Slashdot Mirror

← Back to Stories (view on slashdot.org)

MS Publishes Papers For a Modern, Secure Browser

Posted by Soulskill on from the new-and-different dept.

V!NCENT writes with an excerpt from a new publication by Microsoft: "As web sites evolved into dynamic web applications composing content from various web sites, browsers have become multi-principal operating environments with resources shared among mutually distrusting web site principals. Nevertheless, no existing browsers, including new architectures like IE 8, Google Chrome, and OP, have a multi-principal operating system construction that gives a browser-based OS the exclusive control to manage the protection of all system resources among web site principals. In this paper, we introduce Gazelle, a secure web browser constructed as a multi-principal OS. Gazelle's Browser Kernel is an operating system that exclusively manages resource protection and sharing across web site principals." Here's the full research paper (PDF).

5 of 296 comments (clear)

  1. Dear MS, by BitZtream · · Score: 5, Insightful

    If you can't secure your basic OS, why exactly do you expect me to believe, or in fact even read a paper you wrote about a domain in which you absolutely suck?

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
  2. Re:Does it really by obarthelemy · · Score: 5, Insightful

    Basically, since the browser already runs on top of an OS, the surprising thing is that they want to reimplement another OS within the browser.

    I assume that OS could run a browser which could run an OS which could... Do we really want that ? Why ?

    --
    The Cloud - because you don't care if your apps and data are up in the air.
  3. Re:Princi-what? by Hurricane78 · · Score: 5, Insightful

    No. They tried to murder them for power. Pure power. IE was the one browser to rule them all.
    Fortunately they were too stupid to do anything useful with that power. They only saved the money to continue developing their web developer torture instrument called IE

    Luckily, then the great Mozilla rose:

    Mammon slept. And the beast reborn spread over the earth and its numbers grew legion. And they proclaimed the times and sacrificed crops unto the fire, with the cunning of foxes. And they built a new world in their own image as promised by the sacred words, and spoke of the beast with their children. Mammon awoke, and lo! it was naught but a follower.

    -- from The Book of Mozilla, 11:9 (10th Edition)

    And Java is as far from dead as possible. Sun won the lawsuit against MS, and Java is one of the most used server languages.

    I see the good of it. Without this event, there would be no Firefox, maybe no XHTML as we know it, not such a big popularity of open source software, and not the freedom of add-ins like AdBlock Plus or Greasemonkey and Firebug.

    But I do not thank Microsoft for that.

    --
    Any sufficiently advanced intelligence is indistinguishable from stupidity.
  4. Re:Princi-what? by Divebus · · Score: 5, Insightful

    And Java is as far from dead as possible.

    Only through the force of programmers who eventually detected what Microsoft was up to. Please yip in if you have experience in this era of Visual Studio 97 and Visual Studio 6.0 and what it meant to polluting Java.

    Initially, Microsoft "partnered" with Sun to embrace and develop Java. They released Visual Studio which included tools to work with Java - on Microsoft's terms. Sun quickly realized that Microsoft was targeting the Java language and the JVM for destruction and sued. Microsoft was extending Java to include Windows-only system calls, violating the agreements.

    By the next year (1998), Microsoft was ordered to stop producing tools which used Sun's Java - but they continued with their own implementation (J++) which essentially extended Java but stripped away all the cross platform functionality. That was a knife in Java as intended - write once, run anywhere. By that time too many developers were using Microsoft's tools and they went along for the ride.

    This is why so many people run the other way when Microsoft wants to get on board the Open Source bandwagon. Your throats are scheduled to be slit next.

    --

    Most of the stuff on /. won't survive first contact with facts.
  5. Re:Does it really by pyrbrand · · Score: 5, Insightful

    The main issue right now is that a given web page often displays information from separate sources. The classic example at this point is that if I want to display ads on my web page, I have to bring in content from another source, and I essentially have to trust that content not to do tricky things with JavaScript to muck with my page - you know, display obnoxious, or worse, spoof UI, scrape user data, attack a browser vulnerability, all sorts of nastiness. Ads aren't the only example of this, the same is true of mashups ala housingmaps.com etc.

    Relying on the OS is essentially what this paper is proposing as far as I can tell. They suggest that each part of a page that is relying on a different source for its content be sandboxed in its own process. However, doing this requires changes to the browser since current browsers don't do this (although Chrome and IE8 do work to isolate each tab in its own process). There are other proposals out there in the wild such as Web Sandbox discussed recently: http://tech.slashdot.org/article.pl?sid=09%2F01%2F28%2F188254&from=rss , which takes a different approach (sanitizing javascript for badness and restricting its access to the main page).