†, Piali Choudhury∗, Herman Venter∗ ∗Microsoft Research † University of Illinois at Urbana-Champaign ‡ University of Washington {helenw,pialic,hermanv}@microsoft.com, {grier,kingst}@uiuc.edu, [email protected]
Abstract sources. In this paper, we focus only on resource pro- Original web browsers were applications designed to tection in Gazelle. view static web content. As web sites evolved into dy- In Gazelle, the browser kernel runs in a separate pro- namic web applications that compose content from mul- tection domain (an OS process in our implementation), tiple web sites, browsers have become multi-principal interacts with the underlying OS directly, and exposes a operating environments with resources shared among set of system calls for web site principals. We use the mutually distrusting web site principals. Nevertheless, same web site principal as defined in the same-origin no existing browsers, including new architectures like IE policy (SOP), which is labeled by a web site’s origin, 8, Google Chrome, and OP, have a multi-principal oper- the triple of
) ()
may be from
-
+2
1
¤ ¥
content-type
¤
. /0
&
§
URL
*(
"
§
? ,- : Fetch the script or
;
: Fetch the content at ¨ ©
: Delegate a display
* +
¤
' ()
:
$%
!
§
URL
= >
!
#
<
"
(
-
!
;
3
:
*
#
¥
5
¥¡
)
3
,
!
9
6
£¤
, 45
!
§
7 8
-
¨ ©
¢
, 3
+
1
¤
¡
¦ §
that has the same origin as the issuing princi-
Figure 2: Supporting legacy protection
getSameOriginContent (URL) URL pal regardless of the content type. getCrossOriginContent (URL) style sheet content from different origin thancontent the type is issuing determinedheader principal. by of the the HTTP response. The delegate (URL, windowSpec) area to a differentcontent principal for that of principal. URL and fetch the • The semantics of these system calls is that the browser A key question to answer is that whether a script The browser kernel supports the following system • •
kernel can return cross-origin scriptprincipal or based style on content the to content-typeresponse, a but header returns of other the content HTTP iftent and has only if the the same con- ing the origin same-origin as policy. All themade the issuing and security enforced decisions principal, are by abid- the browser kernel alone. 4.2 Supporting Legacy Protection The system call semanticsone in subtle issue: the cross-origin basic script orare architecture style readable sheet has by sources the issuing principal, whichform does with the not existing con- SOP. The SOPcan dictates that be a executed script in ato cross-origin its fashion, source but code the is restricted access to same origin only. should be processed in the protection domain of its promise the principal withlicious plugin the content, same but originbrowser kernel. not as any the other ma- principals nor calls related tomore content complete fetching system call in table is this shown architecture in Table (a 3):
3
/
H
)
K
C
JK
12
.
O
-
MT
F G
.
§
RS
?
*0
¤
#
E
(
¥¦
"
/
PQ
¢
¢
¤
£
.
#
D
LJ
"
"
"
¦
!
C
0
>
©
!
*
NO
£
¢ £
'
$
>
8
=
LM
¡
&'
£
¨
*B ,-.
I JK
;<
%
$
+
.
@ A
9 :
)*
6 78 45 Figure 1: The Gazelle architecture The runtime of a principal instance performs con- It is necessary that the protection domain of a princi- This architecture can be efficient. By putting all Unlike all existing browsers except OP, this architec- kernel is agnostic ofhas a DOM relatively simple and logic. content semantics and tent processing and isbrowser essentially an components instance including ofparser, HTML today’s JavaScript and engine, style layoutplugins. sheet renderer, The and only browser wayact for with a system principal resources, instancetent state, to such and inter- as display, is networking,calls. to persis- use Principals browser can kernel’s communicateing system with message one passing another through us- same the fashion browser as inter-process kernel, communications in (IPC). the pal instance is a restricted oruse sandboxed of OS process process. guarantees The the isolationin of the principals face of even attacks thatThe exploit process memory must vulnerabilities. be further restrictedtion so that with any system interac- resources isnel limited system to calls. the browser Native ker- established the Client feasibility [47] of and such Xax process sandboxing. [15] have browser components including plugins intothey one process, can interact withmately one and another efficiently as throughThis is they DOM unlike do inti- the inall OP existing browser’s browser approach browsers. [21] components inchatty are which DOM separated interactions intothrough must the processes; OP beoverhead browser layered without kernel, added over security. incurring IPCs unnecessary ture can enforcenamely, browser plugin security content from policies differentgated on into origins different plugins, are processes. Any segre- pluginable installed to is interact un- with the operatingvided system and access is to only pro- systemkernel resources allowing subject that to access. the Inload browser this architecture, that the exploits pay- plugin vulnerabilities will only com- provider (indicated in “src”), in the same way as frames, less than browser software. Therefore, for protecting or in the protection domain of the host page that embeds cross-origin script or style sheet source, we place more the script. To answer this question, we must examine the trust in the browser code and let the browser code retrieve primary intent of the script element abstraction. Script and protect cross-origin script or style sheet sources: for is primarily a library abstraction (which is a necessary each principal, we run browser code and plugin code and useful abstraction) for web programmers to include in two separate processes. The plugin instance process in their sites and runs with the privilege of the includer cannot issue the getCrossOriginContent() and it can sites [43]. This is in contrast with the frame abstractions: only interact with cross-origin scripts and style sheets Programmers put content into cross-origin frames so that through the browser instance process. the content runs as the principal of its own provider and In this architecture, the quality of protecting cross- be protected from other principals. Therefore, a script origin script and style-sheet source relies on the browser should be handled by the protection domain of its in- code quality. While this protection is not perfect with na- cluder. tive browser code implementation, the architecture offers In fact, it is a flaw of the existing SOP to offer protec- the same protection as OP, and stronger protection than tion for cross-origin script source. Evidence has shown the rest of existing browsers. The separation of browser that it is extremely dangerous to hide sensitive data inside code and plugin code into separate processes also im- a script [22]. Numerous browser vulnerabilities exist for proves reliability by containing plugin failures. failing to provide the protection. In recent work, Native Client [47] and Xax [15] have Unfortunately, web sites that rely on cross-origin presented a plugin model that uses sandboxed processes script source protection, exist today. For example, to contain each browser principal’s plugin content. Their GMail’s contact list is stored in a script file, at the time plugin model works perfectly in our browser architec- of writing. Furthermore, it is increasingly common for ture. We do not provide further discussions on plugins in web programmers to adopt JavaScript Object Notation our paper. (JSON) [31] as the preferred data-interchange format. Web sites often demand such data to be same-origin ac- cess only. To prevent such data from being accidentally 5 Cross-Principal, Cross-Process Display accessed through