
App Isolation: Get the Security of Multiple Browsers with Just One

Eric Y. Chen (Carnegie Mellon University, Mountain View, CA), Jason Bau (Stanford University, Stanford, CA), Charles Reis (Google, Inc., Seattle, WA), Adam Barth (Google, Inc., Mountain View, CA), Collin Jackson (Carnegie Mellon University, Mountain View, CA)

ABSTRACT

Many browser-based attacks can be prevented by using separate browsers for separate web sites. However, most users access the web with only one browser. We explain the security benefits that using multiple browsers provides in terms of two concepts: entry-point restriction and state isolation. We combine these concepts into a general app isolation mechanism that can provide the same security benefits in a single browser. While not appropriate for all types of web sites, many sites with high-value user data can opt in to app isolation to gain defenses against a wide variety of browser-based attacks. We implement app isolation in the Chromium browser and verify its security properties using finite-state model checking. We also measure the performance overhead of app isolation and conduct a large-scale study to evaluate its adoption complexity for various types of sites, demonstrating how the app isolation mechanisms are suitable for protecting a number of high-value Web applications, such as online banking.

Categories and Subject Descriptors

H.4.3 [Information Systems Applications]: Communications Applications—Information browsers; K.6.5 [Management of Computing and Information Systems]: Security and Protection

General Terms

Security, Design, Verification

Keywords

Web Browser Architecture, Isolation, Web Application Security, Security Modeling, Cross-Site Request Forgery, Cross-Site Scripting

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.
CCS'11, October 17–21, 2011, Chicago, Illinois, USA.
Copyright 2011 ACM 978-1-4503-0948-6/11/10 ...$10.00.

1. INTRODUCTION

Security experts often advise users to use more than one browser: one for surfing the wild web and others for visiting "sensitive" web sites, such as online banking web sites [1, 2]. This advice raises a number of questions. Can using more than one browser actually improve security? If so, which properties are important? Can we realize these security benefits without resorting to the use of more than one browser?

In this paper, we seek to answer these questions by crystallizing two key security properties of using multiple browsers, which we refer to as entry-point restriction and state isolation. We find that these two properties are responsible for much of the security benefit of using multiple browsers, and we show how to achieve these security benefits in a single browser by letting web sites opt in to these behaviors.

Consider a user who diligently uses two browsers for security. This user designates one browser as "sensitive" and one as "non-sensitive". She uses the sensitive browser only for accessing her online bank (through known URLs and bookmarks) and refrains from visiting the general Web with the sensitive browser. Meanwhile, she uses only the non-sensitive browser for the rest of the Web and does not use it to visit high-value sites.

Using two browsers in this manner does have security benefits. For example, consider the case of reflected cross-site scripting (XSS). In a reflected XSS attack, the attacker crafts a malicious URL containing an attack string and navigates the user's browser to that URL, tricking the honest web site into echoing back the attack string in a dangerous context. The attack has more difficulty succeeding if the user runs more than one browser because the attack relies on which of the user's browsers the attacker navigates. If the attacker navigates the user's non-sensitive browser to a maliciously crafted URL on the user's bank, the attack will have no access to the user's banking-related state, which resides in another browser.

From this discussion, one might conclude that isolation of credentials and other state is the essential property that makes using two browsers more secure. However, another security property provided by using multiple browsers is equally important: entry-point restriction. To illustrate entry-point restriction by its absence, imagine if the attacker could arbitrarily coordinate navigation of the user's two browsers and open an arbitrary bank URL in the sensitive browser. Now, the attacker's maliciously crafted URL and attack string can be transplanted from the non-sensitive browser to the sensitive browser, leading to disaster.

In reality, it is extremely difficult for Web attackers to coordinate the navigation of two different browsers on the user's computer. This isolation between the two browsers provides the entry-point restriction property. Namely, sessions in the sensitive browser with an honest web site always begin with a fixed set of entry points (e.g., the site's home page or a set of bookmarks) and then proceed only to URLs chosen by the web site itself, not those chosen by a third party. Because the bank's entry points are restricted, the attacker is unable to inject the attack string into the user's session with the bank.

State isolation, in turn, augments the security provided by entry-point restriction when using two browsers. State isolation plays a critical role, for example, in preventing history sniffing [3, 4] and cache timing attacks [4, 5] because these attacks do not rely upon the attacker navigating the user's browser to a maliciously crafted URL. State isolation between browsers can even protect a user's high-value session data against exploits of browser vulnerabilities that give the attacker control of the rendering process [6, 7]. In concert, entry-point restriction and state isolation provide the lion's share of the security benefits of using two browsers.

In our example above, we use a single high-value site to illustrate the security benefit of isolation using two browsers, but the isolation benefits extend naturally to accessing multiple sites, each in their own browser. In this paper, we show that we can realize these security benefits within a single browser by allowing web sites to whitelist their entry points and request isolated storage. This is not a pinpoint defense against a specific attack but rather a general approach that has benefits in a number of attack scenarios.

The security benefits of our mechanism do come with a compatibility cost for certain types of web sites, as it places some limitations on deep links and third-party cookies. To avoid disrupting existing web sites, we advocate deploying our mechanism as an opt-in feature. Furthermore, we hypothesize and experimentally verify the types of web sites that are suitable for our mechanism. Our experiments measured the number of entry points used by popular sites in a study of 10,551 browsers running Mozilla's Test Pilot platform [8]. Over 1 million links were included in our study. We discovered that many security-sensitive sites such as online banking applications can easily deploy our mechanisms. However, highly social or content-driven applications such as Facebook and New York Times will have difficulties adopting our proposal.

• We provide a security mechanism that grants a single browser the security benefits of multiple browsers, compatible with certain types of existing sites.

• We validate the security of our mechanism using formal modeling, adjusting our design to patch uncovered vulnerabilities.

• We evaluate the compatibility of our mechanism using Mozilla's Test Pilot platform. We are the first to utilize this platform to conduct an academic study.

1.1 Organization.

The rest of this paper is organized as follows. Section 2 presents related app isolation work. Section 3 identifies the key security benefits of using multiple browsers. Section 4 discusses how browsers can identify apps that have opted in to our proposal. Section 5 and Section 6 describe our design in detail. Section 7 evaluates our proposal in terms of its security, complexity to adopt, and performance, and we conclude in Section 8.

2. BACKGROUND

In this section, we examine how the security properties of using multiple browsers have surfaced in related work and compare them to our proposal.

2.1 Isolation with multiple browsers

For users who choose to browse the web using multiple browsers, site-specific browsers (SSBs) can make the browsing experience simpler and more convenient. SSBs provide customized browsers that are each dedicated to accessing pages from a single web application. Examples of SSBs include Prism [10] and Fluid [11].

SSBs are simply special-purpose browsers and can provide the security benefits of using multiple general-purpose browsers. However, SSBs can become difficult to manage when users interact with and navigate between a large number of different web applications. We show that a single browser can realize the security benefits of SSBs without the management burden on the user. For example, our proposal allows users to seamlessly and securely follow a link from one app to another, even in a single browser tab.

2.2 Isolation within a single browser

The concept of finer-grained isolation inside a single browser has been explored by many researchers. However, prior work has not identified the essential factors needed for a single browser to achieve the same security benefits as using multi-
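The introduction describes the two properties the paper builds on (an app whitelists its entry points, and its state lives in isolated storage) but the excerpt stops before the design sections. The following is an added toy model, written for this page and not code from the paper or from its Chromium implementation, that makes the two properties concrete: a browser object with opted-in apps, one cookie jar per app, and a navigation rule that only admits outside navigations through whitelisted entry points. Where the paper's excerpt does not say what happens to a refused deep link, the model assumes it is loaded in the ordinary, non-isolated context (so it never sees the app's state); that, the origin/path names and the cookie values are all constructed assumptions.

```python
"""Toy model of app isolation: entry-point restriction plus state isolation.

Constructed simulation for illustration (not the paper's Chromium code).
Assumptions beyond the paper's text: a deep link arriving from outside an app
is loaded in the default context, and cross-site subresource requests to an
app carry only the default context's cookies, never the app's isolated jar.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

DEFAULT = "default"  # the ordinary, non-isolated browsing context


@dataclass
class App:
    origin: str                   # e.g. "https://bank.example" (constructed)
    entry_points: frozenset       # whitelisted paths, e.g. {"/", "/login"}
    cookies: dict = field(default_factory=dict)  # the app's isolated jar


@dataclass
class Page:
    url: str
    context: str   # the app origin the page runs in, or DEFAULT
    cookies: dict  # cookies the navigation request carried


class AppIsolationBrowser:
    def __init__(self):
        self.apps = {}          # origin -> App (sites that opted in)
        self.default_jars = {}  # origin -> cookies held outside any app

    def register_app(self, origin, entry_points):
        self.apps[origin] = App(origin, frozenset(entry_points))

    @staticmethod
    def _origin(url):
        parts = urlsplit(url)
        return f"{parts.scheme}://{parts.netloc}"

    def _default_jar(self, origin):
        return self.default_jars.setdefault(origin, {})

    def set_cookie(self, page, name, value):
        """A cookie set by the response for `page` lands in its context's jar."""
        if page.context in self.apps:
            self.apps[page.context].cookies[name] = value
        else:
            self._default_jar(self._origin(page.url))[name] = value

    def navigate(self, from_context, url):
        """Entry-point restriction: outside navigations enter only via whitelist."""
        target = self._origin(url)
        app = self.apps.get(target)
        path = urlsplit(url).path or "/"
        if app is not None and (from_context == app.origin or path in app.entry_points):
            return Page(url, app.origin, dict(app.cookies))
        # Not an app, or a deep link from outside the app: load it in the
        # default context, which never sees the app's isolated state.
        return Page(url, DEFAULT, dict(self._default_jar(target)))

    def request_cookies(self, from_context, url):
        """State isolation: which cookies a (sub)request from `from_context` carries."""
        target = self._origin(url)
        app = self.apps.get(target)
        if app is not None and from_context == app.origin:
            return dict(app.cookies)
        return dict(self._default_jar(target))


def demo():
    """Walk through the paper's bank scenario; returns the observations."""
    b = AppIsolationBrowser()
    b.register_app("https://bank.example", {"/", "/login"})
    # The user logs in through an entry point; the session cookie is stored
    # in the bank app's isolated jar.
    login = b.navigate(DEFAULT, "https://bank.example/login")
    b.set_cookie(login, "session", "s3cret")
    # A constructed reflected-XSS-style deep link (attack string elided).
    crafted = "https://bank.example/search?q=ATTACK_STRING"
    return {
        # Navigated by a third-party page: refused entry, no bank state visible.
        "deep_link_from_attacker": b.navigate("https://attacker.example", crafted),
        # The same URL chosen by the bank itself proceeds with the session.
        "same_link_inside_app": b.navigate("https://bank.example", crafted),
        # A bookmark (whitelisted "/") still enters the app with its state.
        "bookmark": b.navigate(DEFAULT, "https://bank.example/"),
        # A cross-site request (CSRF pattern) carries none of the app's cookies.
        "csrf_request_cookies": b.request_cookies("https://attacker.example",
                                                  "https://bank.example/transfer"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The `navigate` rule is what restricts entry points: the only way a URL chosen by a third party reaches the app context is through the whitelist, so an attacker-controlled query string on a non-entry-point path is loaded without the bank's session. The separate jar in `App.cookies` is the state-isolation half; it is why the cross-site request in `demo()` sees no session cookie, and it is also the source of the deep-link and third-party-cookie compatibility cost the introduction mentions.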