Web browsers have become ever more important for our computers. Instead of displaying static HTML pages, browsers now handle complex web applications, ranging from social networking to text editors to online banking, and everything in between. While some browsers have finally started treating the browser more like an operating system (Chrome and Internet Explorer 8), those are just baby steps. The real thing is coming with Microsoft’s Gazelle, a research project which applies operating system concepts to the browser.
We’ve talked about Gazelle before on OSAlert, but over the past few weeks this Microsoft Research project made its way around the web again because the Systems and Networking group, the people working on Gazelle, will be presenting a paper about Gazelle at the Usenix Security Symposium. As such, let’s take a look at what Gazelle is trying to achieve, and how.
A core concept that you need to understand in order to grasp Gazelle is the principal. Most websites today offer content from different web principals at the same time, on one page. For instance, a page for a YouTube video draws content from YouTube itself, but also from various subdomains, such as the video content, advertisements, and so on. All these different principals live within the same process and protection domain, and this could potentially be dangerous. What if a browser managed such principals and the resources they demand like an operating system does?
What you’d end up with is a browser where a piece of bad code drawn from an ad domain can no longer hog or even crash the page – or worse, the entire browser or operating system. “In the Gazelle model, the browser-based OS, typically called the browser kernel, protects principals from one another and from the host machine by exclusively managing access to computer resources, enforcing policies, handling interprincipal communications, and providing consistent, systematic access to computing devices.” This is basically Chrome’s and IE8’s process-per-tab model taken to the extreme, with additional functionality.
Basically, Gazelle has a browser kernel that sits on top of the operating system. This browser kernel manages the principals, treating them like entities that are dangerous to one another; each principal gets its own sandboxed operating system process. So if an ad box has bad code in it, it won’t affect the rest of the page. Plugins are managed as principals, so they get the same benefits. This is a massive stride forward compared to current web browsers.
It is important to note that the team behind Gazelle wasn’t happy with the media presenting Gazelle as a product prototype; instead, they state it is “strictly research”, just another milestone in an ongoing effort. It follows from a Microsoft Research project from 2007, called MashupOS, which first explored the ideas behind the multi-principal OS. “The work in MashupOS was about identifying and designing the multi-principal OS abstractions that a browser should expose to programs, while Gazelle is all about constructing the browser as a multi-principal OS: How should a browser-based OS provide protection and resource management to its applications?” says Helen J. Wang, senior researcher at the Systems and Networking group.
Research project or no, Gazelle can correctly render 19 of Alexa’s top 20 web sites, but it uses Internet Explorer rendering technology to get there. As a research project, it’s also quite slow. Still, Wang believes this is the way to go. “I think this is the right way to go and I think this can be practical,” Wang said, “It will also take a lot of work.”
I’m personally very interested in Gazelle and what it could mean for the world of web browsing. Even though there is no information whatsoever on the future prospects of Gazelle as a product, if Microsoft were to turn this into a product as the successor to Internet Explorer, they’d turn the browser world upside down. It would put Microsoft at the very, very, very top of browser innovation.
That would be weird.
Now when the browser is having problems drawing a page, it’ll show the Blue Screen of Death, and I’ll have to reboot.
How is that a new thing?
I’d call this a BSOD. Wouldn’t you agree?
http://img219.imageshack.us/img219/144/bsod.png
Well, you see, it’s not really blue…
Well, it is kinda… blueish.
And it’s definitely a screen of Death. Just look at the icon. It’s dead.
Not sure basing your security on domains is the right idea. There is no real reason that abc.com is different from def.com; it’s just a DNS domain name, and that doesn’t mean they are different or the same originator. This isn’t that revolutionary.
It’s a bit like a Windows anti-virus application treating files differently depending on their drive letter (C:, D:, etc.). In reality it doesn’t mean anything. They could even be on the same drive!
They’d be better off sorting out buffer overflows and more bread-and-butter security weaknesses.
Edited 2009-07-08 00:34 UTC
That’s not what people generally exploit on the web. It’s far more common to see these Cross-Site Scripting attacks against the design of the web applications than against the browser code.
It’s the same reason why people go after applications running on Windows much more than after the OS itself: it’s a lot easier and likely just as lucrative.
One very common and insidious attack (it has happened with Google and Amazon, among others) is Cross-Site Request Forgery (or CSRF).
The idea is this: you go to your bank, and check the “keep me signed in” checkbox (which any bank worth their salt would NOT have, but this is an example). That site puts an authentication cookie in your browser. Next time you go to the site, it checks the cookie, and doesn’t bother asking for username/password, but just forwards you along to the next screen.
Now, I have a site (or use an XSS attack against a site you use), and I do an AJAX request that mimics a form submission to transfer money to my account. The site receives the request, checks for authentication, since it is the browser making the request it finds the cookie, and just lets it through.
These kinds of exploits are very difficult to avoid; the only thing you can really do is generate an authentication token on every page, and then check for it on the next request from that session.
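The per-page token check this comment describes, as an added example that is not part of the original post. It is a stand-alone simulation of a bank’s server side: the in-memory session store, the `login`, `render_transfer_form` and `handle_transfer` names, and the single-use token policy are assumptions made here, not details from the thread.

```python
import hmac
import secrets

# Constructed in-memory session store (stand-in for a real server's session backend).
SESSIONS = {}


def login(user):
    """Issue a session id; the browser will carry it back automatically as a cookie."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": None}
    return sid


def render_transfer_form(sid):
    """Server renders the transfer page: mint a fresh token for this page and embed
    it in the form. A page on another origin cannot read this value."""
    token = secrets.token_urlsafe(32)
    SESSIONS[sid]["csrf"] = token
    return {"html": f'<input type="hidden" name="csrf" value="{token}">', "token": token}


def handle_transfer(cookies, form):
    """Server side of POST /transfer. The cookie only proves the browser is logged
    in, not that the user intended this request; the token proves the request
    came from a page this server rendered into that same session."""
    session = SESSIONS.get(cookies.get("sid"))
    if session is None:
        return (401, "not logged in")
    expected = session.pop("csrf", None)  # single use: each rendered page mints a new one
    supplied = form.get("csrf", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return (403, "csrf token missing or invalid")
    return (200, f"transferred {form['amount']} to {form['to']} for {session['user']}")


def legitimate_flow():
    """User loads the form and submits it: cookie and token are both present."""
    sid = login("alice")
    page = render_transfer_form(sid)
    return handle_transfer({"sid": sid}, {"to": "bob", "amount": "10", "csrf": page["token"]})


def cross_site_flow():
    """The scenario from the comment: another site makes the browser submit the form.
    The browser attaches the session cookie, but that site never saw the token."""
    sid = login("alice")
    render_transfer_form(sid)  # alice has the real page open; the token lives only there
    return handle_transfer({"sid": sid}, {"to": "mallory", "amount": "1000"})
```

Because the token is popped on use, replaying a captured request with an old token also fails with 403, which is the property the comment's "check for it on the next request" relies on.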
Maybe it is that this will be practical/needed in the future as the web heads for a more application-like platform, but really, is anyone concerned at all about the problems Gazelle is trying to address?
Yes, pretty much everyone is. The browser is an application that executes arbitrary code off the internet, and that millions of people enter sensitive information into.
Very much so. Never mind “in the future” – the web is already well on the way to an application-like platform, and has been for several years. And if you look through recent Firefox release notes, you’ll notice that a substantial proportion of the bugs fixed in the 3.0.x series were security bugs of this kind.
This sort of reminds me of a microkernel OS architecture.