MS Publishes Papers For a Modern, Secure Browser
V!NCENT writes with an excerpt from a new publication by Microsoft:
"As web sites evolved into dynamic web applications composing content from various web sites, browsers have become multi-principal operating environments with resources shared among mutually distrusting web site principals. Nevertheless, no existing browsers, including new architectures like IE 8, Google Chrome, and OP, have a multi-principal operating system construction that gives a browser-based OS the exclusive control to manage the protection of all system resources among web site principals. In this paper, we introduce Gazelle, a secure web browser constructed as a multi-principal OS. Gazelle's Browser Kernel is an operating system that exclusively manages resource protection and sharing across web site principals."
Here's the full research paper (PDF).
Principle. Principal. ?? WTF?
...have to be this complicated?
Swedish plasma phys. PhD student; MSc EE; knows maths, programming, electronics; finance interest; seeks opportunities
It has changed my life and made me happy. Please mod me informative or insightful. Thank you.
I was told my browser can't be trusted to read PDF files.
This issue is a bit more complicated than you think.
I am disappointed, Microsoft!
Why is the part "among web site principals." on its own line? Can't Microsoft even do simple paragraphs right?
This might be a good idea, but seeing that this is coming from Microsoft, I'll just play it safe and avoid this technology at all cost.
I don't think I'll be rushing to buy tickets on this boat.
Free Software: Like love, it grows best when given away.
If you can't secure your basic OS, why exactly do you expect me to believe, or in fact even read a paper you wrote about a domain in which you absolutely suck?
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
Grammar problems aside, TFA blurb is difficult to read and talks about MS offering a web browser that is an OS Kernel.... that is secure... and backward compatible!
I can only conclude that this website has been hacked, and this is a huge joke. Seriously, this sounds like the MS PR machine trying to pour salt directly in the wounds of the board members, or this was written by a person suffering delirium after being hit in the head by a flying chair. Well, perhaps it's just the MS Marketing department trying reverse psychology?
In any case, it's rather surreal to read those words.
I'm off to check that there are no foreign substances in my coffee.
Support NYCountryLawyer RIAA vs People
ActiveX probably.
Hey J.delanoy, Raul654, RexNL and $pacebirdy, you have been citation needed on reference 19!
Willy on Haggers, telling the wikitruth since August 20 2004!
"In this paper, we introduce Gazelle, a secure web browser constructed as a multi-principal OS. Gazelle's Browser Kernel is an operating system that exclusively manages resource protection and sharing across web site principals"
Is this similar to Google's Chrome and its ability to run native x86 code, and what's Microsoft's definition of 'multi-principal', and is a working copy of Gazelle out yet?
A browser runs IN an OS, not the other way 'round, despite the blurring of app and kernel in MS-land. If you're talking about a browser-based UI, or an "operating environment" like Windows used to have the decency to call itself, that's another story.
I want to delete my account but Slashdot doesn't allow it.
Now if only they could make one!
Stick a full VM into the browser. Problem solved. Except of course for the huge resources needed to view even the simplest of pages.
The entire push over the last few years toward transferring processing load back onto the client is the wrong direction in my opinion, and the browser should remain a THIN client like the original intent. Keeping it a thin client would by nature be secure.
---- Booth was a patriot ----
Thought #1:
Microsoft forced the registry, DLL hell, and ActiveX on the world when they started with the really nice VMS security model as the basis for NT.
Thought #2:
Java is an application language with structured layered protections. And Java is pretty much now an open standard and embedded in modern browsers.
Summary:
Sure the idea is right. Why don't we all just work on making Java better?
Caution:
From Microsoft this message sounds like a joke. They fought against Java and invented all that other crap that led to the creation of the virus protection industry. If they had done it right 10 years ago we would not be here now.
IS the one to put out a paper outlining guidelines for any secure software. We have decades of safe computer use and internet surfing to thank them for.
Read radical news here
"Browser Kernel runs in a separate OS process, directly interacts with the underlying OS, and exposes a set of system calls for browser principals. We draw the isolation boundary across the existing browser principal defined by the same-origin policy (SOP) [34], namely, the triple of , using sandboxed OS processes"
Run the OS in a separate process using a restricted set of system calls, sandboxed from the rest of the system. In other words, don't do what we did with Internet Explorer and embed it into the core OS kernel.
... that guy?
Any sufficiently advanced intelligence is indistinguishable from stupidity.
In other news Fannie Mae publishes a paper on financial stability, Congress publishes a paper on honesty in politics and Dick Cheney publishes a paper on foreign policy and diplomacy.
Ah, Microsoft research papers! The fine art of embracing, extending and extinguishing the dictionary, one word at a time.
Run the browser in X without a Window Manager. That's as secure as you're going to get right now.
The network is not trusted. Trust no one. As soon as you start building assumptions of trust of remote systems outside of your sphere of control into your model for operations to perform on the local machine, you're doing it wrong.
This is bot.NET: a system and method for pre-organizing zombie nodes for rapid assimilation by preparing trusted malware transmission vectors.
Chrome is the best thing out there, and the only thing that has actually been done. Of course it kinda defeats the point when you are sending everything back to the mothership The Google, but if you use SRWare Iron (a recompiled version with all the privacy stuff taken out) you're a bit better off. (Of course this is still sans important features non-existent in Chromium like cookie permissions, script permissions, etc., that exist much better in Firefox.)
First, Microsoft is saying that their own OS is not secure and that using the OS user sandbox is not secure, which it may be for Windows but isn't for other OS's.
Second, Microsoft is saying that they have to put this in the kernel, which is to everybody's disadvantage. From a security standpoint 1) it makes bugs in the application kernel bugs, 2) it makes it where you can't turn it off and go to, say, a more secure browser, 3) it means more kernel bloat. Then from a user standpoint it just means more incompatibilities between Microsoft's browser and a complete loss of choice.
Microsoft can go ahead and say its user model is broken, but that doesn't mean it doesn't work in other operating systems. Chromium is a quite decent model, and its only weaknesses are 1) it offers no protection from cookies, and actively gives information to The Google, 2) it can't work with plugins; for the same reason Firefox can't control the permissions of Flash cookies, Chromium can't control plugins either, it's the way they are designed. Hopefully the element and HTML5 element are adopted and it becomes possible again to browse without ugly plugins.
"Process models 1 and 2 of Google Chrome are insecure since they don't provide memory or other resource protection across multiple principals in a monolithic process or browser instance. Model 4 doesn't provide failure containment across site instances [32]."
"Google Chrome's process-per-site-instance model is the closest to Gazelle's two processes-per-principal-instance model, but with several crucial differences: 1) Chrome's principal is site (see above) while Gazelle's principal is the same as the SOP principal"
"Chrome's decision is to allow a site to set document.domain to a postfix domain (ad.socialnet.com set to socialnet.com). We argue in Section 3 that this practice has significant security risks. 2) A parent page's principal and its embedded principals co-exist in the same process in Google Chrome, whereas Gazelle places them into separate processes"
"Tahoma doesn't provide protection to existing browser principals. In contrast, Gazelle's Browser Kernel protects browser principals first hand"
Classic bait and switch: compare Chrome running on Windows to Gazelle running on some imaginary secure other OS. MS memo: Google's Chrome is eating our lunch, quick, rush out a 'research paper' trashing it, and pretend Chrome is playing catch-up with Gazelle. Like, if Chrome was so bad, then why expend time criticizing it?
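An added illustration, not code from the Gazelle paper or from any browser, of the two notions of "principal" in the quoted passages: the strict SOP triple that Gazelle uses as its principal, versus the document.domain relaxation to a parent domain that the paper criticises in Chrome. The function names and the simplified suffix rule are assumptions made here; real browsers also consult the public suffix list before accepting a document.domain assignment.

```javascript
// Added example (assumptions: helper names and the simplified suffix rule).
// Models a browser principal as the same-origin-policy triple
// (scheme, host, port) and contrasts it with a document.domain relaxation
// that lets a subdomain widen its principal to a parent domain.

function principalOf(url) {
  const u = new URL(url);
  const defaultPorts = { 'http:': '80', 'https:': '443' };
  return {
    scheme: u.protocol,                             // e.g. 'http:'
    host: u.hostname,                               // e.g. 'ad.socialnet.com'
    port: u.port || defaultPorts[u.protocol] || '', // URL drops default ports
  };
}

// Strict SOP principal comparison: all three components must match.
function sameStrictPrincipal(urlA, urlB) {
  const a = principalOf(urlA), b = principalOf(urlB);
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Simplified document.domain rule (assumption; real browsers also check the
// public suffix list): a page may only set document.domain to its own host
// or to a dot-separated suffix of it with at least two labels.
// Returns the effective domain, or null when the assignment is rejected.
function relaxDomain(host, requested) {
  if (requested.split('.').length < 2) return null; // no bare TLDs
  if (host === requested) return requested;
  return host.endsWith('.' + requested) ? requested : null;
}

// Once both documents have set document.domain, access is granted when the
// effective domains and schemes match; the port is no longer compared.
function sameRelaxedPrincipal(urlA, domainA, urlB, domainB) {
  const a = principalOf(urlA), b = principalOf(urlB);
  const da = relaxDomain(a.host, domainA);
  const db = relaxDomain(b.host, domainB);
  if (da === null || db === null) return false;
  return a.scheme === b.scheme && da === db;
}

// Constructed sample origins, mirroring the paper's ad.socialnet.com case.
const AD = 'http://ad.socialnet.com/banner';
const MAIN = 'http://www.socialnet.com/profile';

// Under the strict triple (Gazelle's principal) the two never share a principal.
const strictShared = sameStrictPrincipal(AD, MAIN);  // false

// After both relax to socialnet.com, the ad frame and the main page share one
// principal, so the main page's DOM becomes reachable from the ad frame.
const relaxedShared = sameRelaxedPrincipal(AD, 'socialnet.com',
                                           MAIN, 'socialnet.com');  // true

// Bounds on the relaxation: an unrelated host cannot join, and nobody can
// relax down to the bare TLD.
const outsider = relaxDomain('evil.example', 'socialnet.com');  // null
const tld = relaxDomain('ad.socialnet.com', 'com');             // null

console.log({ strictShared, relaxedShared, outsider, tld });
```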
After what? 25 years of practicing and beta testing, Microsoft has finally drawn up a white paper on a "secure browser" ?? WTF?!?!?! MS should just send the bastards responsible for Internet Explorer to school at Google, Opera, Firefox, Aurora, Konqueror, etc.......
"Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
There was a recent article in Wired magazine in which the newest CEO was interviewed (by a reporter that seemed a bit too awestruck by the man, imho). In any case, the article was entitled something like 'How will turn MS around'. I'm sure you could find it on Wired.com with a search if you looked.
In any case, they spoke a fair amount about MS's new plan to make a future OS that functions "within the cloud". The main idea was that the OS would not be a thing native to the machine it was being run on, but instead something that was provided by a link to 'the cloud' (read: internet).
I thought it was pretty foolish at the time, much like many of the PC games' DRMs demanding a link to the net. I know more than a few people that refused to buy Half-Life 2 for that reason, and only that reason (the thought of a lack of replayability in, say, 10 years' time due to lack of server support). I'm wondering if this news is MS's first public step towards that end.
It would be great, too. Losing the vast majority of the usefulness of your PC to a freak storm that takes down your internet connection or a mistake by your ISP. And how would that tax the already 'clogged intertubes'. And this whole net-neutrality thing suddenly gets murkier... so many crazy things that I'm sure are just drawing the rest of us to cherishing such a move.
And to top it off it would force people to continue to either rent an OS or even upgrade, as the OS would be an MS server, not a product. No more "Vista? No thanks" arguments in the future...
given that the "browser" is doing everything that you can also do with desktop widget UI toolkits, why is it so hard to appreciate that you need the full range of OS technology to support that desktop?
I could see a case for it. I could also see a case for doing it WITHOUT modifying the full range of OS technology. Why is it so hard to see that a secure browser could be done using existing operating systems?
sorry, i assumed it would be clear. applications running within the browser are becoming more like _real_ applications - _real_ "desktop" applications, especially with downloadable-executable-code ("plugins" such as Adobe's) having been thrown into the mix.
and you have multiple "applications" running simultaneously.
therefore, you have security implications, application stability implications, and much more [i recently had firefox crash out-of-memory on linux, and i have 2gb of ram and 3gb of swap space].
therefore, you need to start looking at isolating the applications from each other, whilst also allowing them access across a common API to a central set of protected resources (screen, keyboard, mouse, other devices, memory, networking), to be able to communicate across that boundary without impacting any other applications or the central resource management layer itself.
and i think you'll find that if you look closely, that's pretty much the definition of an OS.
so, working from the requirements - the expectation that good, hostile, rogue or simply badly designed applications all need to be given a chance to run, you arrive naturally at the rather unfortunately-logical conclusion that the only decent way to fulfil the requirements is with an actual full-blown operating system.
to believe that anything else can fulfil the requirements, to provide multi-tasked application stability and security, really is sheer delusion, or is... like... expecting a 1980s apple mac OS with a 68000 CPU and no Virtual Memory support, to be "secure". ... actually, there _is_ one other possibility: Security-Enhanced Linux (specifically, the FLASK security model behind SE/Linux). and we know what people think of _that_, despite SE/Linux being incredibly good at its job.
Microsoft has to have something to sell, and as they have in the past, selling you *another* OS is not out of the question.
And even if they are not new-product ready and profitable, I think it would be even more financially urgent to attempt adding complexity to the current technology mix to hold them over until they do. New browser, methods, new development envs., IDE's, New Serverxxx w/extensions, SPs, patches, everything that keeps their juggernaut running.
The Virtual Machine!! What's the patent number on this one?
Pain is merely failure leaving the body
no, see my earlier posting on this subject: the use of Security Descriptors and potential checking against the PDC is what makes process creation expensive, which then makes _thread_ creation so cheap in NT, by comparison. ... you can't really secure threads from each other, so why bother, basically, was the general attitude that can clearly be seen to have been taken.
i always wanted to write my own desktop, like webos or the example/demo that comes with extjs, using browser-based technology. then i can throw away all the silly desktops i never liked anyway, and run all my applications from inside the web browser. and, because i know that the browser technology is actually an OS, i know it's secure and also will have process-separation so that one app crashing won't take out my entire quotes browser quotes. hooray!
Linux threads were relatively heavyweight in early implementations, just about as much so as processes; the current implementation is much lighter weight. So some books still floating around contain that info, since it used to be true.
A sort of separate issue is that, for a variety of reasons, most Linux distros on x86 ship with a default 8MB pthread stack size, which is fairly high--- spawning a mere 50 threads gets you a nice 400MB of control stacks. You can set the stacksize smaller with pthread_attr_setstacksize, and the unused parts of those stacks can mostly live harmlessly in non-resident virtual memory, but it still makes threads seem heavier weight than they ought to seem.
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
It's a cookbook!
Stick a full VM into the browser. Problem solved. Except of course for the huge resources needed to view even the simplest of pages.
The entire push over the last few years to transferring processing load back onto the client is the wrong direction in my opinion, and the browser should remain a THIN client like the original intent. Keeping it a thin client by nature would be secure.
noooo, nonono can do - yes it would be secure, but times have changed _drastically_. what's happened is that as the desktop wars got ridiculous (and i don't just mean between different OSes, i also mean between win95, xp and up), people simply moved to the browser itself to provide access to applications. all the talk of "ubiquitous computing" has actually _happened_.
and, as the expectations of web infrastructure got ever greater, that original "thin client" architecture began to look... well... thin! so along came flash, and javascript, and god help us java, and then AJAX, and then GWT and Pyjamas which _really_ make it clear that the browser really _is_ just another "widget set" like Python-QT4, Python-GTK2 or Java Swing, and somewhere rather unfortunately along the line silverlight got added to the mix.
and once you're down this road, there really is no turning back. you're now running complex comprehensive applications such as gmail.com, google apps and WebOS and i do _mean_ applications side-by-side in the same "space" and it's just getting too much for the poor little browsers, which were never designed to act as "operating systems".
so i think what we're seeing here is the recognition of the fact that browsers have to become what OSes were designed to do, because browsers are now taking over from what OSes were _supposed_ to be doing, because everyone's moving inexorably to online interaction, now, instead of "isolated desktop".
so is anyone _really_ surprised that the solutions proposed are to use tried-and-tested proven technology, just moving it to where the focus has gone? current browser technology can be compared to OS technology of the Windows 1.0, GEM/DOS and early Mac era!
...but hey, instead of saying 'we are doing this' or 'we are doing that', how about just doing it? If they are right, they go sell the product; if they are wrong, just forget about it...
I believe in facts, not in words. We all have heard them stating that 'Microsoft claims Vista is more secure than OS X and Linux...' or 'Microsoft launched its Trustworthy Computing initiative in 2002...'
Cut the crap. Do it instead of saying that you are doing it. The thing is that nowadays, Microsoft is a company that stands out for things other than innovation and the like... Go do it and do it well.
"Actually, Sun essentially forced MS to fight against Java by not letting MS devs take the idea and run with it"
The historical record paints a different picture:
"Microsoft has no choice, we must seize control [of] the Java platform", Sep 4 1995
"I think the path we were going down of building on AWT was a sure disaster - It was creating a situation where pure 100% Java applications would look just as good as pure Windows applications which we have to avoid", Bill Gates Jan 1997
"How do we wrest control of Java away from Sun?", Ben Slivka April 1997
"I am hard core about NOT supporting JDK 1.2", Bill Gates May 1997
"A browser runs IN an OS, not the other way 'round"
:)
Why not, they pioneered the concept of an OS running on top of the GUI, didn't they?
They're publishing a paper on what Firefox is.
OMG!, what's next? ideas for a secure OS?
Well, when I was in High School, my Principal had principles.....
I am not a robot. I am a unicorn.
This, boys and girls, is what happens when one starts with a shitty OS and tries to make up for it in the browser (a la IE) or in the virtual machine (a la JVM).
An OS with a solid security model doesn't require all of these kludges. The sad reality is that the three dominant OSes in use considered security an afterthought, and yes that includes UNIX.
I'm going to sound like an old fogie, but back in my day anyone could bring down an entire Unix system by simply typing the right stty combination, or one could write to any screen (wall) without being a superuser. How's that for proof that Unix wasn't designed with security in mind? ACLs (long overdue) are only now being implemented, just about three decades late.
Yes, this post bashes windows *and* unix/linux. Mod me down, I don't care.
...will it run on Linux?
I won't take this paper with a grain of salt. MS has been out of touch with reality since 95.
Can't wait to read it! I've heard Microsoft is the foremost authority on secure software.
Am I the only one to see the irony of a "paper" about a "browser" that's in PDF format?
1. Run IE under Wine (chmod it read-only if you want to).
2. Use a VMware image with IE in it that is read-only.
A paper from Microsoft talking about browser security? Please, I can't take this seriously... Microsoft is really losing credibility on everything, finally; this is really awesome!
Bah, I can do it too!
Multi principal OS -gazelle
Google returns zero meaningful articles. I'm not inclined to dig into an article that the editor was too lazy to translate into English. It is probably something like multi-threaded anyway...
The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
Look at Delphi. =)
Oh, how convenient: a theory about God that doesn't involve looking through a telescope.
The metadata of gazelle.pdf ( full research paper ) reads:
Creator: TeX output 2009.02.19:1213
Producer: dvipdfm 0.13.2d
Oops... what happened with Office 2007, boys? Ask for your free copy!
--omz
Look, I hate IE6 as much as the next developer, but it's important to recognize the difference between the thought process that goes into making commercial products and making new tech ideas. MS figured out how to make the most money they could off technology. They are (were?) damn good at that.
But despite all the seemingly stupid tech decisions they've made on many consumer products they still have some brilliant people working for them, especially in R&D. I have a hard time thinking that the PhDs doing research for Microsoft are unaware of the mistakes/limitations of IE (in all its forms). Yes, the funding for this research comes from Windows and Office, but it has more of a chance of seeing the light of day than something done in a strictly academic environment.
For better or worse, MS is going to try to do whatever is going to be best for MS. Hopefully the big brains that they have at their disposal will be able to make a good commercial case for better ideas so that the general public can reap their benefits.
Steal my band's record! Seriously,
with IE removed.
And HTML Help can be rendered by HTML engines. Or not rendered at all if you don't click on the "Help" button.
We don't want one that crashes and leaks memory all the time. I mean the effing browser requires more memory than the entire operating system.
We have MS fanbois then? After all the flops of the last 2 years?
Read radical news here