The Security Architecture of the Chromium Browser Adam Barth UC Berkeley Collin Jackson - PDF document

letoanentireinstanceoftherenderingengine,evenwhenthatprivilegeisonlyneededbyasinglesecurityorigin.Thearchitecturedoesnotpreventanattackerwhocompro-misestherenderingenginefromattackingotherwebsites(forexample,byreadingtheircookies).Instead,thearchi-tectureaimstopreventanattackerfromreadingorwritingtheuser'slesystem,helpingprotecttheuserfromadrive-bymalwareinstallation.ToevaluatethesecurityofChromium'sarchitecture,weexaminethedisclosedbrowservulnerabilitiesinInternetEx-plorer,Firefox,andSafarifromtheprecedingyear.Foreachvulnerability,wedeterminewhichmodulewouldhavebeenaectedbythevulnerability,hadthevulnerabilitybeenpresentinChromium.Wendthat67:4%(87of129)ofthevulnerabilitieswouldhaveoccurredintherenderingengine,suggestingthattherenderingengineaccountsforasigni-cantfractionofthebrowser'scomplexity.NotallrenderingenginevulnerabilitieswouldhavebeenmitigatedbyChromium'sarchitecture.Chromium'sarchi-tectureisdesignedtomitigatethemostseverevulnerabili-ties,namelythosevulnerabilitiesthatletanattackerexecutearbitrarycode.Ifanattackerexploitssuchavulnerabilityintherenderingengine,Chromium'sarchitectureaimstore-stricttheattackertousingthebrowserkernelinterface.Wendthat38ofthe87renderingenginevulnerabilitiesal-lowedanattackertoexecutearbitrarycodeandwouldhavebeenmitigatedbyChromium'sarchitecture.Theseaccountfor70:4%(38of54)ofalldisclosedvulnerabilitiesthatallowarbitrarycodeexecution.Toevaluatethesecuritybenetsofsandboxingadditionalbrowsercomponents,weexaminedthearbitrarycodeexecu-tionvulnerabilitiesthatwouldhaveoccurredinthebrowserkernel.Wendthat72:7%(8of11)ofthevulnerabilitiesresultfrominsucientvalidationofsystemcallsandwouldnothavebeenmitigatedbyadditionalsandboxing.Forex-ample,onesuchvulnerabilityinvolvedthebrowserimprop-erlyescapingaparametertoShellExecutewhenhandlingexternalprotocols.Althoughcountingvulnerabilitiesisanimperfectsecuritymetric[24],theseobservationsleadustobelievethatChromium'sarchitecturesuitablydividesthevariousbrowsercomponentsbetweenthebrowserkernelandtherenderingengine.Byseparatingthebrowserintotwoprotectiondomains,onerepresentingtheuserandanotherrepresentingtheweb,Chromium'ssecurityarchitecturemitigatesapproximately70%ofcriticalbrowservulnerabilitiesthatletanattackerexecutearbitrarycode.Theremainingvulnerabilitiesarediculttomitigatewithadditionalsandboxing,leadingustoconcludethatthearchitectureextractsmostofthesecu-ritybenetsofsandboxingwhilemaintainingperformanceandcompatibilitywithexistingwebcontent.Wetookathree-prongedapproachtoevaluatingthecom-patibilityofChromium'sarchitecture.First,ourimplemen-tationofthearchitecturepasses99%of10;115compatibilitytestsfromtheWebKitproject.Thetestsourimplementa-tiondoesnotpassareduetoimplementationdetailsandarenotduetoarchitecturallimiations.Second,weman-uallyvisitedeachofthe500mostpopularwebsitesandxedanyincompatibilitieswefound.Third,wedeployourimplementationtomillionsofusersworld-wide. Figure1:Thebrowserkerneltreatstherenderingengineasablackboxthatparseswebcontentandemitsbitmapsoftherendereddocument. Organization.Section2denesathreatmodelforbrowserexploits.Section3detailsChromium'sarchitecture.Sec