Microsoft Research has published a paper detailing a new security-oriented browser called Gazelle that incorporates fundamental security features previously found in the operating system.
The paper, called The Multi-Principal OS Construction of the Gazelle Web Browser, describes a browser in which the kernel acts as a so-called "multi-principal" operating system, a 'principal' being a unique connection to a website. According to the authors, this came about because today's browsers are still tailored for sequential browsing of static sites, whereas today's sites frequently interoperate, leading to security vulnerabilities.
"Gazelle's Browser Kernel is an operating system that exclusively manages resource protection and sharing across web site principals," the paper's authors wrote. "This construction exposes intricate design issues that no previous work has identified, such as legacy protection of cross-origin script source, and cross-principal, cross-process display and events protection."
According to the authors, the browser places different "principals" into separate protection domains so they are protected from one another.
"Just as in desktop applications where instances of an application are run in separate processes for failure containment, we run instances of principals in separate protection domains for the same purpose," the authors wrote. "For example, when the user browses the same URL from different tabs, it corresponds to two instances of the same principal; when a.com embeds two b.com iframes, the b.com iframes correspond to two instances of b.com; however, multiple same-origin frames in a page are in the same principal instance as the page."
Google's Chrome browser, which treats each opened site as a separate process, is most similar to Gazelle, the authors said. However, they added, Chrome is innately less secure on several counts: it treats subdomains as part of the same process as the main site, whereas Gazelle places them in separate processes; it allows all plug-in content from different sites to share one plug-in process, while Gazelle treats them as separate processes; and it implements cross-site protection in its rendering and plug-in processes, whereas Gazelle "provides a clean separation between the act of rendering web content and the policies of how to display this content".
Gazelle's developers have also claimed the browser can beat its rivals in its handling of several other common security flaws. In the case of "race condition attacks", where the attacker exploits a user's previous behaviour to predict the time and location of their user input, Gazelle avoids spoofed input fields being briefly presented to the user "by ignoring user input into newly exposed window area (for one second) until the user has got a chance to see the newly exposed display", the authors wrote.
"In IE7, there are three GUI [graphical user interface] logic flaws which can be exploited to spoof the contents of the address bar," the authors added. "For Gazelle, the address bar UI is owned and controlled by our Browser Kernel, where it is much easier to implement correctly."