Difference between revisions of "COMP 3000 Essay 2 2010 Question 2"

From Soma-notes
Revision as of 16:02, 2 December 2010

Paper

Trust and Protection in the Illinois Browser Operating System

http://www.usenix.org/events/osdi10/tech/full_papers/Tang.pdf


Shuo Tang, Haohui Mai, Samuel T. King

University of Illinois at Urbana-Champaign

Presentation slides to go along with the paper: Trust and Protection in the Illinois Browser Operating System. http://www.cs.uiuc.edu/homes/stang6/ibos.html#slide1

Research Problem

Modern browsers such as Google Chrome and Mozilla Firefox are constantly revised and updated to keep up with the latest attacks, yet each still accumulates hundreds of security vulnerabilities. Many of these are simple, mildly harmful attacks on web applications, but a substantial number target the browser itself, the operating system or its libraries. Because the browser sits beneath every web application it renders, a successful attack on it is far more serious: it exposes the data of every web application the browser handles and gives the attacker a foothold on the other resources of the exploited machine. A successful attack on the operating system is worse still, since the attacker can then manipulate arbitrary system state and events and gain full control of the system. The focus of this research is to prevent and limit attacks on the browser, its libraries, the operating system and system services.

Background Concepts

The Illinois Browser Operating System (IBOS) is not just a new browser designed for security; it is also a full operating system. It was developed at the University of Illinois by the paper's authors, Shuo Tang, Haohui Mai and Samuel T. King. Its main goal is to expose browser-level abstractions at the lowest possible software layer, reducing the trusted computing base (TCB) for web browsers. Websites and web applications have become major targets for attackers, who keep finding new ways of exploiting even carefully secured systems. Cross-site scripting (XSS) has recently overtaken the age-old buffer overflow as the most commonly reported class of vulnerability.


Plenty of research has gone into improving the security of the web browsers on the market today, but all of them remain susceptible to attacks on the layers below the browser. A compromised Ethernet driver can send sensitive HTTP packets to third parties, a compromised storage module can leak persistent data to unwanted viewers, and a compromised window manager can overlay fake interfaces of the kind used in phishing attacks. Common web browsers run on top of commodity operating systems with shared system services and user-mode libraries, all of which enlarge the TCB. IBOS addresses this by exposing browser-level abstractions rather than only general-purpose ones: cookies, HTTP connections and tabs for displaying pages are all brought down into the abstraction layer that the kernel understands and enforces. Through these measures the IBOS system aims to reduce the computer's TCB.

TCB

The TCB is the hardware and software that is critical to the computer's security. Modern operating system-browser combinations have massive TCBs of several million lines of code. Moving components such as device drivers out of the kernel lowers a system's TCB considerably. If a device driver outside the TCB is compromised, the damage is bounded by the limited privileges that driver holds; if the driver runs inside the TCB, compromising it compromises the whole system. Every element removed from the TCB makes it smaller, and a smaller TCB means less code in which a single bug can defeat all of the system's security guarantees.

Contribution

The authors designed IBOS to reduce security risks without sacrificing speed and efficiency. One of the ways they achieve this is through how processes are created. There are essentially two types of process: a web page instance and a traditional process. Any time the user opens a new tab, clicks on a link, or enters a web address in the uniform resource locator (URL) bar, the IBOS kernel creates a new web page instance and labels it with the origin of the HTTP request that created it. If a site such as facebook.com embeds content from another origin (for example, in an iframe), the kernel creates a separate web page instance for the embedded content and labels it with that origin. Traditional processes are all other processes created for the local machine; these are simply labelled localhost.

Because each web page instance carries its own label, the kernel can isolate instances from one another, so a compromised instance cannot take control of other processes. Because the labels also record where a request came from, the IBOS kernel can check that the data it passes to an instance really came from the origin that instance expects.
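The labelling rule above, as an added illustration rather than code from the IBOS project: a small Python model in which every web page instance is labelled with the origin of the request that created it, a cross-origin embed gets its own labelled process, traditional processes carry the label localhost, and the kernel refuses to hand a subsystem's data (an HTTP response, a cookie) to a process whose label does not match. The hostnames bank.example and ads.example, the cookie value and the Origin/Kernel/Process names are all invented for the example; the real IBOS kernel is written against the L4 microkernel and does not expose this API.

```python
"""Constructed model of IBOS-style origin labels on kernel-managed processes."""
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Origin:
    scheme: str
    host: str
    port: int


def origin_of(url: str) -> Origin:
    """Scheme, host and port of a URL, with the scheme's default port filled in."""
    u = urlsplit(url)
    port = u.port or (443 if u.scheme == "https" else 80)
    return Origin(u.scheme, u.hostname or "", port)


LOCALHOST = Origin("local", "localhost", 0)   # label carried by traditional processes


@dataclass
class Process:
    pid: int
    label: Origin
    kind: str                                  # "web page instance" or "traditional"
    received: list = field(default_factory=list)


class Kernel:
    def __init__(self) -> None:
        self.procs = {}            # pid -> Process
        self.cookies = {}          # storage keyed by label, not by requesting process
        self.denied = []           # audit trail of refused deliveries
        self._next_pid = 1

    def _spawn(self, label: Origin, kind: str) -> Process:
        p = Process(self._next_pid, label, kind)
        self._next_pid += 1
        self.procs[p.pid] = p
        return p

    def open_page(self, url: str) -> Process:
        """New tab, clicked link or URL-bar entry: a fresh instance labelled with the origin."""
        return self._spawn(origin_of(url), "web page instance")

    def embed(self, parent_pid: int, url: str) -> Process:
        """Embedded content such as an iframe: same origin stays in the parent instance,
        a different origin gets its own labelled process."""
        parent = self.procs[parent_pid]
        label = origin_of(url)
        return parent if label == parent.label else self._spawn(label, "web page instance")

    def start_traditional(self) -> Process:
        return self._spawn(LOCALHOST, "traditional")

    def deliver_response(self, pid: int, response_url: str, body: bytes) -> bool:
        """Network subsystem hands an HTTP response to a page instance. The kernel compares
        the response origin with the instance label, so a compromised network driver cannot
        route one site's traffic into another site's process."""
        p = self.procs[pid]
        if p.kind != "web page instance" or origin_of(response_url) != p.label:
            self.denied.append(f"pid {pid} ({p.label.host}) <- {response_url}")
            return False
        p.received.append(body)
        return True

    def set_cookie(self, pid: int, name: str, value: str) -> None:
        p = self.procs[pid]
        self.cookies.setdefault(p.label, {})[name] = value

    def get_cookie(self, pid: int, origin_url: str, name: str) -> Optional[str]:
        """Storage subsystem: a process may only read cookies filed under its own label."""
        p = self.procs[pid]
        if origin_of(origin_url) != p.label:
            self.denied.append(f"pid {pid} ({p.label.host}) read cookie of {origin_url}")
            return None
        return self.cookies.get(p.label, {}).get(name)


def demo() -> dict:
    """Constructed scenario: a bank page embeds a third-party frame that turns hostile."""
    k = Kernel()
    bank = k.open_page("https://bank.example/account")       # label: bank.example
    ad = k.embed(bank.pid, "https://ads.example/frame")       # cross-origin: own process
    same = k.embed(bank.pid, "https://bank.example/help")     # same origin: parent instance
    shell = k.start_traditional()                             # label: localhost
    k.set_cookie(bank.pid, "session", "s3cr3t")
    return {
        "ad_isolated": ad.pid != bank.pid and ad.label != bank.label,
        "same_origin_shared": same.pid == bank.pid,
        "traditional_label": shell.label == LOCALHOST,
        # legitimate delivery: a bank response to the bank instance
        "bank_ok": k.deliver_response(bank.pid, "https://bank.example/balance", b"$100"),
        # what a compromised driver would try: bank data routed to the ad frame
        "misroute_blocked": not k.deliver_response(ad.pid, "https://bank.example/balance", b"$100"),
        "cookie_own": k.get_cookie(bank.pid, "https://bank.example/", "session"),
        "cookie_stolen": k.get_cookie(ad.pid, "https://bank.example/", "session"),
        "denials": len(k.denied),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

The point of the model is where the check sits: the network and storage code never decide who gets the data, the kernel does, by comparing the label on the requesting process with the origin of the data. That is what lets IBOS keep drivers and subsystems outside the TCB.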


IBOS has a considerably smaller TCB than other modern browsers. Where both Chrome and Firefox come in at over 4 million lines of code in their trusted computing base, IBOS has only about 42,000. Because IBOS isolates each component in its own process, it was also able to contain between 75% and 100% of the vulnerabilities in any given component to that component. The researchers took 175 known Chrome vulnerabilities, ranging from memory-corruption bugs to interface spoofing, and evaluated which of them the IBOS design would contain. IBOS would have prevented 135 of them (77%), whereas Chrome's own architecture contained only 83. The difference is that Chrome can contain exploits in its rendering engine, which runs in a sandbox, but cannot contain exploits of its browser kernel. This is not a problem for IBOS, because many of the components that sit inside Chrome's trusted computing base have been moved outside the IBOS TCB, limiting what an exploit of them can achieve.


In terms of performance, IBOS is comparable to two of the best-performing browsers currently released, Firefox and Chrome. For sites such as Google Maps, IBOS actually loads pages faster than Firefox; this may be partly because IBOS is built on the WebKit engine, which has been optimized for Google Maps. For Facebook and Wikipedia, sites that issue many HTTP requests, IBOS is slightly slower than the other two browsers, but for sites with only a few HTTP requests it runs just as quickly as they do.

Critique

The paper is well organized and executed. It flows naturally and keeps its explanation in order, so the reader never needs to flip back and reference an earlier part of the paper. It starts with the core reasons the system is needed, moves on to how the kernel is organized, and works its way up to the higher-level material, a natural progression that gives the reader the information needed to understand each upcoming concept.

References

You will almost certainly have to refer to other resources; please cite these resources in the style of citation of the papers assigned (inlined numbered references). Place your bibliographic entries in this section.