Isolating Web Programs in Modern Browser Architectures
CS6204: Cloud Environment, Spring 2011



Relationship with Lecture 1

OS processes as isolation mechanism
- Lecture 1: Implemented on Microsoft IE web browser
- Lecture 2: Implemented on Google Chromium web browser


Other Secure Web Browser Architecture 1/2

The Tahoma Web browsing system
- Based on Browser Operating System (BOS)
- Runs each web application (web browser + site) in its own virtual machine
- Implemented on a Xen virtual machine (on top of a Linux distribution)
- Web browser: Konqueror


Other Secure Web Browser Architecture 2/2

USENIX’s secure Web Browser
- Based on UNIX OS user’s privileges
- Implemented on a SubOS-capable OpenBSD 2.8 operating system using Perl
- Uses three daemons:
  - Browser Log-in Daemon: downloads objects over the network. Every object is assigned a sub user id
  - Browser Display Daemon: displays the content
  - Browser Interpreter Daemon: processes the content of the downloaded objects. Starts a new process with sub user id to interpret active code


Ideas

Enable browsers to identify program boundaries

Revamp web browser to isolate programs

Preserve the compatibility with existing web content


Web Programs Identification 1/5

Abstractions
- Web programs: Set of related pages and their sub resources that provide a common service
- Web program instance: Copies of pages from a web program that are tightly coupled within the browser


Web Programs Identification 2/5

Concrete definitions
- Site
  - Concrete realization of a web program abstraction
  - Combination of protocol and registry-controlled domain name
  - Relaxes the Same Origin Policy, since page origin can change during runtime


Web Programs Identification 3/5

Browsing Instance
- Set of connected windows and frames
- Is created each time a fresh browser window is opened
- Grows each time an existing window creates a new connected window or frame


Web Programs Identification 4/5

Site instance
- Set of connected same-site pages within a browsing instance
- Only one site instance per site
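The definitions of site, browsing instance and site instance given on these slides, modelled as an added example (not code from the slides, the paper or Chromium). The suffix set is a constructed, tiny stand-in for the Public Suffix List, and all URLs and names such as `site_of` and `BrowsingInstance` are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed, deliberately tiny stand-in for the Public Suffix List (assumption).
PUBLIC_SUFFIXES = {"com", "org", "co.uk"}

def site_of(url):
    """Site = protocol + registry-controlled domain name (subdomain and port ignored)."""
    parts = urlsplit(url)
    labels = (parts.hostname or "").lower().split(".")
    # Scan from the longest candidate suffix; keep one label left of the match.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return f"{parts.scheme}://" + ".".join(labels[max(i - 1, 0):])
    return f"{parts.scheme}://" + ".".join(labels)  # unknown suffix: keep full host

class BrowsingInstance:
    """Connected windows and frames; holds at most one site instance per site."""
    def __init__(self, first_url):
        self.site_instances = {}          # site -> URLs of the pages in that instance
        self.open_connected(first_url)

    def open_connected(self, url):
        """A window or frame created by an existing page joins this instance."""
        site = site_of(url)
        self.site_instances.setdefault(site, []).append(url)
        return site

def renderers_needed(browsing_instances):
    """Process-per-site-instance: one rendering engine per site instance."""
    return sum(len(b.site_instances) for b in browsing_instances)

def site_instance_demo():
    # Constructed URLs. Window A opens a same-site popup and embeds a cross-site frame.
    a = BrowsingInstance("https://mail.example.com/inbox")
    a.open_connected("https://docs.example.com/edit")    # other origin, same site
    a.open_connected("https://widgets.example.org/ad")   # other site
    # A fresh window on the same site starts a separate browsing instance.
    b = BrowsingInstance("https://mail.example.com/inbox")
    return a, b, renderers_needed([a, b])
```

Two pages with different origins (mail and docs) land in one site instance, while the same URL opened in a fresh window gets its own.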


Web Programs Identification 5/5


Execution Model
- Web program execution = Page Rendering + Script execution
- Site instance:
  - Single address space for all web objects and web components
  - Single thread of execution
  - Pages within the same site instance can access each other (Coarse Granularity)
  - Avoid concurrent DOM modifications


Browser Architecture 1/4

Rendering engine
- One for each instance of a web program
- Parses, renders and executes web programs
- Single thread for rendering and script execution


Browser Architecture 2/4

Browser kernel
- Contains all shared capabilities and resources:
  - Storage functionality: cookies, cache, history
  - Network stack
  - Logic for managing the browser’s user interface


Browser Architecture 3/4

Plug-ins
- Is the process responsible for running browser plug-ins
- Prevents plug-ins from causing crashes in web program instances


Browser Architecture 4/4


Chromium’s Implementation

“monolithic” mode:
- Load all the components in a single process
- Supported

Process-per-Site-Instance
- Creates a separate renderer process for each site instance
- Provides the best isolation
- Default process mode
- Not fully implemented


Implementation’s limits
- New processes are created only when the user explicitly expresses it (new tab, etc.)
- Navigations initiated within a page are handled by the same process
- Frames and their parents are rendered in the same process
- Limit to the number of processes that can be created (20 processes)
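A toy model of the four limits listed above, showing which renderer processes end up hosting more than one site. This is an added example, not Chromium's code: the class and method names and the site strings are constructed, and the behaviour once the cap is reached (reusing an existing process, picked round-robin here) is an assumption, since the slide only states the limit.

```python
class RendererModel:
    """Process assignment following the limits on the slide (illustrative only)."""

    def __init__(self, cap=20):           # 20 is the limit stated on the slide
        self.cap = cap
        self.renderers = []               # renderers[pid] = set of sites it hosts
        self._next_reuse = 0

    def open_tab(self, site):
        """User-initiated action: gets a new process until the cap is reached."""
        if len(self.renderers) < self.cap:
            self.renderers.append({site})
            return len(self.renderers) - 1
        # Assumption: past the cap an existing process is reused (round-robin).
        pid = self._next_reuse % self.cap
        self._next_reuse += 1
        self.renderers[pid].add(site)
        return pid

    def load_in_existing(self, pid, site):
        """In-page navigations and child frames stay in the process they came from."""
        self.renderers[pid].add(site)
        return pid

    def shared(self):
        """Processes hosting more than one site, i.e. where isolation does not hold."""
        return {pid: sorted(sites)
                for pid, sites in enumerate(self.renderers) if len(sites) > 1}

def co_residency_demo():
    # Constructed session; the cap is lowered to 2 so the reuse path is visible.
    m = RendererModel(cap=2)
    m.open_tab("https://mail.example")
    news = m.open_tab("https://news.example")
    m.load_in_existing(news, "https://ads.example")     # frame inside the news page
    m.load_in_existing(news, "https://blog.example")    # link clicked in the news page
    m.open_tab("https://shop.example")                  # cap reached: reuses process 0
    return m.shared()
```

Running `co_residency_demo()` reports both processes as shared, which is the gap the Remarks slide points at.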


Evaluation 1/6

Methods
- Comparison between monolithic mode and process-per-site-instance mode

Results:
- Fault tolerance: simulation of a crash
  - Monolithic mode: loss of the entire browser
  - Process-per-site-instance mode: loss of a single rendering engine


Evaluation 2/6

- Accountability: User can track CPU usage, memory consumption and network usage of each instance
- Memory management: Multi process architecture reclaims the memory more quickly after an offending window is closed


Evaluation 3/6

Responsiveness
- Test the delay between a right click and the display of the context menu, while loading web pages.
- Significant delays in the monolithic architecture
- Delays are almost absent in the multi process architecture


Evaluation 4/6

Speedup: when restoring a session


Evaluation 5/6

Latency


Evaluation 6/6

Memory overhead


Chrome’s extension model
- Extension = Manifest and one or more HTML pages, JavaScript files or other files
- Has a “background” page:
  - Invisible page containing the main logic of the extension
  - Runs in the extension process, exists for the lifetime of your extension
  - One instance is active at a time
  - All of the extension's pages execute in the same process
  - A script cannot modify the DOM of its parent background page


Remarks

- No comparison with other browsers, especially IE8 since it is mentioned in the paper
- The goal of isolating web programs is not fully fulfilled: different sites use the same rendering process unless it is explicitly specified by the user


Questions???