
The Multi-Principal OS Construction of the Gazelle Web Browser

Helen J. Wang*, Chris Grier†, Alexander Moshchuk‡, Samuel T. King†, Piali Choudhury*, Herman Venter*

*Microsoft Research, †University of Illinois at Urbana-Champaign, ‡University of Washington

{helenw,pialic,hermanv}@microsoft.com, {grier,kingst}@uiuc.edu, anm@cs.washington.edu

Abstract

Original web browsers were applications designed to view static web content. As web sites evolved into dynamic web applications that compose content from multiple web sites, browsers have become multi-principal operating environments with resources shared among mutually distrusting web site principals. Nevertheless, no existing browsers, including new architectures like IE 8, Google Chrome, and OP, have a multi-principal operating system construction that gives a browser-based OS the exclusive control to manage the protection of all system resources among web site principals.

In this paper, we introduce Gazelle, a secure web browser constructed as a multi-principal OS. Gazelle's browser kernel is an operating system that exclusively manages resource protection and sharing across web site principals. This construction exposes intricate design issues that no previous work has identified, such as cross-protection-domain display and events protection. We elaborate on these issues and provide comprehensive solutions.

Our prototype implementation and evaluation experience indicates that it is realistic to turn an existing browser into a multi-principal OS that yields significantly stronger security and robustness with acceptable performance.

1 Introduction

Web browsers have evolved into a multi-principal operating environment where a principal is a web site [43]. Similar to a multi-principal OS, recent proposals [12, 13, 23, 43, 46] and browsers like IE 8 [34] and Firefox 3 [16] advocate and support programmer abstractions for protection (e.g., in addition to