Isolating Programs in Modern Browser Architectures Charles Reis, Steven D. Gribble University of Washington / Google, Inc. 1 Web is Evolving Pages Programs More complex, active content Browser now in role of OS, but not designed for it Robustness and performance problems 2 Consider OS Landscape Performance isolation Resource management Failure isolation Clear program abstraction 3 Browsers Fall Short Unresponsiveness Jumbled accounting Browser crashes Unclear what a program is! 4 Outline Looking for Programs New Abstractions Isolation in Chromium Evaluation 5 Programs in the Browser Mail Doc List Doc Consider an example Doc browsing session Blog Several independent programs Mail News Article 6 Monolithic Browsers Most browsers put all pages in one process Mail Doc List Doc Poor performance isolation Blog Poor failure isolation Mail Poor security News Article Should re-architect the browser 7 Process per Window? Mail Doc List Doc Breaks pages that directly communicate Shared access to Blog data structures, etc. Mail Fails as a program abstraction News Article 8 Need a Program Abstraction Aim for new groupings that: Match our intuitions Doc List Doc Preserve compatibility Take cues from browser’s existing rules Isolate each grouping in an OS process Will get performance and failure isolation, but not security between sites 9 Outline Looking for Programs New Abstractions Isolation in Chromium Evaluation 10 Ideal Abstractions Web Program Set of pages and sub-resources providing a service Web Program Instance Live copy of a web program in the browser Will be isolated in the browser’s architecture Intuitive, but how to define concretely? 11 Compatible Abstractions Three ways to group pages into processes: 1. Site: based on browser’s access control policies 2. Browsing Instance: communication channels between pages 3. Site Instance: intersection of the first two 12 1. Sites zoho.com zoho.com zoho.com mail.zoho.com docs.zoho.com docs.zoho.com Same Origin Policy dictates some isolation Mail Doc List Doc (host+protocol+port) http://blogger.com https://zoho.com Pages can change document.domain Blog Registry-controlled Mail domain name limit News Article Site: RCDN + protocol http://bbc.co.uk 13 2. Browsing Instances w = window.open(...) Not all pages can talk Mail Doc List Doc References between “related” windows window.opener Parents and children Blog Lifetime of window Mail Browsing Instance: News Article connected windows, regardless of site 14 3. Site Instances Mail Doc List Doc Site Instance: Intersection of site & browsing instance Blog Safe to isolate from any other pages Mail Compatible notion of a News Article web program instance 15 Outline Looking for Programs New Abstractions Isolation in Chromium Evaluation 16 Multi-Process Browser Browser Kernel Storage, network, UI Rendering Rendering Engine Engine Plug-in Rendering Engines Web program and Browser Kernel runtime environment Plug-ins Implemented in Chromium 17 Chromium Process Models RenderingRendering Rendering 1. Monolithic Engine Engine EnginePlug-in Plug-in 2. Process-per-Browsing-Instance Browser Kernel New window = new renderer process 3. Process-per-Site-Instance (default) Create renderer process when navigating cross-site 4. Process-per-Site Combine instances: fewer processes, less isolation 18 Outline Looking for Programs New Abstractions Isolation in Chromium Evaluation 19 Robustness Benefits Failure Isolation Accountability Memory Management Some additional security Rendering Rendering (e.g., Chromium’s sandbox) Engine Engine Plug-in Sandbox Sandbox Browser Kernel 20 Performance Isolation Avg Click Delay on Blank Page 4,000 3,307 Responsive while other 3,000 web programs working 2,000 1,408 Time (ms) 1,000 6 6 0 With Top 5 Pages With Gmail Monolithic Chromium Multi-Process Chromium 21 Other Performance Impact Speedups More work done concurrently, leveraging cores e.g., Session restore of several windows Process Latency 100 ms, but masked by other speedups in practice 22 Memory Overhead 130.0 97.5 Robustness benefits do have a cost 65.0 Memory (MB) Reasonable for 32.5 many real users 0 1 2 3 4 5 6 7 8 9 10 Number of Popular Pages Monolithic Chromium Multi-Process Chromium 23 Compatibility Evaluation No known compat bugs due to architecture Some minor behavior changes e.g., Narrower scope of window names: browsing instance, not global ? “Pandora” “Pandora” 24 Related Architecture Work Internet Explorer 8 Multi-process architecture, no program abstractions Gazelle Like Chromium, but values security over compatibility Other research: OP, Tahoma, SubOS Break compatibility (isolation too fine-grained) 25 Conclusion Browsers must recognize programs to support them Site Instances capture this Compatible with existing web content Can prevent interference with process isolation Implemented in Chromium 26 Relevant for security? Pages are free to embed evil.com objects from any site mail.com images.com Scripts, images, plugins Carry user’s credentials Inaccessible info within each Site Instance Compatibility makes us evil.com rely on internal logic Back... 28 Compatibility Compromises Coarse granularity Some logical apps grouped together (instances help) Imperfect isolation Shared cookies, some window-level JS calls Not a secure boundary Must still rely on renderer to prevent certain leaks More on Security... 29 Implementation Caveats Sites may sometimes share processes Frames still in parent process Not all cross-site navigations fork processes Process limit (20), then randomly re-used 30 .