-tion4describesthesandboxusedtoconnetherenderingengine.Section5explainsthebrowserkernelAPIusedbythesandboxedrenderingengine.Section6evaluatesthese-curitypropertiesofthearchitecture.Section7comparesChromium'sarchitecturewithotherbrowserarchitectures.Section8concludes.2.THREATMODELInordertocharacterizethesecuritypropertiesofChro-mium'sarchitecture,wedeneathreatmodelbyenumerat-ingtheattacker'sabilitiesandgoals.Thesecurityarchitec-tureseekstopreventanattackerwiththeseabilitiesfromreachingthesegoals.Wecanusethisthreatmodeltoeval-uatehoweectivelyChromium'sarchitectureprotectsusersfromattack.AttackerAbilities.Weconsideranattackerwhoknowsanunpatchedsecurityvulnerabilityintheuser'sbrowserandisabletoconvincetheuser'sbrowsertorendermaliciouscontent.Typically,theseabilitiesaresucienttocompro-misetheuser'smachine[20].Morespecically,weassumetheattackerhasthefollowingabilities:1.Theattackerownsadomainname,sayattacker.com,thathasnotyetbeenaddedtothebrowser'smalwareblacklist[19].TheattackerhasavalidHTTPScer-ticateforthedomain,andcontrolsatleastonehostonthenetwork.Theseabilitiescanbepurchasedforabout$5.2.Theattackerisabletoconvincetheusertovisithisorherwebsite.Thereareanumberoftechniquesforconvincingtheusertovisitattacker.com,suchassendingoutspame-mail,hostingpopularcontent,ordrivingtracviaadvertising.Itisdiculttopricethisability,but,inapreviousstudy,wewereabletoattractaquarterofamillionusersforabout$50[1].2 3.Theattackerknows,andisabletoexploit,anun-patchedarbitrarycodeexecutionvulnerabilityintheuser'swebbrowser.Forexample,theattackermightknowofanunpatchedbuerover owinthebrowser'sHTMLparser[17],anintegerover owintheregu-larexpressionlibrary[14],orabuerover owinthebookmarkssystem[15].In-ScopeGoals.Chromium'sarchitecturefocusesonpre-ventingtheattackerfromachievingthreehigh-valuegoals:PersistentMalware.Theattackerattemptstoin-stallmalicioussoftwareontheuser'scomputer.Forexample,theattackermightattempttoinstallabot-netclient[6]thatreceivescommandsoverthenet-workandparticipatesincoordinatedattacksontheuseroronnetworktargets.Inparticular,theattackerattemptstoinstallpersistentmalicioussoftwarethatsurvivestheuserclosinghisorherbrowser.TransientKeylogger.Theattackerattemptstomon-itortheuser'skeystrokeswhentheuserinteractswithanotherprogram.Suchsystem-widekeyloggersareof-tenusedtostealuserpasswords,creditcardnumbers,andothersensitiveinformation.Toachievethisgoal,theattacker'skeyloggerneednotsurvivetheuserclos-ingthebrowser.FileTheft.Theattackerattemptstoreadsensitivelesontheuser'sharddrive.Forexample,theattackermightattempttoreadthesystem'spassworddatabaseortheuser'snancialrecords.Filetheftisanimpor-tantconcernforenterpriseuserswhosemachinesoftencontainlargeamountsofcondentialinformation.Ifanattackerisabletoachieveoneormoreofthesegoals,heorshehastheabilitytocauseseriousharmtotheuser.Forexample,anattackerwhoisabletoinstallmalwareisnolongerconstrainedbythebrowser'ssecuritypolicyandoftensaidto\own"theuser'smachine.Chromium'sarchitectureaimstopreventanattackerwiththeaboveabilitiesfromachievingthesegoals.Out-of-ScopeGoals.Thereareanumberofotherat-tackergoalsforwhichChromium'sarchitecturedoesnotprovideadditionalprotection.Chromiumincludesfeaturesthathelpdefendagainstthesethreats,butthesefeaturesrelyontherenderingenginetoenforcethesame-originpol-icy.Phishing.Inaphishingattack,theattackertrickstheuserintoconfusingadishonestwebsitewithanhonestwebsite.Theconfusedusersupplieshisorherpasswordtothedishonestwebsite,whocanthenim-personatetheuseratthehonestwebsite.Anattackerwhoexploitsanunpatchedvulnerabilitycancreateaconvincingphishingsitebycorruptingawindowdis-playingthehonestsite.Chromiumhasanumberofsecurityfeaturestohelpmitigatephishingattacks.Forexample,thebrowser'slocationbarhighlightsthewebsite'sdomainname,aidingusersindeterminingwhethertheyareviewinganhonestoradishonestwebsite.Thebrowseralsoblack-listsknownphishingsites,showingafull-pagewarningiftheuservisitsaknownphishingsite.Addi-tionally,thebrowserdisplaysadditionalsecurityuserinterfaceelementsifthesitehasanextendedvalida-tioncerticate.ManyofthesesecurityfeaturescanbefoundinotherbrowsersandareorthogonaltothedesignofChromium'sarchitecture.OriginIsolation.Chromium'sarchitecturetreatstherenderingengineasrepresentingtheentirewebprincipal,meaninganattackerwhocompromisestherenderingenginecanactonbehalfofanywebsite.Forexample,anattackerwhoexploitsanarbitrarycodeexecutionvulnerabilitycanobtainthecookiesforev-erywebsiteandcanreadallthepasswordsstoredinthebrowser'spassworddatabase.Iftheattackerisnotabletoexploitanunpatchedvulnerability,theusualbrowsersecuritypolicypreventstheattackerfromread-ingcookiesorpasswordsfromhostnamesthatarenotunderhisorhercontrol.FirewallCircumvention.Thesame-originpolicyisdesignedtorestrictanattacker'snetworkaccessfromwithinthebrowser[9].Theserestrictionsareintendedtoprotectcondentialresourcesbehindorganizationalrewalls.However,anattackerwhoexploitsanun-patchedvulnerabilitycanbypasstheserestrictionsandcanreadHTTPresponsesfrominternalserversbymakinguseofthebrowser'sURLrequestingfacilities.TheabilitytorequestarbitrarywebURLsfollowsthecompatibilityandblack-boxdesigndecisionsinordertosupportstylesheetsandimagetags.WebSiteVulnerabilities.Chromium'sarchitec-turedoesnotprotectanhonestwebsiteifthesitecontainscross-sitescripting(XSS),cross-siterequestforgery(CSRF),orheaderinjectionvulnerabilities.Tobesecureagainstwebattackers,thesesitesmustrepairtheirvulnerabilities.ChromiumsupportsHttpOnlycookies[12],whichcanbeusedasapartialmitigationforXSS.3.CHROMIUM'SARCHITECTUREChromium'sarchitecturehastwomodules:arenderingengineandabrowserkernel.Atahighlevel,therender-ingengineisresponsibleforconvertingHTTPresponsesanduserinputeventsintorenderedbitmaps,whereasthebrowserkernelisresponsibleforinteractingwiththeoper-atingsystem.ThebrowserkernelexposesanAPIthattherenderingengineusestoissuenetworkrequests,accessper-sistentstorage,anddisplaybitmapsontheuser'sscreen.Thebrowserkernelistrustedtoactastheuser,whereastherenderingengineistrustedonlytoactastheweb.RenderingEngine.Therenderingengineinterpretsandexecuteswebcontentbyprovidingdefaultbehav-iors(forexample,drawing&#xinpu;&#xt000;elements)andbyservicingcallstotheDOMAPI.Renderingwebcon-tentproceedsinseveralstages,beginningwithparsing,buildinganin-memoryrepresentationoftheDOM,layingoutthedocumentgraphically,andmanipulat-ingthedocumentinresponsetoscriptinstructions.Therenderingengineisalsoresponsibleforenforcingthesame-originpolicy,whichhelpspreventmaliciouswebsitesfromdisruptingtheuser'ssessionwithhon-estwebsites.3 