Current production web browsers are multi-process but place different web sites in the same renderer process, which is not sufficient to mitigate threats present on the web today. With the prevalence of private user data stored on web sites, the risk posed by compromised renderer processes, and the advent of transient execution attacks like Spectre and Meltdown that can leak data via microarchitectural state, it is no longer safe to render documents from different web sites in the same process. In this paper, we describe our successful deployment of the Site Isolation architecture to all desktop users of Google Chrome as a mitigation for process-wide attacks. Site Isolation locks each renderer process to documents from a single site and filters certain cross-site data from each process. We overcame performance and compatibility challenges to adapt a production browser to this new architecture. We find that this architecture offers the best path to protection against compromised renderer processes and same-process transient execution attacks, despite current limitations. Our performance results indicate it is practical to deploy this level of isolation while sufficiently preserving compatibility with existing web content. Finally, we discuss future directions and how the current limitations of Site Isolation might be addressed.
App Isolation: Get the Security of Multiple Browsers with Just One
Eric Y. Chen
Jason Bau
Adam Barth
Collin Jackson
18th ACM Conference on Computer and Communications Security, ACM (2011)
Many browser-based attacks can be prevented by using separate browsers for separate web sites. However, most users access the web with only one browser. We explain the security benefits that using multiple browsers provides in terms of two concepts: entry-point restriction and state isolation. We combine these concepts into a general app isolation mechanism that can provide the same security benefits in a single browser. While not appropriate for all types of web sites, many sites with high-value user data can opt in to app isolation to gain defenses against a wide variety of browser-based attacks. We implement app isolation in the Chromium browser and verify its security properties using finite-state model checking. We also measure the performance overhead of app isolation and conduct a large-scale study to evaluate its adoption complexity for various types of sites, demonstrating how the app isolation mechanisms are suitable for protecting a number of high-value Web applications, such as online banking.
Many of today's web sites contain substantial amounts of client-side code, and consequently, they act more like programs than simple documents. This creates robustness and performance challenges for web browsers. To give users a robust and responsive platform, the browser must identify program boundaries and provide isolation between them.
We provide three contributions in this paper. First, we present abstractions of web programs and program instances, and we show that these abstractions clarify how browser components interact and how appropriate program boundaries can be identified. Second, we identify backwards compatibility tradeoffs that constrain how web content can be divided into programs without disrupting existing web sites. Third, we present a multi-process browser architecture that isolates these web program instances from each other, improving fault tolerance, resource management, and performance. We discuss how this architecture is implemented in Google Chrome, and we provide a quantitative performance evaluation examining its benefits and costs.