Building a Secure Web Browser

Sotiris Ioannidis                     Steven M. Bellovin
sotiris@dsl.cis.upenn.edu             smb@research.att.com
University of Pennsylvania            AT&T Labs Research
Abstract

Over the last several years, popular applications such as Microsoft Internet Explorer and Netscape Navigator have become prime targets of attacks. These applications are targeted because their function is to process unauthenticated network data that often carry active content. The processing is done either by helper applications or by the web browser itself. In both cases the software is often too complex to be bug free. To make matters worse, the underlying operating system can do very little to protect the users against such attacks, since the software is running with the user's privileges.

We present the architecture of a secure browser, designed to handle attacks by incoming malicious objects. Our design is based on an operating system that offers process-specific protection mechanisms.

Keywords: Secure systems, web browser, process-specific protection.

1 Introduction

In the current highly interconnected computing environments, Web browsers are probably the most popular tool for receiving data over the Internet. More often than not, the data come from unauthenticated sources that can potentially be malicious. Since the incoming data often carry active content that will be interpreted on the client machine, in many cases without the user's knowledge, a number of attacks become possible.

To interpret active content, web browsers often rely on helper applications, which become security critical since they operate on untrusted data. These applications, which are often buggy [11], execute with the user's privileges and can therefore compromise the security of the system. Furthermore, the browsers also interpret code like JavaScript and VBScript [6], making the browser itself vulnerable.^1

In this paper we present the architecture of a secure web browser. Our system is designed to address the problems that plague the popular Web browsers by using support offered by the operating system. We built our prototype on SubOS [12]. SubOS is an operating system that offers process-specific protection mechanisms, which we will explain in Section 3.

The paper is organized as follows. In Section 2 we discuss the motivation behind this work. In Section 3 we give a brief background description of a SubOS-capable operating system. In Section 4 we present the architecture of our system. In Section 5 we discuss related work, and finally we conclude in Section 6.

* This work was supported by DARPA under Contract F39502-99-1-0512-MOD P0001.
^1 There are a number of hostile JavaScript and VBScript sites on the Web, easily found using search engines.

2 Motivation

With the growth of the Internet, exchange of information over wide-area networks has become essential for users. Web browsers like Netscape Navigator and Microsoft Internet Explorer often automatically invoke helper applications to handle the downloaded object. In some cases, like Perl scripts, they will query the user about executing it. In others, like Postscript files or Java applets [10, 15, 9], they will execute the content, possibly compromising the security of the system. The former approach puts a lot of burden on the user, who more often than not is not particularly security conscious. In
the latter case the user is bypassed altogether and system security becomes dependent on the correctness of the Postscript or applet viewer.

It is also the case that seemingly inactive objects like Web pages are very much active and potentially dangerous. One example is JavaScript [6] programs, which are executed within the security context of the page with which they were down-loaded, and have restricted access to other resources within the browser. Security flaws exist in certain Web browsers that permit JavaScript programs to monitor a user's browser activities beyond the security context of the page with which the program was down-loaded (CERT Advisory CA:97.20). It is obvious that such behavior automatically compromises the user's privacy and security.

The lack of flexibility in modern operating systems is one of the main reasons security is compromised. The UNIX operating system, in particular, violates the principle of least privilege. The principle of least privilege states that a process should have access to the smallest number of objects necessary to accomplish a given task. UNIX only supports two privilege levels: "root" and "any user".

To overcome this shortcoming, UNIX can grant temporary privileges, namely setuid(2) (set user id) and setgid(2) (set group id). These primitives allow a program's user to gain the access rights of the program's owner. However, special care must be taken any time these primitives are used, and as experience has shown, a lack of sufficient caution is often exploited [13].

Another technique used by UNIX is to change the apparent root of the file system using chroot(2). This causes the root of the file system hierarchy visible to a process to be replaced by a subdirectory. One such application is the ftpd(8) daemon; it has full rights in a safe subdirectory, but it cannot access anything beyond that. This approach, however, is very limiting, and in this particular example commands such as ls(1) become unreachable and have to be replicated.

