The 1993 release of the Mosaic browser sparked the onset of the modern Web revolution. The nascent Web was a hypertext document system for which the browser performed two functions: it fetched simple, static content from Web servers, and it presented that content to the user. A key Web feature was the ability for one Web site to link to (or embed) content published by other sites. As a result, users navigating the early Web perceived it as a vast repository of interconnected, passive documents.
Since that time, the Web has become increasingly complex in both scale and function. It provides access to an enormous number of services and resources, including financial accounts, Web mail, archival file storage, multimedia, and e-commerce services of all types. Users transfer funds, purchase tickets and commodity items, file their taxes, apply for employment, seek medical advice, and carry out a myriad of other interactions through the Web. The perception of the Web has evolved, as well. Today's users see the modern Web as a portal to a collection of independent, dynamic applications interacting with remote servers. Moreover, they expect Web applications to behave like applications executed on their personal computers. For example, users trust that Web applications are sufficiently isolated from one another that tampering or unintended access to sensitive data will not occur, but such expectations are sometimes unrealistic.
To respond to the demands of dynamic services, the browser has evolved from a simple document-rendering engine to an execution environment for complex, distributed applications that execute partially on servers and partially within clients' browsers. Modern Web browsers download and execute programs that mix passive content with active scripts, code, or applets. These programs: effect transactions with remote sites; interact with users through menus, dialog boxes, and pop-up windows; and access and modify local resources, such as files, registry keys, and browser components. The browser, then, has transcended its original role to become a de facto environment for executing client-side components of Web applications.
Unfortunately, current browsers are not adequately designed for their new role. Despite many attempts to retrofit isolation and security, the browser's original roots remain evident. Simply clicking on a hyperlink can cause hostile software to be downloaded and executed on the user's machine. Such “drive-by downloads” are a common cause of spyware infections. Trusted plug-ins may have security holes that permit content-based attacks. Browser extensibility features, such as ActiveX components and JavaScript, expose users to vulnerabilities that can potentially result in the takeover of their machines.
Vulnerabilities can exist in both client-side browsers and in the Web services with which they communicate. In browsers, scripting languages such as JavaScript and VBScript are a major source of security flaws. While individual flaws can be addressed, the underlying security framework of browser scripting is itself considered unsafe, suggesting that flaws arising from active content will be an ongoing problem.
Java applet security is a well-studied topic. Java's current stack-based security model is significantly stronger than its original model. However, Java applets have recently taken a secondary role on the Web to other forms of active content, such as Flash elements, ActiveX components, and JavaScript. It would be desirable to employ virtual machines to provide a language-independent safe execution environment for browser instances. Even if a browser has security vulnerabilities, it would be desirable to contain those flaws within the virtual machine “sandbox.”
Multiple approaches for containing code within sandboxes have been explored by others, including operating system call interposition, fine-grained capability-based systems, intra-process domains, and virtual machine monitors or hypervisors. In addition to exploring such mechanisms, researchers have previously explored appropriate policies and usage models. For example, MAPbox™ defines a set of canonical application class labels (such as compiler, network client, or server) and appropriate sandboxes for them, and relies on the user to classify programs according to those labels. Window Box™ provides users with durable, isolated Windows desktops, each associated with a different role or security level (e.g., work, home, or play). Web services themselves are prone to attack from buffer overruns, SQL injection attacks, and faulty access control policies. Improving Web service security is an active research topic. However, none of the prior art has directed the use of virtual machines toward a browser architecture that isolates Web applications from each other.
Users assume that Web applications cannot interfere with one another or with the browser itself. However, today's browsers fail to provide either kind of isolation. For example, attackers can take advantage of cross-site scripting vulnerabilities to fool otherwise benign Web applications into delivering harmful scripted content to users, leaking sensitive data from those services. Other browser flaws let malicious Web sites hijack browser windows or spoof browser fields, such as the displayed URL. Such flaws facilitate “phishing” attacks, in which a hostile application masquerades as another to capture information from the user.
Overall, it is clear that current browsers cannot cope with the demands and threats of today's Web. While holes can be patched on an ad hoc basis, a thorough re-examination of the basic browser architecture is required. To this end, a new browsing system architecture is needed. The new architecture should adhere to three key principles:
1. Web applications should not be trusted. Active content in today's Internet is potentially dangerous. Both users and Web services must protect themselves against a myriad of online threats. Therefore, Web applications should be contained within appropriate sandboxes to mitigate potential damage.
2. Web browsers should not be trusted. Modern browsers are complex and prone to bugs and security flaws that can be easily exploited, making compromised browsers a reality in the modern Internet. Therefore, browsers should be isolated from the rest of the system to mitigate potential damage.
3. Users should be able to identify and manage downloaded Web applications. Web applications should be user visible and controllable, much like desktop applications. Users should be able to list all Web applications and associated servers that provide code or data, and ascribe browsing-related windows to the Web applications that generated them.
It would be desirable to provide a browser operating system architecture that is straightforward to implement, protects against the majority of existing threats, and is compatible with existing Web services and browsers. This architecture should be achieved without compromising user-visible performance, even for video-intensive browsing applications.