Designing, implementing, and evaluating secure web browsers

Web browsers are plagued with vulnerabilities, providing hackers with easy access to computer systems using browser-based attacks. Efforts that retrofit existing browsers have had limited success since modern browsers are not designed to withstand attack. To enable more secure web browsing, we design and implement new web browsers from the ground up that attempt to improve the state-of-the-art in browser security. We combine operating system design principles with formal methods to design a more secure web browser by drawing on the expertise of both communities. At the core of our design is a small browser kernel that manages browser subsystems and interposes on all communications between subsystems to enforce our security features.;To evaluate our browser architecture, we have implemented the OP web browser and Gazelle, testing performance, memory, and file system impact while browsing popular pages. We show that the additional security features in OP introduce minimal overhead. In addition to browser bugs, users browsing the web are also exposed to cross-site scripting (XSS) vulnerabilities, which have become the most prevalent form of vulnerability found in computer systems. Current browsers provide limited or no defense against XSS, cross-site request forgery (CSRF), and other types of web attacks because these attacks operate within the bounds of modern browser security policies. To protect users from these attacks, we have developed Alhambra, a browser with the ability to enforce fine-grained security policies that can automatically defeat a wide range of web attacks. Alhambra generates security policies based on pages the user visits. Focused policy generation allows Alhambra to generate more aggressive policies, thus potentially preventing more attacks without compromising compatibility.;Using Alhambra, we analyze the impact of policies on the compatibility of web pages. Using user-generated browsing sessions and browser-based replay, we evaluate security policies quickly and automatically. To provide comparison between policies for identical pages we developed useful comparison metrics for quantifying differences between identical pages executed with different security policies. We show that Alhambra can enforce strong security policies quickly and with minimal cost to compatibility.