Microsoft Research Showcases New Browser Prototype, "Gazelle"

Ars Technica reports that Microsoft has opened up about "Gazelle," a new browser prototype of theirs that is modeled after the underlying concepts of operating system design. "A research team led by Microsoft's Helen Wang recently published a report about an experimental browser prototype called 'Gazelle' that uses processes to isolate page content elements originating from different domains. It builds on the concept of multiprocess browsing but uses more fine-grained isolation to expand on the security advantages that are already delivered by existing multiprocess browsing models. But is it an operating system, Microsoft Research's analogue to Google's Chrome OS? Not quite."

New MS browser

Oh boy! A more secure browser from the pros at secure browsing, Microsoft.

Re:New MS browser

[gmuslera]

Don't be so negative... they said "that is modeled after the underlying concepts of operating system design.". So it probably will be as secure as Microsoft Windows. At last Internet will be safe.

New Focus

[Haffner]

Microsoft focusing on developing a browser-based OS is directly opposed to their current business model, which involves forcing users to purchase an operating system. Microsoft's focus has always been on for-pay, offline applications. Taking a precautionary foray into Google's future business model seems to show that they are at the very least wary of Google's future plans.

Re:New Focus

[Andr+T.]

It happened when Microsoft invaded Cuba.

Not an improvement

[Todd+Knarr]

MS's idea is nice, but it's not going to help a lot of things very much. It'll help when plug-ins and helper apps go runaway, being in a separate process they won't be able to block the browser itself. But from a security standpoint the problem isn't that those embedded objects are in the same process, it's that they have access to the same page and the DOM elements in it and the data structures of the browser itself. And that won't be solved just by putting them in their own process, not without isolating them from the rest of the page and browser to a degree that'll break a lot of Microsoft's technologies.

Color me less excited :/

[Jugalator]

After reading that article, I'm much less excited than I was. I had assumed it was something similar to Google Chrome OS, but it's not even something that seems like it turned out very well for Microsoft, or something that can have yet undiscovered major issues on the horizon. The idea seems to have turned out overly complex to work around the limitations with the approach, and all that in a resource hungry .NET application. It says they're hopeful to get the per-tab RAM usage down from 16 MB, but I have to wonder by how much? This approach doesn't seem much better than running a process-separated browser written in Java. Ugh.

I have a hard time understanding the decision to use .NET, but perhaps it was a security decision? Anyway, it doesn't sound like the optimal choice, when the project all revolves around low-level features like isolating the tabs even further.

Re:Color me less excited :/

[PsychicX]

But it's not supposed to be a product! MS --> Research --. It's an architectural experiment, and sure, a lot of projects graduate from Research to an actual product group. The goal is NOT to make something you can take to the open market though. It's a proper research lab, and so of course its stuff is frequently lacking. If it were to be converted to a product, it'd be staffed up with a full team who would spend a year or two -- or seven in the case of some unfortunate victims -- making it viable for public consumption.

Re:Color me less excited :/

[Colonel+Korn]

After reading that article, I'm much less excited than I was. I had assumed it was something similar to Google Chrome OS, but it's not even something that seems like it turned out very well for Microsoft, or something that can have yet undiscovered major issues on the horizon. The idea seems to have turned out overly complex to work around the limitations with the approach, and all that in a resource hungry .NET application. It says they're hopeful to get the per-tab RAM usage down from 16 MB, but I have to wonder by how much? This approach doesn't seem much better than running a process-separated browser written in Java. Ugh.

I have a hard time understanding the decision to use .NET, but perhaps it was a security decision? Anyway, it doesn't sound like the optimal choice, when the project all revolves around low-level features like isolating the tabs even further.

Read the article a bit more and you'll discover that the purpose of this project was to find the limitations of taking the separate process model to an extreme, with every element on a single page living in its own process. This was low level research, not an attempt to spark a new product.

Standards

[doishmere]

IE doesn't support web standards, but people still use it because it has Microsoft's name. Maybe this will get people to switch to a (hopefully) standards-compliant browser.