4.THESANDBOXTohelpdefendagainstanattackerwhoexploitsavulner-abilityintherenderingengine,Chromiumrunseachrender-ingengineinasandbox.Thissandboxrestrictstherenderingengine'sprocessfromissuingsomesystemcallsthatcouldhelptheattackerreachthegoalsfromSection2.Goals.Ideally,thesandboxwouldforcetherenderingen-ginetousethebrowserkernelAPItointeractwiththeout-sideworld.ManyDOMmethods,suchasappendChild,simplymutatestatewithintherenderingengineandcanbeimplementedentirelywithintherenderingengine.OtherDOMmethods,suchasXMLHttpRequest'ssendmethod,re-quirethattherenderingenginedomorethanjustmanipu-lateinternalstate.Anhonestrenderingenginecanusethebrowserkernelinterfacetoimplementthesemethods.Thegoalofthesandboxistorequireevenacompromisedren-deringenginetousethebrowserkernelinterfacetointeractwiththelesystem.Implementation.Currently,ChromiumreliesonWindows-specicfeaturestosandboxtherenderingengine.Insteadofrunningwiththeuser'sWindowssecuritytoken,therender-ingenginerunswitharestrictedsecuritytoken.Whenevertherenderingengineattemptstoaccessa\securableob-ject,"theWindowsSecurityManagercheckswhethertherenderingengine'ssecuritytokenhassucientprivilegestoaccesstheobject.Thesandboxrestrictstherenderingen-gine'ssecuritytokeninsuchawaythatthetokenfailsalmosteverysuchsecuritycheck.Beforerenderingwebcontent,therenderingenginead-juststhesecuritytokenofitsprocessbyconvertingitsse-curityidentiers(SIDs)to\DENY_ONLY,"addingarestrictedSID,andcallingtheAdjustTokenPrivilegesfunction.Therenderingenginealsorunsonaseparatedesktop,mitigat-ingthelaxsecuritycheckingofsomeWindowsAPIs,suchasSetWindowsHookEx,andlimitingtheusefulnessofsomeunsecuredobjects,suchasHWND_BROADCAST,whosescopeislimitedtothecurrentdesktop.Additionally,therenderingenginerunsinaWindowsJobObject,restrictingtheren-deringengine'sabilitytocreatenewprocesses,readorwritetotheclipboard,oraccessUSERhandles.Otherresearchershaveadvocatedsimilarapproaches[10].ForfurtherdetailsabouttheChromiumsandbox,seethedesigndocument[4].Limitations.Althoughthesandboxrestrictstheabilityofacompromisedrenderingenginetointeractwiththeoper-atingsystem,thesandboxhassomelimitations:FAT32.TheFAT32lesystemdoesnotsupportac-cesscontrollists.Withoutaccesscontrollists,theWindowssecuritymanagerignoresaprocess'ssecu-ritytokenwhengrantingaccesstoaFAT32le.TheFAT32lesystemisrarelyusedonmodernharddrivesbutisusedonmanyUSBthumbdrives.Forexample,ifausermountsaUSBthumbdrivethatusesFAT32,acompromisedrenderingenginecanreadandwritethecontentsofthedrive.MisconguredObjects.IfanobjecthasaNULLdiscretionaryaccesscontrollist(DACL),theWindowssecuritymanagerwillgrantaccesswithoutconsideringtheaccessingsecuritytoken.AlthoughNULLDACLsareuncommon,somethird-partyapplicationscreateobjectswithNULLDACLs.OntheNTFSlesystem,thislimitationislargelymitigatedbecausethesand-boxremovestheprivilegeto\bypasstraversecheck-ing,"forcingWindowstocheckthattherenderingen-ginehasaccesstothetargetle'sparentdirectories.TCP/IP.Theoretically,therenderingenginecouldcreateaTCP/IPsocketonWindowsXPbecausethelow-levelsystemcallstoopenasocketdonotappeartorequireOShandlesortoperformaccesschecks.Inpractice,though,theusualWin32librarycallsforcre-atingasocketfail,becausethoseAPIsrequirehandleswhichtherenderingengineisunabletoobtain.Wehaveattemptedtobuildaproof-of-conceptbutareasyetunabletoopenasocketfromwithinasandboxedprocess.OnWindowsVista,therelevantsystemcallsperformaccesschecksbasedonthecurrentsecuritytoken.5.THEBROWSERKERNELINTERFACEThesandboxrestrictstherenderingengine'sabilitytoin-teractdirectlywiththeunderlyingoperatingsystem.Toac-cessoperatingsystemfunctionality,suchasuserinteraction,persistentstorage,andnetworking,therenderingenginere-liesonthebrowserkernelAPI.Inprovidingfunctionalitytotherenderingengine,thebrowserkernelmustbecarefullydesignednottograntmoreprivilegesthanarenecessary.Inparticular,thebrowserkernelinterfaceisdesignednottoleaktheabilitytoreadorwritetheuser'slesystem.UserInteraction.Commodityoperatingsystemsexposeaninterfacethatletsapplicationsinteractwiththeuser,buttheseinterfacesareoftennotdesignedtobeusedbyuntrustedapplications.Forexample,intheXWindowSys-tem,theabilitytocreateawindowonanXserveralsoimpliestheabilitytomonitoralloftheuser'skeystrokes[2].Thebrowserkernelmediatestherenderingengine'sinterac-tionwiththeusertohelpenforcetwosecurityconstraints:Rendering.Insteadofgrantingtherenderingenginedirectaccesstoawindowhandle,therenderingenginedrawsintoano-screenbitmap.Todisplaythebitmaptotheuser,therenderingenginesendsthebitmaptothebrowserkernel,andthebrowserkernelcopiesthebitmaptothescreen.Thisdesignaddsasinglevideomemorytovideomemorycopytotheusualdrawingpipeline,whichhasasimilarlysmallperformanceim-pacttodoublebuering,andclipstherenderedbitmaptothebrowserwindow'scontentarea.1UserInput.Insteadofdeliveringuserinputeventsdirectlytotherenderingengine,theoperatingsys-temdeliverstheseeventstothebrowserkernel.Thebrowserkerneldispatchestheseeventsaccordingtothecurrentlyfocuseduserinterfaceelement.Iffocusre-sidesinthebrowserchrome,theinputeventsarehan-dledinternallybythebrowserkernel.Ifthecontentareahasfocus,thebrowserkernelforwardstheinputeventstotherenderingengine.Thisdesignleveragestheuser'sintent(whichinterfaceelementisinfocus)torestrictwhichuserinputeventscanbeobservedbyacompromisedrenderingengine. 1IntheinitialbetareleaseofGoogleChrome,thebrowserkernelalsoexposesanAPIfordrawingmenusforthe&#xsele;t00;elementthatcanbeusedtodrawoverarbitraryregionsofthescreen.5 Browser Renderer Unclassied InternetExplorer 1 9 5 Firefox 5 19 0 Safari 5 10 0 Table3:NumberofArbitraryCodeExecutionCVEsbyChromiumModuleTheunclassiedvulnerabilityinSafariwaspresentinSafari'sPDFviewer.(Chromiumdoesnotcontainabuilt-inPDFviewer.)Table2revealsthatrenderingenginesaccountforthegreat-estnumberofdisclosedvulnerabilities,suggestingthattherenderingengineismorecomplexthanthebrowserkernel.Thisobservationisconsistentwiththelinecountheuristicforcodecomplexity.Chromium'srenderingenginecontainsapproximately1;000;000linesofcode(excludingblanklinesandcomments),whereasthebrowserkernelcontainsap-proximately700;000linesofcode.ArbitraryCodeExecution.Chromium'ssecurityarchi-tectureisdesignedtomitigatetheimpactofarbitrarycodeexecutionvulnerabilitiesintherenderingenginebylimitingtheabilityoftheattackertoissuesystemcallsaftercom-promisingtherenderingengine.ManyofthevulnerabilitiesconsideredabovearenotmitigatedbyChromium'sarchitec-turebecausetheydonotletanattackerreadorwritetheuser'slesystem.Forexample,oneoftheFirefoxvulnera-bilitiesletanattackerlearntheURLofthepreviouspage.Whilepatchingthesevulnerabilitiesisimportanttoprotecttheuser'sprivacy(andsensitiveinformation),thesevulnera-bilitiesarenotassevereasvulnerabilitiesthatletwebsitesinstallmaliciousprograms,suchasbotnetclients[20],ontheuser'smachine.Ifwerestrictourattentiontothosevulnerabilitiesthatleadtoarbitrarycodeexecution(seeTable3),wendthattherenderingenginecontainedmorearbitrarycodeexecu-tionvulnerabilitiesthanthebrowserkernel.(Asmentionedabove,thefourunclassiedInternetExplorervulnerabilitieswererelatedtoActiveXplug-insandonecontainedinsuf-cientinformationtodeterminethemodule.)Chromium'sarchitecturehelpsmitigatethesevulnerabilitiesbysandbox-ingthearbitrarycodetheattackerchoosestoexecute.Ofthevulnerabilitiesinthebrowserkernelthatleadtoarbitrarycodeexecution,themajority(8of11)ofthesevulnerabilitieswerecausedbyinsucientvalidationofin-putstosystemcallsandnotbybuerover owsorothermemory-safetyissues.Thesevulnerabilitiesareunlikelytobemitigatedbysandboxingmorebrowsercomponentsbe-causethebrowsermusteventuallyissuethesystemcallsinquestion,suggestingthatothertechniquesarerequiredtomitigatetheseissues.Summary.Although\numberofCVEs"isnotanidealse-curitymetric,thisdatasuggeststhatChromium'sdivisionofresponsibilitiesbetweenthebrowserkernelandtheren-deringengineplacesthemorecomplex,vulnerability-pronecodeinthesandboxedrenderingengine,makingitharderforanattackertoreadorwritetheuser'sharddrivebyex-ploitingavulnerability.Moreover,mostoftheremainingvulnerabilitieswouldnothavebeenmitigatedbyadditionalsandboxing,suggestingthatassigningmoretaskstotheren-deringenginewouldnotsignicantlyimprovesecurity.6.2CaseStudy:XMLExternalEntitiesAnothermethodforevaluatingChromium'ssecurityar-chitectureistodeterminewhetherthearchitecturesuccess-fullydefendsagainstunknownvulnerabilitiesintherender-ingengine.Inthiscasestudy,weexamineonevulnerabilityindetailandexplainhowthesecurityarchitecturemitigatedthreatsinthescopeofourthreatmodelbutdidnotmit-igatethreatsthatareoutofscope.Thisvulnerabilityis\unknown"inthesensethatwediscoveredthevulnerabilityafterimplementingthesandboxandbrowserkernelsecuritymonitor.Thevulnerabilitywasxedbeforetheinitialbetarelease,butthissectiondescribesthestateofaairsjustafterwediscoveredthevulnerability.XXE.AnXMLEntityisanescapesequence,suchas©,thatanXML(oranHTML)parserreplaceswithoneormorecharacters.Inthecaseof©,theentityisre-placedwiththecopyrightsymbol,c .TheXMLstandardalsoprovidesforexternalentities[3],whicharereplacedbythecontentobtainedbyretrievingaURL.InanXmleXternalEntity(XXE)attack,theattacker'sXMLdocument,hostedathttp://attacker.com/,includesanexternalentityfromaforeignorigin[25].Forexample,themaliciousXMLdocumentmightcontainanentityfromhttps://bank.com/orfromfile:///etc/passwd:version="1.0"&#x?xml;&#x-525;encoding="UTF-8"?doc[entSYSTEM&#x!ENT;&#xITY-;剐"/etc/passwd"&#x!ENT;&#xITY-;剐]&#xhtml;&#xhead;&#xscri;&#xpt00;...