
Is There Room For a Secure Web Browser?

Soulskill posted more than 6 years ago | from the you-can-have-ie's-spot dept.


An anonymous reader points out an eWeek story about researchers from the University of Illinois at Urbana-Champaign who are designing a new web browser based on security. The new software, code-named OP for Opus Palladianum, will separate various components of the browser into subsystems which are monitored and managed by the browser kernel. Quoting: "'We believe Web browsers are the most important network-facing application, but the current browsers are fundamentally flawed from security perspective,' King said in an interview with eWEEK. 'If you look at how the Web was originally designed, it was an application with static Web pages as data. Now, it has become a platform for hosting all kinds of important data and businesses, but unfortunately, [existing] browsers haven't evolved to deal with this change and that's why we have a big malware problem.' The idea behind the OP security browser is to partition the browser into smaller subsystems and make all communication between subsystems simple and explicit."


Somewhat pointless? (5, Interesting)

Izabael_DaJinn (1231856) | more than 6 years ago | (#22888610)

I'm not sure if I get this. The key feature seems this:

"Our policy removes the burden of security from plug-in writers, and gives plug-ins the flexibility to use innovative network architectures to deliver content while still maintaining the confidentiality and integrity of our browser, even if attackers compromise the plug-in," he said.

Great! :)

But even if it works as planned...this new browser is going to enter the market and who is going to download it? A tiny percentage of internet users--those would be part of the same minority who would also know how to use Firefox (and other browsers) quite safely *right now*.

So who is this product for? Seems interesting from a design point of view, but unless one of the big browsers adopts it, could it really make even a tiny dent on the security of the internet?

I predict no. The internet's main problem is between the monitor and keyboard ;-)


Re:Somewhat pointless? (0, Interesting)

Anonymous Coward | more than 6 years ago | (#22888654)

Cool! A super slow browser that will lose all the performance wars to FF and Opera. Like anyone would use it. Compatible with what? One web page? Give me a break. If people in general actually cared about security we would already have security. Duh!

Re:Somewhat pointless? (4, Funny)

Corwn of Amber (802933) | more than 6 years ago | (#22888996)

Another web browser that no one will use, for the reasons you mention.

Like it's that hard to securely receive and render webpages. It's a trivial task. Anyone who says the contrary should get a reality check. It's very possible to program without bugs. That's what correctness tests are for. And if your toolkit sucks so much it has security holes, code your own lib from scratch.

Re:Somewhat pointless? (1)

smussman (1160103) | more than 6 years ago | (#22889126)

From TFA:

The prototype currently runs on Linux with KHTML as the layout engine. The long-term plan is to create a cross-platform Webkit version that will be released to the open-source community

So I don't think it's going to be quite "super slow"

Re:Somewhat pointless? (3, Insightful)

piojo (995934) | more than 6 years ago | (#22889142)

This browser seems like the sort of thing that big companies might like to install on their workstations. After all, they don't care that much about usability (my university currently has right clicking disabled--there are quite a few things that are harder or impossible if you can't right click). I don't mean to say that this browser will be unusable--it's just that a corporation might sacrifice speed and flexibility for security. This browser might also be good for kiosks.

Re:Somewhat pointless? (5, Informative)

irc.goatse.cx troll (593289) | more than 6 years ago | (#22889366)

If your university runs Windows, try hitting alt+shift+numlock (alt/shift have to be the left side) to enable mouse keys, then with numlock on hit * and then 5 to middle-click.

Fuck silly restrictions.

Re:Somewhat pointless? (5, Insightful)

Bacon Bits (926911) | more than 6 years ago | (#22888662)

Don't be so close-minded. The same could have been said for Gecko (Mozilla) or Webkit (Safari) or Opera back in the IE 5/6 heydays.

Re:Somewhat pointless? (4, Insightful)

webmaster404 (1148909) | more than 6 years ago | (#22888732)

No, how Gecko/WebKit got so popular was because of how bad both a) ActiveX was and b) how much of a pain it was to get IE to render simple things. What we need is less bloated browsers, those that don't use up 100+ MB of RAM, along with faster browsers. As for security, as long as it is open-source it will probably be patched and up to date well enough to deal with all the problems except the one typing on the keyboard.

Re:Somewhat pointless? (5, Interesting)

Bacon Bits (926911) | more than 6 years ago | (#22889088)

And why was ActiveX bad? Not just because it was platform specific, but because it was insecure and prone to malware abuse. The model behind ActiveX was inherently flawed because it had too much trust for remote code to be automatically executed. Firefox and Opera are both billed as more secure because they are not subject to the kinds of broad attacks that IE 5 and 6 were.

Mozilla, Safari, and Opera gained market traction by having features that users or developers wanted that were not otherwise available. Security is a feature that many users, developers, and particularly network administrators desire. Say you have a choice between deploying your workstations with Firefox or with Secure Firefox, which one do you pick?

We're nearly to the stage where interface features (bookmarks, tabs, toolbars, javascript, flash, java) are reasonably complete and rendering speed and quality (Acid2, Acid3) is reasonably complete. So we can assume that any modern browser (including this new one) will be fully-featured and acid-compliant when released. It would be inane to do otherwise. So how do you improve browsers from here? Security *is* still an issue with browsers because they are *the* platform of the decade. Why not improve that?

Prove to me that security in IE, Firefox, Opera, and Safari is "good enough".

Re:Somewhat pointless? (3, Insightful)

hedwards (940851) | more than 6 years ago | (#22889328)

Prove to me that security in IE, Firefox, Opera, and Safari is "good enough".

The current number of browser exploits clearly indicates that you are correct.

IE has both activeX and extensions to worry about, on top of being tightly integrated into the core OS. And Firefox has the additional burden of all those extensions that most people use. Removing the extensions makes it significantly easier to audit the code and assure that the end user browser experience is secure. With extensions, they can only QA the browser itself and ensure that the basic API allows sufficiently secure practices.

Personally I like the idea that's being pushed here, and have been wondering for quite some time why there isn't more separation between extensions/plugins and the browser itself. People will use whatever is cheap, fast, pretty, reliable and secure. There is no inherent reason why with all the processing power and extensions to the processor that a browser like this can't nail the other three while being close enough on performance that people don't notice a speed trade off.

This kind of thing can already be done presently. Just in a less efficient and less fine grained manner. Linux or similar in a VM.

Re:Somewhat pointless? (4, Funny)

Dahamma (304068) | more than 6 years ago | (#22889116)

or Opera back in the IE 5/6 heydays.

Or Opera in the IE 7/8 heydays, for that matter...

Totally pointless. (1)

zonky (1153039) | more than 6 years ago | (#22888666)

as you say. who will adopt it? The people who would most benefit from it? Of course not.

Re:Somewhat pointless? (0)

Anonymous Coward | more than 6 years ago | (#22888670)

Exactly what I thought. Where is the incentive to encourage secure programming practices?

This seems like an attempt to "fix stupid."

All Hype. (0, Troll)

inTheLoo (1255256) | more than 6 years ago | (#22888700)

You think Microsoft wants people to equate Firefox with security like you just did? This piece of vapor is all marketing.

This is more of the same from them, promising things they never deliver. Security has been job one for them for the last six years and it has yet to make a dent on the malware problem their customers have. Yet there they go again, "our next version of X will completely blow away the things you could enjoy from our competitors today." It gets tiresome.

The scant description makes their new concept sound like a Mosaic UAC and it's ripe for abuse. The company that's been accused of manipulating search results and political based email filtering would love to have a complicated "security" wrapped around the world wide web.

Re:All Hype. (0)

Anonymous Coward | more than 6 years ago | (#22889072)

I am confused as to who you are talking about here. This is not a MS product so it can't be them you are trying to say are creating vaporware. Not a Mozilla thing either, and anyone that associates Firefox with security needs a reality check. A secure browser would be a nice thing to have as an option; currently none exist at all.

Re:Somewhat pointless? (2, Funny)

al0ha (1262684) | more than 6 years ago | (#22888718)

"The internet's main problem is between the monitor and keyboard " I definitely have to agree with this statement. However I am a little less pessimistic about wide-spread acceptance of a truly secure browser. As an Information Security professional, I definitely welcome the idea and think they are on the right track. Separation of duties and data validation in and out. Once completed, you could count me as being on board in trumpeting its use. Now if we could only do something about the Internet's main problem. ;-)

Yeah, right. (0, Flamebait)

twitter (104583) | more than 6 years ago | (#22888750)

M$ likes to blame "3rd party" applications and plugins for all their problems. It will be a cold day in hell when they release a browser that would deny them that dodge.

Re:Yeah, right. (2, Funny)

calebt3 (1098475) | more than 6 years ago | (#22889066)

Then they would blame 3rd party attackers.

Re:Yeah, right. (0, Troll)

larry bagina (561269) | more than 6 years ago | (#22889254)

And the MoFo likes to blame 3rd party extensions for FireFox's memory leaks and instability.

Re:Somewhat pointless? (1)

AKAImBatman (238306) | more than 6 years ago | (#22888902)

But even if it works as planned...this new browser is going to enter the market and who is going to download it?

Depends. If it's integrated into the popular web browser shells (e.g. FF, IE, Opera, Webkit), then everyone. Which is ultimately how all web technologies are introduced.

Re:Somewhat pointless? (4, Interesting)

Deanalator (806515) | more than 6 years ago | (#22888930)

If I was offered a browser that was able to contain flash or quicktime 0day, I would switch to it in a heartbeat. For all the security in firefox, 0day still exists, and is used frequently in the environments that I work in. These threats can be mitigated, and we really should be moving towards properly designed software.

link to the paper:
http://www.cs.uiuc.edu/homes/kingst/Research_files/grier08.pdf [uiuc.edu]

Re:Somewhat pointless? (0)

Anonymous Coward | more than 6 years ago | (#22888968)

I don't care about it from a security point of view, but it sounds pretty awesome from a maintainability and reliability point of view. Today I seem to have the choice of "Flash plugin enabled" or "browser stays up more than a day". (Other video players have issues, but Flash seems to be the worst offender.) And I've tried looking at Mozilla, but it's quite simply a monster -- my chances of understanding it seem only slightly higher than being able to grok OpenOffice.

If they manage to produce a browser that's reliable in the face of crashy plugins, and easier to hack than Firefox, they could be on to something. Web browsers today *do* suffer from fundamental design flaws.

Re:Somewhat pointless? (4, Funny)

RuBLed (995686) | more than 6 years ago | (#22888986)

I predict no. The internet's main problem is between the monitor and keyboard ;-)

The internet's main problem is a cup of coffee?

Re:Somewhat pointless? (0)

Anonymous Coward | more than 6 years ago | (#22889506)

No, no, no. It's the keyboard USB cable.

Re:Somewhat pointless? (0)

Anonymous Coward | more than 6 years ago | (#22889062)

The internet's main problem is between the monitor and keyboard ;-)

What's wrong with my desk?

Re:Somewhat pointless? (2, Funny)

ModernGeek (601932) | more than 6 years ago | (#22889118)

What is between the monitor and keyboard that causes issues with the internet?

Re:Somewhat pointless? (1)

elrous0 (869638) | more than 6 years ago | (#22889408)

The head of the idiot who uses them

Re:Somewhat pointless? (1)

scamper_22 (1073470) | more than 6 years ago | (#22889132)

So basically, it's a micro-kernel for web browsers.
Ah, good old micro-kernels... they missed the boat with desktop OS and then they missed the boat on web browsers... but have no fear.
They are the 'right' solution.

Sarcasm aside, their 'security' model should be operating system wide for any networked application. I should be able to instruct an application that I don't think need to access my harddrive to never be able to. On install, the application requests a security profile and you either approve/disapprove accordingly.

Good luck to them getting this working on a web browser.

Re:Somewhat pointless? (0)

Anonymous Coward | more than 6 years ago | (#22889162)

I disagree with the idea that many of the problems in computer security stem from the user. More specifically, I don't believe in putting the burden of security on to users unless it's necessary.

For example, I've read some posts over the years that claim that the major problem with web and email security is that people download "dangerous" files (attachments from people the user doesn't know) or visit "dangerous" web sites (which might exploit the browser to gain access to the user's files, network connections, etc). If they just didn't do that, they'd be fine.

That seems pretty unambitious and limiting to me. Ideally, my computer should be protecting me; I shouldn't be protecting it. It's a challenge, to be certain, but I think one worth pursuing.

Re:Somewhat pointless? (0, Redundant)

BroadbandBradley (237267) | more than 6 years ago | (#22889210)

you do mean the problem exists between keyboard and chair PEBKAC.... right?

similar to an I Dee 10 T error (ID10T).

users are so 404.

Re:Somewhat pointless? (0)

Anonymous Coward | more than 6 years ago | (#22889228)

IE 7 is cool. I think I'll switch to it for my Windows computers (despite having used Firefox since its first beta). What I like about beta 3: tooltips that show keyboard shortcuts, in fact an entire list of keyboard shortcuts is available from the option menu on newly opened tab. Also I like the option on shutdown to open up with the current tabs next time.

"But there are extensions for all that!" In fact that gets me to what I hate most about Firefox. Extension hell. Every time I install Firefox on a new system I have to hunt down a list of extensions for it or my user experience is going to change radically. And all those extensions take up memory and processor time, and often have bugs or security flaws of their own.

Another thing I like about IE 7 is its sandbox mode on Vista. That should, I think, provide several security advantages over competing browsers. (In fact, IE 6 with ActiveX turned off was already reasonably secure.)

How do I use firefox safely? (1)

nten (709128) | more than 6 years ago | (#22889294)

I keep it updated to the latest non-beta release. I use no-script. I don't feel safe, how many fortune 500 companies get compromised on a regular basis? How often has /. been compromised? Whitelisting only works when you have some sense that there is *anyone* you can trust to run code on your machine. And anytime I allow jscript/flash/pdfs/quicktime etc. for a page, that is what I'm doing. I know one thing I should be doing is browsing only from a user with limited rights, but so much crap doesn't work without superuser that it just seems infeasible. And even a user account can spam people all day.

Re:How do I use firefox safely? (1)

CastrTroy (595695) | more than 6 years ago | (#22889548)

What feature of your web browser doesn't run under a limited user? There's no reason you can't start Firefox (or any other browser) as a different user, and just do everything else with your regular old admin user.

Re:Somewhat pointless? (2, Funny)

Echelon One (1062532) | more than 6 years ago | (#22889336)

The internet's main problem is between the monitor and keyboard

So, what, the speakers? The empty bottle of Gatorade that's been sitting on my desk for a week? I think you meant PEBKAC [acronymdb.com] ;)

Re:Somewhat pointless? (2, Interesting)

Heembo (916647) | more than 6 years ago | (#22889496)

The internet's main problem is between the monitor and keyboard ;-)

I know you meant well, but that is a very ignorant statement. I can be casually surfing the web with a modern browser, and if I hit a site that was hijacked by an attacker, even if I have modern security software installed, I can get hit with JavaScript code that can escape the sandbox, break single origin policy, or (in the past) flat out run OS commands. The browser is an operating system. And a very insecure one at that.

Re:Somewhat pointless? (0)

Anonymous Coward | more than 6 years ago | (#22889542)

I predict no. The internet's main problem is between the monitor and keyboard ;-)

I looked there but just found some crumbs and dust.... Although I have found that users are a big problem and they are somewhere between the chair and keyboard....

Between my monitor and keyboard? (0)

Anonymous Coward | more than 6 years ago | (#22889550)

Oh, great. Now I have to virus check my pens, ashtray, spare batteries and what not. As if it wasn't bad enough. Damn you.

We do not have a malware problem. (2, Insightful)

twitter (104583) | more than 6 years ago | (#22888616)

M$ has a malware problem. I'm all for better design but we should avoid sweeping generalizations about computer security. It's not a "computer virus" it's a Word Macro, a pdf pass through exploit, an Outlook problem, etc. People who pretend to be "platform neutral" are either ignorant or trying to sell you something second rate. Any platform can use more security but only one of them really needs it.

The general approach sounds much like what any browser, or any program for that matter, already does. A main process calls and monitors subroutines that do different things on demand. Calling the main program a kernel and its messaging "OS level" does not do much for me. All modern software is as modularized as possible. What's really going on here besides Microsoft Research hype?

Don't overlook the potential for abuse. (2, Funny)

inTheLoo (1255256) | more than 6 years ago | (#22888740)

Just think of what Microsoft would like to do with UAC for your browser. "This website is not Microsoft signed, Cancel or Allow?"

Re:Don't overlook the potential for abuse. (1)

ScrewMaster (602015) | more than 6 years ago | (#22888800)

Just think of what Microsoft would like to do with UAC for your browser. "This website is not Microsoft signed, Cancel or Allow?"

I think this is how it would really be: "This website is not Microsoft signed."

Re:We do not have a malware problem. (1, Informative)

Anonymous Coward | more than 6 years ago | (#22889298)

You already posted [slashdot.org] in this article with one of your many sockpuppet accounts. Please don't game the moderation system or the posting limits for negative karma accounts. They exist for a reason.

M$ has a malware problem.

Since I run Windows and don't have a malware problem, it follows that "M$" doesn't, either. Users who download and run shit on their computers do, however. It also follows that if I had a malware problem in OS X or Linux, it would be my fault.

A main process calls and monitors subroutines that do different things on demand. Calling the main program a kernel and its messaging "OS level" does not do much for me.

Let's put it this way. If this had come out of IBM or some other company, you'd be praising god and passing the ammo, mostly because it's obvious by what you wrote here that you have no understanding whatsoever of the topic at hand, and didn't even bother to RTFA. You're just pretending to be an "advocate" by mindlessly bashing Microsoft, which does not help us one bit, especially when you use "we". While I use and promote free software whenever I can, I'd rather not be associated in any way with people like you.

I used to have some OP shirts (0)

Anonymous Coward | more than 6 years ago | (#22888638)

But then they weren't cool anymore, so I stopped wearing them.

part of the solution.... (4, Informative)

owlnation (858981) | more than 6 years ago | (#22888648)

One quick and easy way to make the web a safer place would be for ActiveX to be shunned by everyone. If you are a web developer, simply refuse to use it.

Shhh! It's a secret. (1)

Erris (531066) | more than 6 years ago | (#22888778)

ActiveX is the "kernel" that minds the rest of the processes! How else can you cram it full of !NET?

Meet the new IE, same as the old IE.

LOL (-1, Troll)

Anonymous Coward | more than 6 years ago | (#22888652)

Like these schmucks from this hick school have any experience in writing a web browser.

Re:LOL (0)

Anonymous Coward | more than 6 years ago | (#22889378)

Parent was attempting for 'funny'(not commenting on that), but not a troll - go easy, mods.

Please don't link to eWeek (2, Insightful)

Animats (122034) | more than 6 years ago | (#22888664)

Users with strong privacy protections can't get past the stupid ad screen. Find another source, please.

no (2, Insightful)

Kohath (38547) | more than 6 years ago | (#22888678)

Security is low on the list of features people notice, so sacrificing anything higher on that list for the sake of security will be perceived as a negative feature.

So no.

Re:no (1)

eli pabst (948845) | more than 6 years ago | (#22889596)

Security is low on the list of features people notice, so sacrificing anything higher on that list for the sake of security will be perceived as a negative feature.

I disagree. Look at the market share that Firefox has picked up, almost exclusively because people were desperate for a browser that would protect them from sites that infected their systems with spyware and malware. If anything using Firefox is more of a pain in the ass because many website developers only beta-test their code in IE.

Ad-free version of article (3, Informative)

jroysdon (201893) | more than 6 years ago | (#22888686)

Ad-free version of article [eweek.com] .

How hard is it to look for the "Print version" w/o ads and link to that?

Re:Ad-free version of article (2, Insightful)

noidentity (188756) | more than 6 years ago | (#22888846)

How hard is it to look for the "Print version" w/o ads and link to that?

I figure that once everyone starts linking to the "no fucking ads so we can read the article comfortably" link, they'll stop providing it. I, for one, would like this feature to continue to exist.

Man, if only Samuel L Jackson were here... (3, Funny)

Anonymous Coward | more than 6 years ago | (#22889060)

He'd know what to say...

Whiny-bitch-free version of the motherfucking link provided by parent. [eweek.com]

Really fucking easy, which is why we don't need a karma whoring bitch such as yourself providing the motherfucking thing.

About as easy as shutting your editorializing bitchass mouth motherfucker.

Re:Ad-free version of article (2, Insightful)

chubs730 (1095151) | more than 6 years ago | (#22889282)

Because some folks would like to make a living off of this whole internets thing. It's no secret that nobody likes ads, but hosting and bandwidth costs money. This is one reason that all the "I use adblock and I'm going to let you know every chance I get" people bother me. If nobody sees these ads, or clicks them, then the sites you've come to rely on for free will cease to exist.

Besides, you clearly take advantage of the karma bonus that the ad-ridden stories provide ;).

Wrong Opus? (1)

miguelfrommars (1222110) | more than 6 years ago | (#22888702)

Partition? Unpatriotic wimps I say! Give me repartition or give me vulnerability! Besides, to really be an "Opus" shouldn't it be a penguin?

In other news... (4, Funny)

ruinevil (852677) | more than 6 years ago | (#22888712)

...emacs is getting a browser. Still no word on the implementation of a usable editor.

Re:In other news... (2, Funny)

Constantine XVI (880691) | more than 6 years ago | (#22889130)

Everyone always seems to forget viper-mode

Yet another layer to destroy performance. (1, Insightful)

Anonymous Coward | more than 6 years ago | (#22888720)

This is just another layer of software to further destroy the performance of our modern PCs. Even just to render a string on-screen in a web app goes through numerous layers on a typical Linux system:
1) The browser's UI layer.
2) The GUI toolkit's high-level rendering layer.
3) The GUI toolkit's low-level rendering layer.
4) Xlib.
5) The network connection, UNIX domain socket or shared memory between the Xlib and the X server.
6) The X server's high-level graphics layer.
7) The X server's low-level graphics layer.
8) The X driver.
9) The Linux kernel.
10) Finally the hardware itself.

So even a "Hello World!" app for a browser goes through at least 10 layers of code, and that's in an ideal situation. It's no wonder that PCs today don't feel any faster than those of a decade ago, even though we've got hundreds of times the processing power and RAM; we keep slowing them down by adding further layers for such basic operations.

I've got a secure web browser (3, Funny)

dudeman2 (88399) | more than 6 years ago | (#22888738)

Lynx [isc.org] .

Such a great idea (3, Funny)

rudy_wayne (414635) | more than 6 years ago | (#22888746)

Divide your software into subsystems managed by a kernel. That's certainly guaranteed to make things more secure -- just look how well it worked for Windows.

The super-duper-secure safe OS (4, Funny)

sweet_petunias_full_ (1091547) | more than 6 years ago | (#22888954)

OK, if you really want a truly secure safe OS (and by extension, to a browser mapped to the same address space), this is what you need in your OS:

Not one microkernel, for extra safety you need redundant nanokernels, with a microkernel over those, then the user kernel. To prevent buffer overruns, all messages passed between these are sent as emails, with spamassassin checking lest any of them get any ideas about sending spams.

OK, next you need lots of verification. Every time you write to disk there should be a second process to verify that what was written is correct. Then you need a process to check that the verifier process is checking things correctly. If memory doesn't run out while doing this, a body of processes should vote democratically as to whether the whole thing finished correctly. In case of collusion between the processes, some of them will be strictly dice rolls.

The least trusted part of the computer is the user, otherwise known as the "owner" of said computer. Thus, that person should not be allowed to do anything because that is a sure way to introduce problems. Harass that person with questions and popups at every opportunity. That will make sure they go out and read a book and not get in the way of the important things that the operating system is trying to do.

To prevent hardware from crashing any of the kernels, they must be separated by a special interface layer that works a lot like a chat room (IRC). What this means is that devices that speak the protocol correctly can connect and be listened to by the kernel(s). Those that misbehave or that use foul language are kicked off by the watchdog process. The watchdog process is watched by a bulldog process. Sometimes the bulldog just barks, other times the two are wrestling it out on the ground while the rest of the system waits for them to sort out their differences. Alas, such is the price of progress.

To further prevent buffer overruns, a new character encoding is introduced where a previously one-byte code now needs ten bytes to encode it. This means that buffers have to be ten times bigger and thus there is a lot more space before an overrun occurs.

Let me know if you can think of any more features to add to this future super-OS.

Re:The super-duper-secure safe OS (3, Funny)

Zebra_X (13249) | more than 6 years ago | (#22889270)

With all those kernels lying around all you are going to get out that design is *popcorn*

Re:Such a great idea (2, Insightful)

raddan (519638) | more than 6 years ago | (#22889064)

I'm not sure if you're being witty or just naive, but this really does appear to be a general software engineering strategy that works. I don't know much about how Windows' kernel works, so I can't say whether their implementation is any good-- I suspect that their business imperative to provide backward compatibility and rich APIs have probably hindered their efforts on the security front.

But if you go out and look at software that is written to be secure, the subsystem approach is how it is done. Postfix, for example, is actually a collection of simple applications. One application does queueing, one specializes in spewing SMTP, one specializes in receiving SMTP, and so on. Also, system call policy enforcement mechanisms (ala systrace) and privilege separation (like in Apache or SSH) can be formally verified to work. I think UIUC is on the right track here. Whether their browser becomes THE web browser is somewhat unimportant, since they're researching an area of security that has had a fair amount of attention from good programmers but not computer scientists. In some ways this is the ultimate in enforcing "object-oriented"-ness: code isn't just a collection of modules, the application is a collection of small applications, too.

The less functionality the better (5, Insightful)

sweet_petunias_full_ (1091547) | more than 6 years ago | (#22888754)

The solution for a more secure browser isn't to gild it with ever-growing layers of security and virtual machines, quite the reverse, it's to keep things simple.

If we allow an internet to exist without the need for complex interpreted languages, if people open mostly static HTML documents when they open web pages instead of opening a pandora's box of plugins, languages, interpreted bytecodes, activeX gotchas and other unnecessary exploitable garbage, then the entire internet will be more secure.

By making it more complex, exploits and backdoors are virtually guaranteed. But well, that's just *my* ignorant opinion.

Re:The less functionality the better (1)

dave562 (969951) | more than 6 years ago | (#22888914)

You're right about the ideal solution for a more secure browser. I think the "problem" is that people are used to a dynamically rich web experience and the challenge then becomes to provide that experience for them as safely as possible. The internet was much safer when I first got onto it. We didn't have web browsers.... just gopher and lynx. Yet ironically enough my first access to telnet came through a misconfigured gopher process that I could kill with a ^Z and get to the telnet prompt. I guess exploits have always been there and the browsers have never been 100% secure.

Re:The less functionality the better (5, Informative)

Anonymous Coward | more than 6 years ago | (#22889026)

Web browsers are already complex, and they've been designed without any regard whatsoever for security. It's impossible to go back to static HTML documents by now. So would you prefer that everyone just sticks their head in the sand, and pretends that it'll all go away?

This approach allows for complex browsers to actually become safer, by simplifying them. The browser is broken up into a set of components. Each component runs in a separate process, completely isolated (by the operating system) from the other components. In addition, each component is isolated from the rest of the system using mandatory access controls (SELinux in this case) which prevent the component from doing anything that it doesn't need to do.

The key aspect is that the components only have one way to communicate with each other - a single communications channel which is created by, controlled, and mediated by the kernel process. That means that all interactions between the components are simplified, and can be monitored by the kernel. The kernel itself can be small and simple enough that its behaviour can be proven correct. The kernel then enforces a security policy.

This approach is known to work - it's similar to the approach used by operating system kernels.

Let's say you break into the rendering component, where the HTML rendering and JavaScript VM reside. You have absolutely no access to the operating system - your only link to the outside world is through the kernel, to the other components. Even if you manage to run native code inside the rendering engine, the operating system won't allow you to access the network, filesystem, or anything else. You only have access to the IPC mechanisms, and even then only to the connection between the rendering component and the kernel.

If your objective is to compromise the operating system through the browser, you can not do that from here. You can't just send a message to the component that handles file access, and get it to load malware onto the system - the kernel will prevent it. Even if you also find a hole in the kernel that allows you to run native code inside the kernel, the kernel doesn't have the ability to access the filesystem either. The filesystem component won't help either - it only has access to a small piece of the filesystem.

If your goal is to steal someone's bank password, you'll still have a tough time of it. The kernel will prevent you from doing anything that doesn't fit within the security policy. Even if you could access a bank password, you're not going to be able to send that information to anyone. If you do have the ability to send that information, you're not going to have access to the passwords.

The idea is not to add complexity - this browser should be no more complex than any other. The idea is to improve security by separating components, isolating them, and verifying that they are not doing anything that they're not supposed to.

It's called "defence in depth" - acknowledging that the system can never be made totally secure, and designing it in such a way that any security breaches won't be able to do any damage, and are able to be tracked for analysis later.
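The mediation the post above describes, as an added toy model (not code from OP, UIUC or any shipping browser): every message between components passes through a kernel object that checks it against an explicit (sender, destination, kind) policy table and records the decision. The component names, message kinds and the policy itself are assumptions chosen for illustration. The important detail is that the sender identity is assigned by the kernel from the channel the message arrived on, so a compromised renderer cannot claim to be the UI in order to reach the file-access component.

```python
"""Toy model of a browser kernel mediating every inter-component message.

Added example; this is not code from OP, UIUC or any shipping browser.
Component names, message kinds and the policy table are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Message:
    dst: str        # component the sender wants to reach
    kind: str       # message type
    payload: str


# Explicit policy: (sender, destination, kind) triples the kernel forwards.
# Anything not listed is dropped.  The renderer has no path to "storage" and
# "storage" only ever answers the UI, so code running inside a compromised
# renderer can neither read files nor receive their contents.
POLICY = {
    ("renderer", "network", "fetch"),
    ("network",  "renderer", "response"),
    ("renderer", "ui",       "draw"),
    ("ui",       "renderer", "navigate"),
    ("ui",       "storage",  "read_file"),   # user-initiated file access only
    ("storage",  "ui",       "file_data"),
}

Handler = Callable[[Message], list[Message]]


class BrowserKernel:
    def __init__(self) -> None:
        self.handlers: dict[str, Handler] = {}
        self.audit: list[tuple[str, str, Message]] = []   # (decision, sender, msg)

    def register(self, name: str, handler: Handler) -> None:
        self.handlers[name] = handler

    def send(self, sender: str, msg: Message) -> bool:
        """Mediate one message: True if delivered, False if denied.

        'sender' is the identity of the channel the message arrived on, which
        the kernel assigns; a component cannot choose it, so it cannot claim
        to be the UI in order to reach storage.
        """
        if (sender, msg.dst, msg.kind) not in POLICY:
            self.audit.append(("DENY", sender, msg))
            return False
        self.audit.append(("ALLOW", sender, msg))
        # Replies go through the same check, with the sender fixed by the
        # kernel to the component that produced them.
        for reply in self.handlers[msg.dst](msg):
            self.send(msg.dst, reply)
        return True


def build_browser() -> tuple[BrowserKernel, dict[str, list[Message]]]:
    """Wire up four stub components and record what each one receives."""
    names = ("renderer", "network", "ui", "storage")
    inbox: dict[str, list[Message]] = {n: [] for n in names}
    files = {"/home/user/bank.txt": "hunter2"}     # constructed sample data
    kernel = BrowserKernel()

    def network(msg: Message) -> list[Message]:
        inbox["network"].append(msg)
        return [Message("renderer", "response", "<html>" + msg.payload + "</html>")]

    def storage(msg: Message) -> list[Message]:
        inbox["storage"].append(msg)
        return [Message("ui", "file_data", files.get(msg.payload, ""))]

    def sink(name: str) -> Handler:
        def handler(msg: Message) -> list[Message]:
            inbox[name].append(msg)
            return []
        return handler

    kernel.register("network", network)
    kernel.register("storage", storage)
    kernel.register("renderer", sink("renderer"))
    kernel.register("ui", sink("ui"))
    return kernel, inbox


def compromised_renderer_scenario() -> dict[str, object]:
    """Attacker code runs inside the renderer; see which requests get through."""
    kernel, inbox = build_browser()
    secret = "/home/user/bank.txt"
    results: dict[str, object] = {
        # legitimate page load: allowed
        "fetch": kernel.send("renderer", Message("network", "fetch", "example.test/")),
        # attack: read the user's file straight from storage
        "read_file": kernel.send("renderer", Message("storage", "read_file", secret)),
        # attack: route the request through the UI (no such message kind allowed)
        "via_ui": kernel.send("renderer", Message("ui", "read_file", secret)),
    }
    # a genuine, user-driven file open from the UI still works
    kernel.send("ui", Message("storage", "read_file", secret))
    results["renderer_got_secret"] = any("hunter2" in m.payload for m in inbox["renderer"])
    results["ui_got_secret"] = any("hunter2" in m.payload for m in inbox["ui"])
    results["denied"] = sum(1 for d, _, _ in kernel.audit if d == "DENY")
    return results


if __name__ == "__main__":
    for k, v in compromised_renderer_scenario().items():
        print(f"{k:>20}: {v}")
```

The audit list is the "tracked for analysis later" part: every denied message records who sent it, where it was aimed and what it carried, which is exactly what an incident responder wants from a sandbox that held.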

Re:The less functionality the better (1)

kesuki (321456) | more than 6 years ago | (#22889244)

The best security ideas came around in the 60s and 70s; they haven't changed much.

So basically the most secure browsing environment possible is a fully hardened Linux From Scratch where the browser is being run by a limited user, who can't sudo or su, and where much of the filesystem is made immutable with chattr (chflags for BSD/Apple users trying to make a hardened BSD or Apple setup).

Then hackers, no matter how good, will just give up on your system, and thank God that Microsoft is too retarded to adopt a file system/user configuration setup that would make it easy for people to run as limited users, and hard even if that person is retarded to overwrite vital system files.

What I want to know is... (4, Funny)

jemenake (595948) | more than 6 years ago | (#22888832)

What the hell makes these UIUC people think that they know how to make a browser? You'd think they'd leave this kind of thing to people who've done it before. Sheesh! :)

Re:What I want to know is... (1)

tjstork (137384) | more than 6 years ago | (#22889044)

What the hell makes these UIUC people think that they know how to make a browser? You'd think they'd leave this kind of thing to people who've done it before. Sheesh! :)

It's amazing how few people on /. seem to have gotten this joke.

Brooks' Law (1)

jmorris42 (1458) | more than 6 years ago | (#22889174)

Well they are just applying Brooks' Law... a bit late but better late than never.

Mosaic begat IE. The original Mosaic authors begat Netscape which begat Mozilla which finally (with a few name changes we can skip) begat Firefox. Now with over a decade to see just how those original designs failed to scale to what the Internet became it is about time to toss the whole codebase and start over with the knowledge of what didn't work.

Hope they can do it faster than the whole Mozilla rewrite ended up taking.

Re:Brooks' Law (1)

Kent Recal (714863) | more than 6 years ago | (#22889422)

Hope they can do it faster than the whole Mozilla rewrite ended up taking.

Hell yea!

I squirm whenever I read about all the man-years they constantly throw at refactoring the black hole that is the Mozilla codebase.

Really, how long can it take to write a new browser from scratch? I'm not saying that it's not a serious undertaking but I would really love to see what all those skilled Mozilla devs could achieve if all the legacy crap was suddenly taken off their shoulders...

Better yet, I'm sure that not all parts are broken beyond salvation. Why not cherry-pick the good stuff (and *only* the good stuff) and build your new world around it!

Large parts of Gecko could likely survive the transition. Same for the JS engine of choice. Everything UI would have to go (remember: XUL was originally meant as a practical joke) but that part is not so hard to reinvent better.

Kernel, application... (1)

bluefoxlucid (723572) | more than 6 years ago | (#22888842)

I have said for years that an application and a kernel are the same damn thing. I gave up eventually on trying to explain microkernel architecture and how to make an application resistant to faults and attacks because no one listened. Not even when Flash and Java crashed and took down the whole browser (oops). Looks like someone's finally getting the idea of protected mode memory schemes and operating system security policies (which you can apply to different processes, but not different bodies of code... well you can, but it's hard and causes huge performance problems).

Security is an annoyance to most peopl (2, Insightful)

icepick72 (834363) | more than 6 years ago | (#22888848)

Security isn't important enough to people right now to make the change away from IE (or older versions of it). A new browser deemed more secure will be met with less interest because those people not wanting to deal with current secure features in Firefox like NoScript and AdBlock plugins, surely they won't want to fiddle with something having even more restraints.

Re:Security is an annoyance to most peopl (2, Insightful)

WarJolt (990309) | more than 6 years ago | (#22888962)

People don't want to deal with it. The other day I was hearing someone complain about Vista's security features. However, a secure architecture is different from a security feature. The idea is to prevent exploits and minimize the damage when things go wrong. Ideally the user won't have to enable a setting. I'd adopt it.

Re:Security is an annoyance to most peopl (1)

n6kuy (172098) | more than 6 years ago | (#22889744)

> -I'm on a quest for anyness and I am ready.

OK. Just press the 'any' key.

Yes, if it's standards-compliant (4, Insightful)

mandelbr0t (1015855) | more than 6 years ago | (#22888854)

I don't see why this couldn't fly. Samuel King appears to be a well-established professor with solid credentials. It's based on SELinux at present, but they've designed it to work with various other resource segmenting programs (they named AppArmor).

I'd say the key to finding a market will be standards-compliance. If it supports HTML 4 and XHTML reasonably well (like anyone can do it perfectly) and has ECMAScript, then it can work with a properly-designed webapp. While they're designing plugin support, I don't think it matters much whether Flash will be supported. People who care about security don't tend to be distracted by shiny things.

Sure, it won't even come close to top of the browser list. The purpose of this browser, however, is to bring web browsers to locations that can't use them because of security concerns. As a developer, I can certainly say that my productivity is improved with web access - forums, developer documentation, bug reports. I've been at companies that won't let their developers work on the Internet at all, probably for fear of espionage. The web browser is probably the second largest target (after e-mail clients) for malware writers. Web browsers are ubiquitous now, so spending some time researching "white-hat" web techniques is a worthwhile effort regardless, and I'm sure there are some who will find this browser useful. I will continue to use Firefox, despite the security concerns associated with JavaScript and Flash. My tin-foil hat is back in the closet, and I want to keep it there.

Re:Yes, if it's standards-compliant (0)

Anonymous Coward | more than 6 years ago | (#22889266)

It's based on KHTML. KHTML is a standards compliant rendering engine - it lags behind its sibling WebKit, and Opera, but tends to be on-par with, or slightly ahead of Gecko, and miles ahead of Internet Explorer.

TFA stated that they're looking into using Webkit as a rendering engine for this thing as well. I use both Konqueror (KHTML) and Safari (Webkit) quite often, and never have any problems with either browser. Compatibility will not be a problem.

The neat thing with this architecture is that Flash can be supported more securely than in traditional browsers. Since plugins are isolated from the rest of the browser, they can't compromise the entire browser. The kernel prevents the plugin from violating the browser's security policy in any way. Combined with an appropriate SELinux policy which prevents the plugin from compromising the operating system or bypassing the browser's security system, this browser could actually contain an attack that exploits a vulnerability in a plugin.

A link to the paper (5, Informative)

Sam King (1263550) | more than 6 years ago | (#22888934)

Here is a link to the full research paper [uiuc.edu] , we hope you enjoy it!

Very worthwhile project, well done (1)

Morgaine (4316) | more than 6 years ago | (#22889186)

The browser is the single flakiest application in modern operating systems, and has long needed an overhaul to make it robust and protected by design.

In Firefox on Linux, to lose 20 open tabs just because of a single bad web page is incompetent browser design, and Mozilla should be taken to task over it. The fact that some lost sessions can be recovered on restart is just a band aid --- the entire browser should not have gone down in the first place.

A robust browser kernel plus strong MMU-guaranteed separation and protection between pages or websites is exactly the way to go.

Re:A link to the paper (1)

Deanalator (806515) | more than 6 years ago | (#22889332)

Haha, I was going to yell at you that I posted the link to the paper first [slashdot.org] (well, same time anyway), then I realized who you were :-)

I really have just briefly glanced over it at the moment, but it looks interesting. Is there code I can download somewhere? I can't find any on yours or Chris's websites. Also, have you checked out jnode [jnode.org] ? Similar to Microsoft's Singularity, but actually functional (and in Java).

Doomed by Expediency (2, Interesting)

bill_mcgonigle (4333) | more than 6 years ago | (#22889000)

They're using a rendering engine written in a language that gets its stack smashed by buffer overflows. Nearly all browser security bugs that aren't of the XSS-type are due to buffer overflows.


Seriously, yes, I'd love to see a secure browser I could recommend for my family's computers, but it's a lot of hard ground-up work. (It might actually be faster to write a tool to port the current Gecko/WebKit tree to another language automatically than to start in on a whole new rendering engine in a secure language).

Get started now and the silicon will be fast enough by time the browser is ready.

Re:Doomed by Expediency (0)

Anonymous Coward | more than 6 years ago | (#22889650)

There are plenty of solutions to secure stacks in software using an automated tool. That's one of the easier problems out there; check CCured, DieHard, Samurai or any of the others.

Great, another (potentially) crappy browser (0)

Anonymous Coward | more than 6 years ago | (#22889096)

If these guys only have security in mind, imagine what will become of standards compliance. It's already a pain to code for Firefox/Safari/Opera and IE5/IE6/IE7/IE(infinity), we don't need a new one.

Typical OSS mindset... Instead of helping others make their stuff better, they just make their own version.

Here's what I want (3, Insightful)

British (51765) | more than 6 years ago | (#22889120)

How about simply throttling the CPU usage Flash can use in Firefox? The whole system can slow down to a crawl just from ONE ad-laden web page. I'm not on some slouch of a computer, but every once in a while I wonder why things are sluggish. I close the suspect tab and everything's back to normal.

To me a secure browser would be non-modular, and be pretty slim on the list of features.

NO activeX
NO plug-ins, period. Once you introduce a 3rd party software entry point, it's spoiled
No giving out referrer info unless you say so
strict cookie control
Mike's ad blocking hosts file built in, and configurable (or something similar)
CANCELABLE javascript. Wha? Any time you get a javascript prompt, you'll have OK, cancel, and "stop all javascript right fucking now".
JavaScript turning off URL bars, resizing windows? I don't think so. Leave that to the user.

And I'm betting there's 20 other things I haven't thought of that's mandatory. The web browser has become so fluidic that there's tons of entry points to a user's system now.

Re:Here's what I want (2, Informative)

recoiledsnake (879048) | more than 6 years ago | (#22889202)

CANCELABLE javascript. Wha? Any time you get a javascript prompt, you'll have OK, cancel, and "stop all javascript right fucking now".
Opera already does this.

Re:Here's what I want (4, Informative)

lithis (5679) | more than 6 years ago | (#22889522)

When I press F12 in Opera (or pull down the Tools menu and choose Quick preferences), I get the following menu:
  • Open all pop-ups
  • Open pop-ups in background
  • Block unwanted pop-ups
  • Block all pop-ups
  • Enable GIF/SVG animation
  • Enable sound in webpages
  • Enable Java
  • Enable plug-ins
  • Enable JavaScript
  • Enable cookies
  • Enable referrer logging
  • Enable proxy servers
  • Edit site preferences...
It's amazingly simple to enable and disable many irritating features. I keep plugins and animations off at all times, except when I want them.

Re:Here's what I want (1)

lithis (5679) | more than 6 years ago | (#22889574)

JavaScript turning off URL bars, resizing windows? I don't think so. Leave that to the user.
I forgot to mention that Opera has this, too. The JavaScript preferences dialog has a list of seven actions that can be disabled. Plus, if the address bar is hidden, the top of the window shows the current servername, and clicking on that address causes the address bar to appear.

Re:Here's what I want (1)

sgunhouse (1050564) | more than 6 years ago | (#22889702)

You can do most of that in Opera today (or 5 years ago for that matter).

Opera has never had ActiveX. While Opera does support plugins, you can turn them all off with a simple menu choice. Same for referrer info - it was originally disabled by default; it's now enabled by default due to sites that try to block external linking but can be disabled with a menu choice. Cookies? Of course you can block them all, you can turn them all into session cookies and various other options.

Ad-blocking? Yes, though it doesn't come with a list.
Cancellable javascript? Checkbox in every alert box.
Javascript to raise, lower, resize windows or hide toolbars? Also optional.

And Opera doesn't allow websites to access the file:// protocol

Re:Here's what I want (2, Insightful)

n6kuy (172098) | more than 6 years ago | (#22889704)

What I'd like to know is who's the asshole that designed the functionality into JavaScript that allows it to take control of stuff that it has no business taking control of, such as window decorations, URL bar, status bar, right click menu, etc.

That person oughtta be lynched.

maybe not for consumer, but attractive to business (1)

boyermike (835281) | more than 6 years ago | (#22889170)

Don't underestimate the viability of such a browser with the business community. Traction with business could also be surprising given the risk it purports to reduce.

I am the CIO of a technology company and would welcome reasonable solutions that allow me to help plug the risk that unmanaged code in today's browsers represents. Browsers remain one of the most prevalent sources of infections and malware which risk my corporate network and are also a source of data-loss/leak risk.

In the age of SOX, HIPAA, PCI and others, I would welcome a tool to add a layer of protection, enforcement, and a compliance trail for auditors.

Heck, this might be the first browser variant I would be willing to consider PAYING for.

Maybe it won't fly as a consumer browser, but corporations may flock to it.


Yes, it's called IE 7 on Vista (seriously) (2, Insightful)

ThinkFr33ly (902481) | more than 6 years ago | (#22889212)

I know, I know... this is Slashdot, I shouldn't bother. But IE 7 on Vista (running in Protected Mode [msdn.com] ) is pretty damn secure [washington.edu] .

While there have been exploits for IE 7, not a single one of them could successfully bypass Protected Mode. I'd say that's a pretty damn good track record for a browser that has been out for about a year and a half and has undoubtedly been targeted by many, many bad guys. (And good guys, for that matter.)

Firefox = Money for kid that can't program (0, Offtopic)

zymano (581466) | more than 6 years ago | (#22889222)

The kid, Blake Ross, that worked (haha, more like cut and paste) on Firefox didn't do much other than reduce Mozilla's size to create Firefox. He really didn't program anything.

Now Firefox is just Google's bitch for ad money kickbacks. $10 million dollars a year to him.
http://www.dulcenegosyante.com/top-20-internet-millionaires-under-30/ [dulcenegosyante.com]

Although the FF beta is not bad and has reduced memory usage, it's still way buggy.

Oprah is better than regular Firefox and only opensource people with an agenda have been pushing FF because it was viewed as holy, free and not compromising to greedy companies. Not so fast....

Re:Firefox = Money for kid that can't program (2, Funny)

junner518 (1235322) | more than 6 years ago | (#22889360)

Oprah is definitely better than all other web browsers :p. Good talk show too...

plenty of room (1)

OglinTatas (710589) | more than 6 years ago | (#22889456)

I have 180 GB free. That should be enough room. I hope.

Web Browsers with kernels? service modules? (1)

you should love mach (993765) | more than 6 years ago | (#22889492)

How long would it take us to recognize the web browser is too flawed as an application platform? IMHO all of us should strive to leave HTML (and perhaps HTTP) behind and create a sound platform for internet application distribution, one where I don't have to spend so many hours suffering for an old IE/Firefox bug or the poor support of JavaScript programming tools, one where I don't have to worry about security policies tinkered from a platform designed for content, not applications.

You could say that it would never catch up because of the widespread adoption of browsers (did you notice the name? browser!), but then we are condemned to suffering ridiculous 'innovations' (AJAX? come on! smart terminals were a long time ago; a secure web browser?! why should I bother more about it than my OS security? After all, it is my application platform).

It's just a matter of when we want to do it, because you just can't continue stretching its limits ad infinitum. We have paid too much for the sweetness of application distribution offered by the web. It just doesn't make sense anymore.

Why bother? Safari is already 100% secure (0)

Anonymous Coward | more than 6 years ago | (#22889494)

why bother with a new, slow design. The world already has a 100% secure browser immune to security threats -- Safari.

bad start (1)

nguy (1207026) | more than 6 years ago | (#22889512)

If they want to write a more secure web browser, they shouldn't start with a C++-based layout engine.

djb described this design a couple years ago (0)

Anonymous Coward | more than 6 years ago | (#22889622)

Bernstein was working on the idea of a Unix-based web browser where every component of the software was locked in a jail. For instance if you wanted to decode image data like a JPEG, the browser would spawn a process that couldn't do anything but take JPEG data on stdin and produce a decoded pixel bitmap on stdout. Each process would run under a separate randomly-generated UID, etc.

Basically, it would be next to impossible to hijack this via malformed data. Each component of the system would work the same way... it would take untrusted data from the network and output low-level decoded data in a safe way (for instance, the jpeg decoder would output the length of the bitmap, and then the bitmap). Of course there are limitations to this design (how could you possibly secure Javascript... maybe just leave it out!).

This is of course an excellent idea, which means it will never get implemented.

Programmers simply have too much ego to believe that they could possibly write a piece of code with bugs in it... either that, or they have this stupid belief that "all software has security holes" so they don't try to reduce them *by design*.

I'd like to see what they come up with though. If it's not brain-dead simple like djb's design, it will just move the security holes around rather than render them useless.
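The jailed-decoder pattern the post above attributes to djb, as an added example (not djb's code and not OP's): the parent hands an untrusted blob to a throwaway child process over stdin, the child may answer only with a length-prefixed bitmap on stdout, and the parent validates that framing as strictly as it would validate network input. The "image" format is a constructed toy ("TOY <w> <h>\n" followed by w*h pixel bytes) standing in for JPEG so the example runs offline. It assumes a Unix host for the resource limits; running the worker under its own throwaway UID would need root and is left out.

```python
"""A decoder jailed to stdin/stdout, in the spirit of the djb design above.

Added example; this is not djb's code and not OP's.  The "image" format is a
constructed toy ("TOY <w> <h>\n" then w*h pixel bytes) standing in for JPEG so
the example runs offline.  Assumes a Unix host (the resource module).  Running
the worker under its own throwaway UID would need root and is left out.
"""
from __future__ import annotations

import resource
import struct
import subprocess
import sys

# The worker: read the whole untrusted blob, emit "<u32 length><bitmap>" and
# nothing else.  Any failure is a non-zero exit, never a partial answer.
WORKER_SRC = r"""
import struct, sys
data = sys.stdin.buffer.read()
header, _, body = data.partition(b"\n")
magic, w, h = header.split()           # ValueError on junk -> exit status 1
if magic != b"TOY":
    raise SystemExit(2)
w, h = int(w), int(h)
if len(body) != w * h:
    raise SystemExit(3)
out = sys.stdout.buffer
out.write(struct.pack("<I", len(body)))
out.write(body)
out.flush()
"""

MAX_BITMAP = 1 << 20        # parent-side cap on what we will accept back


def _cap(res: int, value: int) -> None:
    """Lower an rlimit to 'value' (or the current hard limit if that is lower)."""
    _, hard = resource.getrlimit(res)
    if hard != resource.RLIM_INFINITY:
        value = min(value, hard)
    resource.setrlimit(res, (value, value))


def _jail() -> None:
    # Runs in the child between fork and exec (not thread-safe; fine here).
    _cap(resource.RLIMIT_CORE, 0)       # no core dumps of untrusted state
    _cap(resource.RLIMIT_CPU, 2)        # a decompression bomb just gets killed
    _cap(resource.RLIMIT_FSIZE, 0)      # it cannot create files of any size


def decode(untrusted: bytes) -> bytes | None:
    """Decode in a throwaway process; return the bitmap or None on any failure."""
    try:
        proc = subprocess.run(
            [sys.executable, "-c", WORKER_SRC],
            input=untrusted,
            capture_output=True,
            timeout=5,
            preexec_fn=_jail,
        )
    except subprocess.TimeoutExpired:
        return None
    if proc.returncode != 0:
        return None             # the worker crashed or refused; we did not
    out = proc.stdout
    if len(out) < 4:
        return None
    (n,) = struct.unpack("<I", out[:4])
    # Trust the worker no more than the network: the declared length must
    # match exactly what follows it and must stay under our own cap.
    if n > MAX_BITMAP or len(out) != 4 + n:
        return None
    return out[4:]


# Constructed sample inputs.
GOOD = b"TOY 3 2\n" + bytes([10, 20, 30, 40, 50, 60])
TRUNCATED = b"TOY 3 2\n" + bytes([10, 20])             # body shorter than w*h
OVERSIZED = b"TOY 100000 100000\n" + b"\x00" * 16       # claims far more than it carries
JUNK = b"\xff\xd8\xff\xe0 not an image at all"          # bogus header, crashes the worker

if __name__ == "__main__":
    samples = [("good", GOOD), ("truncated", TRUNCATED), ("oversized", OVERSIZED), ("junk", JUNK)]
    for name, blob in samples:
        print(name, decode(blob))
```

The point of the length prefix is that the parent's parser is a few lines that can be reviewed exhaustively, while whatever complexity the real decoder has stays on the far side of the pipe, where a crash or a hijack ends the process rather than the browser.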

Slashdot keeps deleting this story: (1, Informative)

Anonymous Coward | more than 6 years ago | (#22889718)

Mac OS X gets hacked first in a contest to hack 3 notebooks, running Mac OS X, Ubuntu and Vista, earning the hacker $10,000. Network attacks failed against all three yesterday causing the $20,000 offered to go unclaimed, today browser attacks were tested and Mac OS X failed in 2 minutes, Vista running IE7 and Ubuntu running Firefox managed to deflect all attacks. Tomorrow 3rd party applications will be added into the mix to increase the attack surface of the remaining contestants.

http://security.itworld.com/5013/mac-hacked-first-in-contest-080327/page_1.html [itworld.com]

Just goes to show the culture of the alternate OS types. Anything that proves them wrong is covered up and denied.