Microsoft introduces ultra-secure web browser

By Sterling “Chip” Camden
Contributing Writer, [GAS]

You must be wondering how you entered a parallel universe in which a [GAS] headline can include the words “Microsoft”, “browser”, and “secure” — without the words “not”, “disaster”, or “joke”.  And given the history of security flaws in Internet Explorer over the years, the folks at Redmond need to put a whole lot of money where their mouth is when they claim to be developing a browser that implements a better security model than Firefox, Google Chrome, or even OP (PDF).  But that’s exactly the claim of a team at Microsoft Research, where they’ve developed a prototype and written a paper (PDF) about a proposed web browser they call “Gazelle.”

Both Chrome and OP have already explored the idea of achieving greater security and reliability by creating separate processes to manage different concerns within the browser.  Gazelle uses the same idea, but draws the lines between processes a bit differently.  In Gazelle, the Browser Kernel (BK) manages all direct access to the operating system and the network.  Individual page-rendering processes may only access these resources indirectly, via an API through the BK.

Gazelle also strictly enforces process separation along same-origin policy (SOP) lines.  If you have a web page that embeds an iframe that’s sourced from a different domain, for example, Google Chrome hosts that entire page including the iframe within the same process.  In Gazelle, each domain-host-protocol source gets its own process.  The process for the iframe renders the display for the area that it occupies as a “tenant”, but has no access to any part of the page outside that area.  The main page, or “landlord”, manages the dimensions of the iframe, but has no access to the content within it.  Neither process manipulates the screen directly — that’s relegated to the BK.

Gazelle’s SOP rules are also stricter than those of existing browsers.  Subdomains are not considered the same origin as their parent domain — so a script hosted at scripts.mydomain.com would not have access to elements of a page hosted at mydomain.com, for instance.  However, a path (e.g., mydomain.com/scripts) is still considered part of the same origin.
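To make the origin rule concrete, here is an added example (not code from the Gazelle paper or prototype) that labels URLs with the principal that would render them and groups a page's resources accordingly; the hostnames are made up, and treating the port as part of the label is an assumption the article does not spell out.

```python
from urllib.parse import urlsplit

# Default ports so that "http://mydomain.com" and "http://mydomain.com:80" are one principal.
# Including the port in the principal label is an assumption; the article names only
# protocol and host.
DEFAULT_PORTS = {"http": 80, "https": 443}

def principal_of(url: str) -> tuple:
    """Label a URL with the principal that would render it: (scheme, host, port).
    A subdomain is a different principal from its parent; the path is ignored."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        raise ValueError(f"not an absolute URL: {url!r}")
    scheme = parts.scheme.lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, parts.hostname, port)

def same_origin(a: str, b: str) -> bool:
    """Gazelle-style same-origin test: identical principal label or nothing."""
    return principal_of(a) == principal_of(b)

def partition_into_principals(page_url: str, resource_urls: list) -> dict:
    """Group a page and its embedded resources by principal. Each group is what
    the Browser Kernel would hand to its own sandboxed rendering process."""
    groups: dict = {}
    for url in [page_url, *resource_urls]:
        groups.setdefault(principal_of(url), []).append(url)
    return groups

# Constructed sample page (hostnames are illustrative, not from the article).
PAGE_URL = "http://mydomain.com/index.html"
RESOURCE_URLS = [
    "http://mydomain.com/scripts/app.js",       # same path prefix: same principal
    "http://MyDomain.com:80/style.css",         # explicit default port: same principal
    "http://scripts.mydomain.com/lib.js",       # subdomain: separate principal
    "https://mydomain.com/secure.css",          # different scheme: separate principal
]

if __name__ == "__main__":
    for principal, urls in partition_into_principals(PAGE_URL, RESOURCE_URLS).items():
        print(principal, "->", urls)
```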

Unlike the OP browser, Gazelle does not separate JavaScript, CSS, and HTML handling into separate processes.  Microsoft researchers feel that such a separation adds no real security benefit, while adding a significant interprocess communication overhead.  So Gazelle combines everything required to render content from a single source within a sandboxed process.  That process is paired with a sandboxed instance of browser plugins to form what is called a “principal”.  Principals can communicate with the BK and with each other, but only through the defined API.  Plugins operate under the same source restrictions as web content, so they only have access to page content that comes from the same origin as the plugins themselves.

The team has put quite a lot of thought into how to handle user-generated events as well.  A mouse click, for example, is forwarded to the principal in charge of the screen area under the pointer.  The topmost window wins, and every principal’s assigned area must be opaque — eliminating many types of clickjacking vulnerabilities.
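The click-routing rule in a few lines, as an added example rather than code from the paper: the kernel keeps each principal's rectangle and stacking order, refuses any area that is not opaque, and hands a click to the topmost principal covering that point. The layout and hostnames are constructed.

```python
from dataclasses import dataclass
from typing import Optional

Principal = tuple  # (scheme, host, port), as assigned by the kernel

@dataclass(frozen=True)
class Region:
    principal: Principal
    x: int
    y: int
    w: int
    h: int
    z: int               # stacking order; larger is nearer the user
    opaque: bool = True

    def contains(self, px: int, py: int) -> bool:
        return self.x <= px < self.x + self.w and self.y <= py < self.y + self.h

def register_region(regions: list, region: Region) -> list:
    """The kernel accepts only fully opaque areas, so no principal can sit
    invisibly over another and receive clicks meant for it."""
    if not region.opaque:
        raise ValueError("principal areas must be opaque")
    return regions + [region]

def route_click(regions: list, px: int, py: int) -> Optional[Principal]:
    """Deliver a click to the topmost principal whose area covers (px, py).
    A principal never sees events outside its own area."""
    hits = [r for r in regions if r.contains(px, py)]
    if not hits:
        return None
    return max(hits, key=lambda r: r.z).principal

# Constructed layout: a landlord page filling an 800x600 window and one
# cross-origin iframe tenant at (100, 100), 300x200 (hostnames are made up).
LANDLORD = ("http", "mydomain.com", 80)
TENANT = ("http", "ads.example", 80)
REGIONS = register_region([], Region(LANDLORD, 0, 0, 800, 600, z=0))
REGIONS = register_region(REGIONS, Region(TENANT, 100, 100, 300, 200, z=1))

if __name__ == "__main__":
    print(route_click(REGIONS, 150, 150))  # inside the iframe: tenant
    print(route_click(REGIONS, 50, 50))    # outside the iframe: landlord
```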

The prototype version of the browser reportedly works reasonably well — the team has identified many areas for improvement, but it displayed 19 out of the top 20 Alexa-ranked sites without any issues.  Performance will need work — which shouldn’t be a surprise given the design of the prototype:  the BK is written in C#, and the browser instance is a Trident WebControl wrapped in an “interposition layer” of code that prevents the WebControl from doing anything directly with the system or the network.  We can only hope, should Gazelle become a production browser, that Microsoft would abandon Trident in favor of a more standard and better-performing rendering engine.

Source: The Multi-Principal OS Construction of the Gazelle Web Browser (PDF)

32 Responses to Microsoft introduces ultra-secure web browser

  1. Sounds pretty interesting.

    Would be good to see this come out. Wonder if it would replace IE in the end though, or whether they would run the two browsers.

    • I have to think that they’re looking at this as the next generation of browser — where the browser becomes the OS, instead of being just a highly vulnerable client program. So I’m betting that IE eventually dies — or that Gazelle becomes what they call IE version whatever. But that’s all speculation on my part.

  2. Great! We have another browser to check if the website renders correctly.

    I wonder if they still use the same rendering engine as in IE.

    • The prototype is using Trident (the same rendering engine as in IE), but they don’t say whether that will be the rendering engine for any final product. In fact, they don’t discuss getting this to market at all.

    • If it does ever get to market — even if it uses the same rendering engine, you’re still correct to say that compatibility tests would be needed. Especially when it comes to how scripts work. The strict security model could easily disable a lot of scripts, and maybe even some CSS.

  5. It sounds like a very ambitious project. It’s too bad it’s not open source, but if it does become the most secure browser I would gladly change my position as Mozilla’s #1 fanboy.

  7. This is not a Microsoft project, it’s only sustained by them. The idea is interesting but taking into account the performance problems I doubt it will ever get to market.

    • What do you mean by “sustained by them”? The first three researchers listed have microsoft.com email addresses.

      I expect that the performance problems can be overcome, and are mostly due to the ugly hack used to create the prototype — a lot of the code is used simply to prevent the WebBrowser control from performing its default actions, and the kernel is unoptimized C#. I would expect both of those features to change radically before any product comes out of this.

      • What I meant to say is that Gazelle looks more like a university research project sponsored by Microsoft than like a real line of product development.

        I suppose Microsoft sponsors hundreds of such projects and only several of them ever get to market.

        • You’re probably right about that. But the issue of browser security is a hot one for Microsoft, and both Chrome and OP have made the case for using separate processes to limit risk. I think this one will see the light of day sometime, though who knows in what form.

    • I’d argue that IE is insecure by design. Allowing ActiveX controls and native-language add-ons means that the browser will always be as insecure as the combined malevolence or stupidity of the authors of those components.

  9. If it works like the Vista security model, you’ll have to separately approve each cookie, each image, each block of text loading in the web page. ;-)