On the Design of a Web Browser: Lessons learned from Operating Systems

1
On the Design of a Web Browser: Lessons learned from Operating Systems
  • Kapil Singh and Wenke Lee
  • Georgia Institute of Technology
  • Web 2.0 Security and Privacy 2008

2
Motivation
  • The browser has evolved from rendering static web
    pages to hosting a variety of applications.
  • Browser size has grown and it is running much more
    application code.
  • Effectively building up into a mini-OS.
  • So why not think of browser design based on
    known OS designs?

3
What we have today?
  • All browser components run in one isolation
    boundary.
  • Minimum or no isolation among components
  • Problem of plug-ins
  • increased code size
  • Source of increasing browser vulnerabilities
  • bad maintainability
  • lack of flexibility
  • Not much freedom to customize your browser

4
Have we already seen these issues somewhere?
  • Monolithic kernel design suffers from similar
    limitations!
  • Can we do something better?
  • Micro-kernel, Exokernel, SpinOS
  • Can the lessons from OS be applied to the browser
    design?

5
Design Principles
  • Isolation between browser components
  • Integrity of communication channels
  • Separation between policy and mechanism
  • Customization and Flexibility

6
Browser Design
  • Goal: To leverage known OS designs to develop a
    secure and flexible web browser.
  • Utilize the µ-kernel OS design [Liedtke95]
  • Layered architecture with a kernel mode and a
    user mode.
  • ß-kernel provides complete mediation.
  • All applications run on the layer on top of the
    ß-kernel.

7
Browser from an OS view
[Figure: µ-kernel based OS; ß-kernel based browser]

8
ß-kernel primitives
  • Address space
  • Communication between browser components
  • Identity of browser components

9
ß-kernel primitives: Address Space
  • Enable isolation and customized access control.
  • Memory management module owns complete address
    space at browser startup.
  • Grant, Map and Flush operations.
  • Applicable to browser cache and file system.

10
Example: Same Origin Policy
[Figure labels: X.com, Y.com, Memory Management, Access Control, ß-kernel]

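
A sketch of how the Grant, Map and Flush primitives and the same-origin example above could fit together, added here as an illustration and not taken from the presentation or the authors' implementation. The operation semantics follow the µ-kernel address-space model the slides cite; the class, the component names and the host-only origin check are assumptions.

```python
# Toy model constructed for illustration; all names here are hypothetical.
MEMMGR = "memmgr"  # stands in for the memory management module

def same_origin(src, dst):
    """Policy: memmgr may hand pages to anyone; other components only
    within their own origin (simplified here to the host part of the name)."""
    return src == MEMMGR or src.split("/")[0] == dst.split("/")[0]

class BrowserKernel:
    """Mechanism only: tracks who holds each page and who gave it to whom."""
    def __init__(self, pages, policy):
        self.policy = policy
        self.holders = {p: {MEMMGR} for p in pages}  # memmgr owns all at startup
        self.children = {}  # (page, giver) -> components that received it

    def _transfer(self, page, src, dst):
        if src not in self.holders[page]:
            raise PermissionError(f"{src} does not hold page {page}")
        if dst in self.holders[page]:
            raise ValueError(f"{dst} already holds page {page}")
        if not self.policy(src, dst):  # complete mediation: every transfer is checked
            raise PermissionError(f"policy denies {src} -> {dst}")
        self.holders[page].add(dst)

    def map(self, page, src, dst):
        """Share: src keeps access and can later flush dst."""
        self._transfer(page, src, dst)
        self.children.setdefault((page, src), set()).add(dst)

    def grant(self, page, src, dst):
        """Move: dst takes src's place in the mapping tree; src loses the page."""
        self._transfer(page, src, dst)
        self.holders[page].discard(src)
        for (pg, _), kids in self.children.items():
            if pg == page and src in kids:
                kids.remove(src)
                kids.add(dst)
        if (page, src) in self.children:
            self.children[(page, dst)] = self.children.pop((page, src))

    def flush(self, page, src):
        """Revoke: src keeps the page; all who got it via src lose it."""
        if src not in self.holders[page]:
            raise PermissionError(f"{src} does not hold page {page}")
        for dst in self.children.pop((page, src), set()):
            self.flush(page, dst)
            self.holders[page].discard(dst)
```

With `same_origin` as the policy, a map from `x.com/doc` to `y.com/doc` raises `PermissionError`, and a flush by the memory manager removes the page from every component that received it, directly or indirectly.
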
11
Design Directions
  • Single process browser
  • better performance and memory management
  • Intra-address space isolation [Ford08, Chiueh99]
  • Vx32 provides lightweight sandbox for guest code
    in the host address space.
  • Can control the system calls from the guest
    code.

12
Single process Performance (?)
13
Tackling browser extensions
  • Browser design allows flexibility to develop your
    own memory management, access control, etc. on
    top of the kernel.
  • Installation of new extensions mediated by the
    ß-kernel.
  • Communication interfaces verified according to
    the user policies.
  • Execution verification and isolation
  • Intra-process sandboxing

14
Conclusions
  • Presented a new browser design based on the
    learnings from a µ-kernel design.
  • Design shows potential, feasibility depends on
    performance and usability.
  • Attempt to bridge the gap between OS designs and
    browser designs.
  • Might be useful to utilize other experiences from
    the OS field.

15
  • Thank You.
  • Questions?
  • Kapil Singh
  • ksingh_at_cc.gatech.edu