| The Web is now the dominant platform for delivering interactive applications to hundreds of millions of users. Correspondingly, web browsers have become the de facto operating system for hosting these web-based applications (web apps). Unfortunately, web apps, browsers, and operating systems have all become popular targets for web-based attacks, intensifying the need for secure web browsing systems.;Current research efforts to retrofit today's web browsers help to improve security, but fail to address the fundamental design flaws of current browsing systems. To overcome those issues, in this dissertation, we rethink the way we build secure browsing systems, hoping to define the principles that should be followed.;To achieve this goal, we strive to learn through building experimental systems for secure web browsing. Specifically, we design and implement a new operating system and a new web browser. We also investigate other generic approaches to help secure these systems even further, including formal methods and heuristics.;The first system we build is called the Illinois Browser Operating System (IBOS). IBOS is an operating system co-designed with a new browser that reduces the trusted computing base for web browsing. We demonstrate that by exposing browser-level abstractions directly at the lowest software layer---the OS kernel---we are able to remove almost all traditional OS components and services from our trusted computing base. We show that this architecture is flexible enough to enable new browser security policies, can still support traditional applications and adds little overhead to the overall browsing experience.;We also propose the OP2 secure browser architecture that can be used on top of commodity operating systems. We combine operating system design principles with formal methods to design this secure web browser by drawing on the expertise of both communities. Our design philosophy is to partition the browser into smaller subsystems and make all communications between subsystems simple and explicit. At the core of our design is a small browser kernel that manages the browser subsystems and interposes on all communications between them to enforce our new browser security features.;Through the experiences of building these systems, we are able to summarize the principles of building secure browsing systems: (1) make security decisions at the lowest layer of software and make it simple; (2) enforce strong isolation between distinct browser-level components; (3) employ simple and explicit communication between components; (4) provide the right set of operating system abstractions; (5) maintain compatibility with current browser standards; (6) expose enough browser states and events to enable new browser security policies.;Overall, we demonstrate in this dissertation that, by following these principles, our new browsing systems are not vulnerable to many forms of web-based attacks. We believe that the work presented in the dissertation makes one step towards secure web browsing. |