Wait, they did WHAT for HOW MANY COOKIES?

[girlintraining]

It builds on the concept of multiprocess browsing but uses more fine-grained isolation to expand on the security advantages that are already delivered by existing multiprocess browsing models.

That's a new definition of security of which I was previously unaware. Just about anyone who's spent five minutes trying to do multi-process, multi-thread, unsyncronized accesses, cloud, spin-locks, etc., will tell you that no, there are no inherent security advantages. It'll be less secure unless you make a dedicated effort from project start just to keep it on par with single-threaded. The only "advantage" it has is that when it fails it'll crash more slowly, with a wider variety of obscure error messages, hammering the operating system as it tanks with the extra overhead as it does so. Yes, it might be slightly harder to develop an exploit because it's not using a generic flaw, but some complicated and obscure flaw -- but that's not more secure; Only badly designed.

Perhaps those technologies need to be broken.

[Kupfernigk]

Some of Microsoft's technologies - like data files that can execute code - need to be broken. It is sometimes necessary to sacrifice convenience for a degree of security. The personal computer industry has been slowly coming to terms with this for the last 10 years or so, it would be nice if we don't have to wait another 10 before it all works properly.

Trident?

[Dotren]

It's largely a .NET application that uses Internet Explorer's "Trident" rendering engine.

Granted, it has made significant improvements but I still haven't been that impressed by the Trident engine. Sometimes I wish they'd use someone else's engine so that they'd be kept up-to-date on standards AND you'd have the same browsing experience on multiple browsers.

I guess I can understand why they don't though... they'd be up a creek without a paddle if they used Webkit and people stopped developing for it or licensed Gecko from Firefox and they went under or yanked Microsoft's license.

Re:Trident?

[BitZtream]

Wow, WTF do you think open source is for? You've managed to imply that the two most important advantages to open source don't exist for two very large open source projects.

Gecko is open source. They can't yank the license out from under you any more than they can from Webkit because the OSS license implies that you can continue to use it forever.

Second, Webkit, like Gecko can stop development right this instant and they won't be any worse off than using Trident. They'll just have to do the webkit or gecko development themselves, which they already do with trident (okay, another MS group does, but thats not the point).

The advantages to OSS is that they can't take away your license to what you're already using. Nor can the death of an OSS project leave you out in the cold with no where to go.

When selecting a rendering engine to replace Trident when I took over the current project I'm working on it was always Gecko or Webkit from the very start because on of the FIRST things I got smacked in the face with when taking over the project is that MS was discontinuing the parts of trident we needed.

So, we switched to Gecko. Try to take those parts away now, go for it. I can continue to use the code I have and bug fix it as needed. I have no dependency on Mozilla if I don't want it. Sure, for the moment I just use what they have and commit bugfixes back to the Mozilla effort because it saves me a whole shitload of effort trying to maintain patches or a fork. Its in everyones best interest for my version of gecko to not diverge from the main code base, and it saves EVERYONE involved time and money by sharing the effort. It doesn't matter that the company I work for doesn't own the copyright to Gecko because the Mozilla guys aren't exerting it to hurt anyone, they just use it to cover their own asses, and have released it under a license which effectively allows me to cover my ass at the same time.

I'm amazed at how someone on slashdot so effectively entirely missed what I consider the greatest benefits of Gecko and Webkit being OSS. Yea yea, finding security issues is great and all, and feature enhancements for free are nice too, but I don't mind paying for those things. Whats far more important to the survival of my company is that I don't have to worry about Mozilla or Webkit doing something that utterly fucks me over. They can't. They have given me a way to protect myself.

That is not something you can get out of Opera or Microsoft, and that is why our company happily contributes all of our changes back to Gecko, which, for reference is in no way a requirement according to MPL, but its most certainly the right thing to do, and as I said, means I don't have to merge our code bases to stay in sync with mozdev.

Gazelle? How about Tree Sloth?

[MCSEBear]

Ummm... Isn't a Gazelle kind of a fast animal?

Since this browser runs at half the speed of the not exactly quick IE 7, shouldn't it be given a code name more in keeping with it's actual speed? I've always thought Ubuntu had a cute naming scheme going. I hereby dub this software Turgid Tortoise

Not new

[BitZtream]

Unless if by new you mean:
From february at least, seems older to me: http://research.microsoft.com/apps/pubs/default.aspx?id=79655

Has already appeared on slashdot and a hundred other tech sites.

http://tech.slashdot.org/article.pl?sid=09/02/22/1724244

Its hard to google before you run to try and get a story submitted isn't it?

Re:Gazelle? How about Tree Sloth?

[fuzzyfuzzyfungus]

What they don't tell you is that the part of the gazelle it most closely emulates is the stomach; which, in ruminants, implements four-chambered process isolation in order to safely digest large quantities of low-quality input. This seemed like a valuable feature for a web browser.

Boy, don't we miss x86 segments!

[tjstork]

Well, we were so eager to get rid of segments that by the time 80386 more or less perfected them, we dumped them for flat mode. Now they are gone in x86-64, likely never to return. What a terrible mistake! If we had different segments, we could have a lightweight browser process with user space threads assigning segments to different domains on the page. Instead of trying to get protection by wrapping software sandboxes around everything like Java, C# or something else does, we could have the CPU actually doing it. If only I could go back in time and say to myself, as I fumed over the likes of ES:CX... and say, no no, this will actually turn about to be a good thing in the future!

Re:Boy, don't we miss x86 segments!

[BitZtream]

Uhm ... segmenting didn't sandbox shit. It just made it annoying to get in between, not impossible as shown by the many different libraries that help programmers do exactly that.

The Virtual Memory Manager support built into processors on the other hand DOES segment blocks of ram. This is why kernel space can be protected from random attacks in user space.

Perhaps an OS that takes more advantage of the VMU would accomplish what you want, but jumping back to segmented addressing just means that the hackers (i.e. the programmers that actually do know what they are doing) will still be able to take advantage of exploits that exist now, as well as being able to take advantage of all the clueless programmers and CS grads who shouldn't touch code with a 10 foot pole but do it anyway since these people are the ones who will have a problem with a segmented memory model.

Of course the only way any of this works is if the code that manages it all is secure. Since I've yet to see any OS manage this for just the user/kernel space boundry well, then I think trying to add more boundries at this point is just asking for trouble. The smart hackers are still going to beat the code that was farmed out to India or some local uni, sorry.

Re:Boy, don't we miss x86 segments!

[ergo98]

I think you're confusing concepts. Segmented memory was a hack, and protected nothing. Then they added protected mode, giving OS' the option of acting as the cop of memory. That has been on the x86 since the 286, and is of course widely used.

Everything that any process on your machine does in user-space has to be effectively "allowed" by the operating system. It is purely due to non-granular permission structures that modern OS' don't allow you to fine-tune every permission of even "native" executables.

Re:Gazelle? How about Tree Sloth?

[finiteSet]

Ummm... Isn't a Gazelle kind of a fast animal?

Clearly they named it Gazelle because ultimately they expect it to be killed off by safari.

Re:Why doesn't MS just rename itself "Bing" alread

[koxkoxkox]

Beware of urban legends : http://www.snopes.com/cokelore/tadpole.asp

Coca-Cola's translation in Chinese is especially good and very successful. As it is composed of very simple characters, it is also one of the first words I learned :)

Another classic urban legend is the Chevrolet Nova : http://www.snopes.com/business/misxlate/nova.asp

Bing is translated with biying in Chinese (meaning roughly : "must answer", sorry I didn't manage to use sinogramms to add that little scholarly touch). Microsoft of course did not choose the character of "illness" or "ice". It still must be a little confusing for a Chinese user because he has to type "bing" on the address bar, while he sees another name on the page.