Slashdot Mirror


MS Publishes Papers For a Modern, Secure Browser

V!NCENT writes with an excerpt from a new publication by Microsoft: "As web sites evolved into dynamic web applications composing content from various web sites, browsers have become multi-principal operating environments with resources shared among mutually distrusting web site principals. Nevertheless, no existing browsers, including new architectures like IE 8, Google Chrome, and OP, have a multi-principal operating system construction that gives a browser-based OS the exclusive control to manage the protection of all system resources among web site principals. In this paper, we introduce Gazelle, a secure web browser constructed as a multi-principal OS. Gazelle's Browser Kernel is an operating system that exclusively manages resource protection and sharing across web site principals." Here's the full research paper (PDF).

7 of 296 comments

  1. Will this be Windows 9? by zappepcs · Score: 4, Interesting

    Grammar problems aside, TFA blurb is difficult to read and talks about MS offering a web browser that is an OS Kernel.... that is secure... and backward compatible!

    I can only conclude that this website has been hacked, and this is a huge joke. Seriously, this sounds like the MS PR machine trying to pour salt directly in the wounds of the board members, or this was written by a person suffering delirium after being hit in the head by a flying chair. Well, perhaps it's just the MS Marketing department trying reverse psychology?

    In any case, it's rather surreal to read those words.

    I'm off to check that there are no foreign substances in my coffee.

  2. Re:Does it really by harry666t · Score: 4, Interesting

    > process creation overhead

    Why does Windows have so much more overhead for creating processes? What is it about the Windows processes that makes them cost that much?

  3. Re:Does it really by UnderCoverPenguin · Score: 3, Interesting

    Why is it so hard to see that a secure browser could be done using existing operating systems?

    My guess would be that it is more palatable to call something completely new more secure than anything we currently have than it would be to concede a competitor is more secure (even if you are not MS).

    --
    Don't try to out weird me, three-eyes. I get stranger things than you, free with my breakfast cereal. --Zaphod Beeblebr

  4. definition of an Operating System by lkcl · Score: 5, Interesting

    why is it so hard to then imagine that, given that the "browser" is doing everything that you can also do with desktop widget UI toolkits, why is it so hard to appreciate that you need the full range of OS technology to support that desktop

    I could see a case for it. I could also see a case for doing it WITHOUT modifying the full range of OS technology. Why is it so hard to see that a secure browser could be done using existing operating systems?

    sorry, i assumed it would be clear. applications running within the browser are becoming more like _real_ applications - _real_ "desktop" applications, especially with downloadable-executable-code ( "plugins" such as adobe ) having been thrown into the mix.

    and you have multiple of "applications" running simultaneously.

    therefore, you have security implications, application stability implications, and much more [i recently had firefox crash out-of-memory on linux, and i have 2gb of ram and 3gb of swap space].

    therefore, you need to start looking at isolating the applications from each other, whilst also allowing them access across a common API to a central set of protected resources (screen, keyboard, mouse, other devices, memory, networking), to be able to communicate across that boundary without impacting any other applications or the central resource management layer itself.

    and i think you'll find that if you look closely, that's pretty much the definition of an OS.

    so, working from the requirements - the expectation that good, hostile, rogue or simply badly designed applications all need to be given a chance to run, you arrive naturally at the rather unfortunately-logical conclusion that the only decent way to fulfil the requirements is with an actual full-blown operating system.

    to believe that anything else can fulfil the requirements, to provide multi-tasked application stability and security, really is sheer delusion, or is... like... expecting a 1980s apple mac OS with a 68000 CPU and no Virtual Memory support, to be "secure". ... actually, there _is_ one other possibility: Security-Enhanced Linux (specifically, the FLASK security model behind SE/Linux). and we know what people think of _that_, despite SE/Linux being incredibly good at its job.
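The summary at the top describes Gazelle's Browser Kernel as the one component that "exclusively manages resource protection and sharing across web site principals", and the comment above spells out the same requirement from the other direction: isolate the applications from each other and let them reach shared resources (screen, network, storage) only through a common, mediated API. The following is an added example, written for this page, not code from the Gazelle paper or from anyone in the thread. It assumes that a principal is labelled by its origin, the (scheme, host, port) triple of the same-origin policy, which the page itself does not state; `principalOf`, `BrowserKernel`, the operation names and the `bank.example` / `evil.example` URLs in the scenario are all constructed for illustration.

```javascript
// Added example, not code from the Gazelle paper or from any poster in this
// thread: a toy "browser kernel" that treats each web site as a principal and
// brokers every access to shared resources (here a cookie store and display
// regions). Assumption: a principal is labelled by its origin, i.e. the
// (scheme, host, port) triple of the same-origin policy; the page only says
// "web site principals" without defining the label.

const DEFAULT_PORTS = { "http:": 80, "https:": 443 };

// Canonical principal label for a URL: "scheme//host:port", with the default
// port made explicit so "http://a.example/" and "http://a.example:80/" agree.
function principalOf(url) {
  const u = new URL(url);
  const defaultPort = DEFAULT_PORTS[u.protocol];
  if (defaultPort === undefined) throw new Error(`unsupported scheme in ${url}`);
  const port = u.port === "" ? defaultPort : Number(u.port);
  return `${u.protocol}//${u.hostname}:${port}`;
}

class BrowserKernel {
  constructor() {
    this.cookieJars = new Map();    // principal -> Map(name -> value)
    this.displayOwners = new Map(); // region id -> owning principal
    this.audit = [];                // every decision, for inspection
  }

  // Single entry point for resource access. The principal is derived by the
  // kernel from the URL of the page making the request; a page cannot name a
  // different principal on its own behalf.
  request(pageUrl, op, args = {}) {
    const principal = principalOf(pageUrl);
    const result = this.decide(principal, op, args);
    this.audit.push({ principal, op, ok: result.ok });
    return result;
  }

  decide(p, op, args) {
    switch (op) {
      case "setCookie": {
        if (!this.cookieJars.has(p)) this.cookieJars.set(p, new Map());
        this.cookieJars.get(p).set(args.name, args.value);
        return { ok: true };
      }
      case "getCookies": {
        // Cookies are handed out only to the principal that owns them.
        if (principalOf(args.forUrl) !== p) {
          return { ok: false, reason: "cross-principal cookie read denied" };
        }
        const jar = this.cookieJars.get(p) || new Map();
        return { ok: true, cookies: Object.fromEntries(jar) };
      }
      case "claimDisplay": {
        const owner = this.displayOwners.get(args.region);
        if (owner !== undefined && owner !== p) {
          return { ok: false, reason: "display region owned by another principal" };
        }
        this.displayOwners.set(args.region, p);
        return { ok: true };
      }
      case "draw": {
        // Only the owner of a region may paint into it, so one site cannot
        // overlay or clobber another site's pixels.
        if (this.displayOwners.get(args.region) !== p) {
          return { ok: false, reason: "not the owner of this display region" };
        }
        return { ok: true };
      }
      default:
        return { ok: false, reason: `unknown operation ${op}` };
    }
  }
}

// Constructed scenario: a bank page sets a session cookie and claims a display
// region; a page from another site, composed into the same browser, tries to
// read the cookie and to draw over the bank's region.
function scenario() {
  const kernel = new BrowserKernel();
  kernel.request("https://bank.example/login", "setCookie", { name: "session", value: "s1" });
  kernel.request("https://bank.example/account", "claimDisplay", { region: "main" });
  const steal = kernel.request("https://evil.example/ad", "getCookies", { forUrl: "https://bank.example/account" });
  const overlay = kernel.request("https://evil.example/ad", "draw", { region: "main" });
  const own = kernel.request("https://bank.example/account", "getCookies", { forUrl: "https://bank.example/api" });
  return { steal, overlay, own, audit: kernel.audit };
}

console.log(JSON.stringify(scenario(), null, 2));
```

The point the toy makes is the one in the summary: the pages never hold the cookie jar or the framebuffer themselves, they only hold a reference to the kernel, and the kernel decides every access using a principal label it computed itself. A real browser kernel would put each principal's page in its own OS process with no direct access to these resources at all, so that a compromised renderer still has to go through the same `request` boundary.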

  5. Re:Does it really by Anonymous Coward · Score: 3, Interesting

    No, Mach had two problems.

    First and foremost, messages were not idempotent, and while the system allowed for reentrancy, it did not allow for at-most-once processing of multiple identical messages. Among other things this complicated locking and diminished locality of reference, which has grown important in the presence of hierarchical memories and non-uniform access times in multiprocessor systems and clusters.

    This problem is fundamental and architectural in Mach, but it is not fundamental to message-passing microkernel architectures in general.

    Darwin 8, for example, explicitly considers cache hierarchies and NUMA, in part because at the time of Mac OS X 10.4, essentially every computer Apple was selling was dual-processor, and the high end was shipping shared L2 caches (rather than just shared main memory).

    Mach also had a very narrow trust boundary that did not scale very well. Rights propagation should have been distributed as much as possible, taking lessons from Kerberos. Persistence of trust is important to avoid the constant recalculate & compare access rights system in Mach.

    A number of these problems were fixed in Darwin 9, and previews of Darwin 10 suggest a great deal of thinking has gone into "third-party-introduction" rights acquisition distribution (which is also handy for Grand Central and clustering generally), as well as some ideas from Mach 4.

    I would be highly skeptical that Microsoft has found a way around the performance problems that the Mach people missed.

    1. This is about Microsoft Research. Neat ideas, no productization, less cutthroatery.

    2. MSR has half of the Mach team in it (the other half is at Apple or has retired from there). Rashid, for example, admits mistakes and tries to learn from them. Tevanian followed "great artists ship" directives, and Darwin 9 / Mac OS X 10.5 has evolved into something with superior scaling properties to earlier versions of Mac OS X (10.0, 10.1, 10.2...). No doubt MSR's microkernel research people have checked out the open source and otherwise published work by their former colleagues at Apple. (They seem to use MacBook Pros running Mac OS X in public a lot!)

    Back to the main idea. It's kinda neat: each web site becomes a user with separate privileges from all the others, and different from the user who started the browser. This should prevent "home invasion" attacks at the very least, and assuming sensible defaults are placed on permissions owned by the browser-starting user, her or his files should be safe from malicious accesses.

    If this does not impose a burdensome slowdown on "power users" hopefully MS's idea will be implemented by someone. MSR ideas are often unlikely to be implemented by MS, however...

    Finally, your parent wrote:

    Using separate processes to render content on a single page causes significant latency due to process creation overhead.

    But exactly this kind of thing (multiple processes owned by possibly mutually-hostile users drawing on a shared screen) is normal in many operating environments.

  6. Re:Princi-what? by hairyfeet · Score: 3, Interesting

    While I have no doubt that MSFT and their anti competitive practices helped, as someone who lived through the era let me shed a little light. Netscape 4 was BAD. As in terrible, horrible, giant pile o' suck, Mr. Crashy, etc. A lot of folks, myself included, who had happily bought Netscape jumped ship to IE over Netscape 4. While IE wasn't great at the time it stomped Netscape.

    Which is one of the things I simply love about free software and Windows today. Now if one company puts out a pile of suck we actually have choices. In my family alone the breakdown is thus: Myself=Firefox, My Mom=Seamonkey, My Sis=K-Meleon (those on Windows that want a super fast browser should try it), My oldest boy=Opera, and my youngest=Flock. We are no longer trapped in the "either or" which we had during the days of Netscape. So while making MSFT bundle alternatives alongside IE might help speed things up, I honestly believe that the days of IE dominance are waning. More and more of the machines being brought into my shop have one of the above browsers installed.

    In fact, oddly enough the one I've been seeing the most growth in lately hasn't been Firefox but Seamonkey. Apparently the word has begun to spread through the older folks that Seamonkey is a "good" version of Netscape suite, which it turns out a lot of folks still have a soft spot for. That is the great thing about having all this choice in the market: everyone can choose what works best for them as opposed to what some company thinks is best. Although I do find it humorous that none of the old folks actually call it Seamonkey. They all are just like my mom and call it "the blue bird" as in "my friend Janice has this blue bird that lets her go to Yahoo and download her email too. Can you give me the blue bird and how much does it cost?".

    So while I'm sure MSFT shares SOME of the blame, if Netscape 4 wasn't such a train wreck they would probably still be around. But then again AOL could be given a magic money machine and find a way to fuck it up, so who knows.

    --
    ACs don't waste your time replying, your posts are never seen by me.

  7. Re:Princi-what? by ozphx · Score: 3, Interesting

    Events/delegates do exactly what they are intended to do. They do not attempt to hide the fact that they reference the subscriber. If you are finding this an issue I suggest you take a look at IDisposable, finalizers or weak events.

    Don't think you can just pick up a tool and bang out code with a silly monkey grin on your face without understanding how it works.

    LINQ is a nice syntax. Beats a load of "new SomePredicate(left, right)". Of course this is not going to stop a bunch of newbies picking it up and not understanding how it works.

    If you are hiring a bunch of nubs, then I suggest you put up a big "CHECK ACCESS TO MODIFIED CLOSURES" poster.

    An increase in expressiveness in the language is a good thing. It doesn't magically mean that less skilled devs can suddenly churn out complex bug-free software without knowing what the hell they are doing though...

    --
    3laws: No freebies, no backsies, GTFO.
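The comment above names two C# pitfalls: event subscriptions that keep the subscriber alive, and closures that capture a variable which is later modified ("access to modified closure"). Both have an exact analogue in JavaScript, and the following is an added example in that language, not code from the poster; it uses a small `Emitter` class, the `subscriberDemo` scenario and the `handlersCapturing*` functions, all constructed here for illustration. The unsubscribe function that `on` returns plays the role of the `IDisposable` cleanup the comment mentions.

```javascript
// Added example, not code from the thread: the "access to modified closure"
// pitfall and the subscriber-retention pitfall from the comment, shown in
// JavaScript rather than C#. Names here are constructed for illustration.

// Pitfall 1: a closure captures the variable, not its value at the time the
// closure was created. With `var` there is one function-scoped `i`, so every
// handler observes the final value after the loop has run.
function handlersCapturingVar() {
  const handlers = [];
  for (var i = 0; i < 3; i++) {
    handlers.push(() => i);
  }
  return handlers.map((h) => h()); // every handler sees the same, final i
}

// Fix: `let` gives each loop iteration its own binding of `i`, so each
// handler keeps the value from its own iteration.
function handlersCapturingLet() {
  const handlers = [];
  for (let i = 0; i < 3; i++) {
    handlers.push(() => i);
  }
  return handlers.map((h) => h());
}

// Pitfall 2: an emitter holds a strong reference to every handler, and each
// handler closes over its subscriber, so a subscriber that never unsubscribes
// lives as long as the emitter does. `on` returns an unsubscribe function,
// the analogue of the IDisposable cleanup the comment points at.
class Emitter {
  constructor() {
    this.handlers = new Set(); // insertion-ordered, so emit order is subscription order
  }
  on(fn) {
    this.handlers.add(fn);
    return () => this.handlers.delete(fn);
  }
  emit(x) {
    for (const h of this.handlers) h(x);
  }
  size() {
    return this.handlers.size;
  }
}

// Constructed scenario: three subscribers attach; the middle one disposes its
// subscription, the other two are retained by the emitter indefinitely.
function subscriberDemo() {
  const emitter = new Emitter();
  const log = [];
  const disposers = [];
  for (let n = 0; n < 3; n++) {
    const sub = { id: n, payload: new Array(1024).fill(n) }; // stands in for a heavy subscriber object
    disposers.push(emitter.on((x) => log.push(`${sub.id}:${x}`)));
  }
  emitter.emit("ping");
  const retainedBeforeDispose = emitter.size();
  disposers[1](); // subscriber 1 cleans up after itself
  emitter.emit("pong");
  return { retainedBeforeDispose, retainedAfterDispose: emitter.size(), log };
}

console.log(handlersCapturingVar(), handlersCapturingLet(), subscriberDemo());
```

The security-relevant reading of the first pitfall is that a handler built in a loop may act on a different record, permission or request than the one the author intended, and the compiler will not complain; the second is that long-lived event sources are a quiet way to keep sensitive objects (sessions, buffers, credentials) reachable long after the code that owned them has finished.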