&#x/scr;&#xipt0;&#x/hea;퀀ody;&#x/bod;&#xy000;&#x/htm;&#xl000;IfvulnerabletoXXEattacks,thebrowserwillretrievethecontentfromtheforeignoriginandincorporateitintotheattacker'sdocument.Theattackercanthenreadthecon-tent,circumventingacondentialitygoalsofthebrowser'ssecuritypolicy.libXML.Likemanybrowsers,ChromiumuseslibXMLtoparseXMLdocuments.Unlikeotherbrowsers,Chromiumdelegatesparsingtasks,includingXMLparsing,toasand-boxedrenderingengine.Afterimplementingthesandbox,butpriortotheinitialbetareleaseofGoogleChrome,webecameawarethattherenderingengine'suseoflibXMLwasvulnerabletoXXEattacks.Asaresult,therenderingenginewasnotpreventingwebcontentfromretrievingURLsfromforeignorigins.Instead,therenderingenginewaspassingtherequests,unchecked,tothebrowserkernel.Usingourproof-of-conceptexploit,weobservedthatthebrowserkernelperformeditsusualblack-boxchecksontheURLsrequestedbytherenderingengine.IftheexternalentityURLwasawebURL,forexamplewiththehttp,https,orftpschemes,thebrowserkernelservicedthere-quest,asinstructed.However,iftheexternalentityURLwasfromtheuser'slesystem,i.e.fromthefilescheme,thenthebrowserkernelblockedtherequest,preventingourproof-of-conceptfromreadingcondentialinformation,suchaspasswords,storedintheuser'slesystem.Discussion.ThevulnerabilityillustratesthreepropertiesofChromium'ssecurityarchitecture:1.Byparsingwebcontentinthesandboxedrenderingen-gine,Chromium'ssecurityarchitecturemitigatedanunknownvulnerability.Thesandboxhelpedprevent7 theJavaScriptinterpretor,thenetworkstack,andthecookiestoreinseparatemodules.IntheOParchitecture,thebrowserkernelismoreakintoamicro-kernel:chie yresponsibleformessagepass-ing.Thisdesignmitigatesunpatchedvulnerabilitiesbutdoesnotsupportanumberofwidelyusedbrowserfeatures,suchasinter-framescripting,downloads,anduploads.Forexample,theOPbrowserwouldnotbecompatiblewithGmail,whichusesofallofthesefea-tures.TheOPbrowser'ssandboxingofplug-insisalsomorerestrictivethanChromium's--safe-pluginsop-tion,imposingahighercompatibilitycost.Forexam-ple,OP'sarchitecturedoesnotsupportFlashPlayer'scross-domaincommunicationmechanisms(LocalCon-nectionandURLRequest).UnlikeChromium,theOPwebbrowser'srenderingen-gineusesXWindowstodrawtotheuser'sscreen.Un-fortunately,theXWindowsAPIisnotdesignedforsecurity.Acompromisedrenderingenginecansnoopontheuser'skeystrokesordisrupttheintegrityoftheuser'swindowenvironmentbydrawingtoarbitraryre-gionsofthescreen.Forexample,theattackercouldoverwritethebrowser'saddressbar.AlthoughtheOPbrowserseekstoprotectwebsitesfromeachother,anattackercanstillexploitrenderingenginevulnerabilitiestocompromiseothersites.Forexample,supposetheattackerknowsanarbitrarycodeexecutionvulnerabilityinthebrowser'simageparser.Ifanhonestsiteincludesanimagefromtheattacker,e.g.&#ximg-;剐src="http://attacker.com/img.gif",theOPbrowserdecodesthisimageinthehonestsite'sse-curitycontext.Bymaliciouslycraftingtheimage,theattackercanexploitthisvulnerabilityandcompromisethehonestsite'ssecuritycontext,violatingthesecu-ritypropertycheckedbytheirmodel.InternetExplorer8.InternetExplorer8runstabsinseparateprocesses,eachofwhichrunsinprotectedmode.Thisarchitectureisdesignedtoimproverelia-bility,performance,andscalability[28].BecauseIn-ternetExplorer8'sprotectedmodeisthesameasIn-ternetExplorer7'sprotectedmode,itdoesnotprovideanyadditionalsecurity.UnlikeChromium,protectedmodedoesnotseektoprotectthecondentialityoftheuser'slesystem[23].8.CONCLUSIONSChromium'ssecurityarchitecturedividesthebrowserintotwoprotectiondomains,thebrowserkernelandtherender-ingengine.Thesandboxedrenderingengineisresponsibleforperformingmanycomplex,error-pronetasks,suchasparsingHTMLandexecutingJavaScript.Asaresult,thearchitecturehelpsprotectthecondentialityandintegrityoftheuser'slesystemevenifanattackerexploitsanun-patchedvulnerabilityintherenderingengine.Ourdesigndecisionsdierfromthoseofotherproposalsforamodularbrowserarchitecture.Beingcompatiblewithexistingsitesrequiresthatthearchitecturesupportsallthefeaturesofthewebplatform.Treatingtherenderingengineasablackboxreducesthecomplexityofthebrowserkernel'ssecuritymonitor.Minimizesusersecuritydecisionsavoidsconstantsecurityprompts.OnedicultyinevaluatingthesecurityofChromium'sarchitectureisthatitaimstoprovidesecurityeveniftheimplementationhasbugs.Wecannotsimplyassumethatallvulnerabilitieswillariseintherenderingenginebecausethebrowserkernelisalsoofsignicantcomplexity.Toestimatewherefuturevulnerabilitiesmightoccur,wesurveyrecentbrowservulnerabilitiesandndthat67:4%(87of129)wouldhaveoccurredintherenderingenginehadtheybeenpresentinChromium.Wealsondthatthearchitecturewouldhavemitigated70:4%(38of54)ofthemostseverevulnerabilities.Ofthearbitrarycodeexecutionvulnerabilitiesthatwouldhaveoccurredinthebrowserkernel,8of11arearesultofin-sucientvalidationofparameterstooperatingsystemcalls.Thesevulnerabilitiesarediculttomitigatewithsandbox-ingbecausethebrowsermusteventuallyissuethosesys-temcallstorenderwebsites.TheseobservationssuggestthatChromium'sarchitecturedivisionoftasksbetweenthebrowserkernelandtherenderingengineusesthesandboxeectively.Todownloadanimplementationofthearchitecture,visithttp://www.google.com/chrome/.Thesourcecodeofourimplementationisavailableathttp://dev.chromium.org/.9.REFERENCES[1]AdamBarth,CollinJackson,andJohnC.Mitchell.Robustdefensesforcross-siterequestforgery.In15thACMConferenceonComputerandCommunicationsSecurity(CCS),October2008.[2]RuneBraathen.CrashcourseinXWindowssecurity,November1994.http://www.ussg.iu.edu/usail/external/recommended/Xsecure.html.[3]TimBray,JeanPaoli,C.M.Sperberg-McQueen,EveMaler,andFrancoisYergeau.ExtensibleMarkupLanguage(XML)1.0(FourthEdition),section4.2.2.http://www.w3.org/TR/REC-xml/#sec-external-ent.[4]TheChromiumAuthors.Sandbox,2008.http://dev.chromium.org/developers/design-documents/sandbox.[5]RichardS.Cox,JacobGormHansen,StevenD.Gribble,andHenryM.Levy.Asafety-orientedplatformforwebapplications.InIEEESymposiumonSecurityandPrivacy,2006.[6]NeilDaswani,MichaelStoppelman,andtheGoogleClickQualityandSecurityTeams.TheanatomyofClickbot.A.InProceedingsofHotBots2007,2007.[7]ChrisGrier,ShuoTang,andSamuelT.King.Securewebbrowsingwiththeopwebbrowser.InIEEESymposiumonSecurityandPrivacy,2008.[8]SotirisIoannidisandStevenM.Bellovin.Buildingasecurewebbrowser.InProceedingsoftheUSENIXAnnualTechnicalConference,FreenixTrack,June2001.[9]CollinJackson,AdamBarth,AndrewBortz,WeidongShao,andDanBoneh.ProtectingbrowsersfromDNSrebindingattacks.InProceedingsofthe14thACMConferenceonComputerandCommunicationsSecurity(CCS2007),November2007.[10]DavidLeBlanc.PracticalWindowssandboxing,July2007.http://blogs.msdn.com/david_leblanc/archive/2007/07.aspx.[11]Microsoft.Dynamic-linklibraryredirection.http://9