These mechanisms are inadequate to handle the complex security needs of today's applications. This forces a lot of access control and validity decisions into user-level software that runs with the full privileges of the invoking user. To overcome these shortcomings, applications such as Web browsers become responsible for accepting requests, granting permissions and managing resources. All this is what is traditionally done by operating systems. Web browsers consequently, because of their complexity as well as the lack of flexibility in the underlying security mechanisms, possess a number of security holes. Examples of such problems are numerous, e.g. JavaScript, malicious Postscript documents, etc.

We wish to demonstrate how to build a secure browser, designed to handle attacks by incoming malicious objects, on top of an operating system that offers process-specific protection mechanisms.

3 SubOS-enabled Operating Systems

SubOS is a process-specific protection mechanism; a more extensive discussion of SubOS can be found in [12]. Under SubOS any application (e.g. ghostscript, perl, etc.) that might operate on possibly malicious objects (e.g. postscript files, perl scripts, etc.) behaves like an operating system, restricting their accesses to system resources. We are going to call these applications SubOS processes, or sub-processes, in the rest of this paper. Figures 1 and 2 demonstrate the difference between a regular and a SubOS-enabled operating system. The access rights for an object are determined by a sub-user id that is assigned to it when it is first accepted by the system. The sub-user id is a notion similar to the regular UNIX user id. In UNIX the user id determines what resources the user is allowed to access; in SubOS the sub-user id determines what resources the object is allowed to access. The advantage of using sub-user ids is that we can identify individual objects with an immutable tag, which allows us to bind a set of access rights to them. This allows for finer-grain per-object access control, as opposed to per-user access control.

[Figure 1 (diagram): Applications (Word processor, Command shell, Browser, ...; running an applet, executing a game, viewing a file) in Unprotected Space, above the Operating System and its Resources (CPU, Memory, Disk, Network, etc.) in Protected Space.]
Figure 1: User applications executing on an operating system maintain the user privileges, allowing them almost full access to the underlying operating system.

[Figure 2 (diagram): the same applications in Unprotected Space, each running on top of its own SubOS layer above the Operating System and its Resources (CPU, Memory, Disk, Network, etc.) in Protected Space.]
Figure 2: Under SubOS-enabled operating systems, user applications that "touch" possibly malicious objects no longer maintain the user access rights, and only get restricted access to the underlying system.

The idea becomes clear if we look at the example shown in Figure 3. Let us assume that our untrusted object is a postscript file foo.ps. To that object we have associated a sub-user id, as we will discuss in Section 3.1. foo.ps initially is an inactive object in the file system. While it remains inactive it poses no threat to the security of the system. However, the moment gs(1) opens it and starts executing its code, foo.ps becomes active, and automatically a possible danger to the system. To contain this threat, the applications that open untrusted objects inherit the sub-user id of those objects, and are hereafter bound to the permissions and privileges dictated by that sub-user id.

[Figure 3 (diagram): left, File foo.ps with its sub-user id; right, Process "gs foo.ps" carrying the same sub-user id after opening the file.]
Figure 3: In the left part of the figure we see an object, in this case a postscript file foo.ps, with its associated sub-user id. The moment the ghostscript application opens file foo.ps, it turns into a SubOS process and inherits the sub-user id that was associated with the untrusted object. From now on, this process has the permissions and privileges associated with this sub-user id.

There is a strong analogy here to the standard UNIX setuid mechanism. When a suitably-marked file is executed, the process acquires the access rights of the owner. With SubOS, suitably-marked processes acquire the access rights of the owner of the files that they open. In this case, of course, the new rights are never greater than those the process had before.

The advantages of our approach become apparent if we consider the alternative methods of ensuring that a malicious object does not harm the system. Again using our postscript example, we can execute foo.ps inside a safe interpreter that will limit its access to the underlying file system. There are, however, a number of examples of how relying on safe languages fails [11]. We could execute the postscript interpreter inside a sandbox using chroot(2), but this will prohibit it from accessing font files that it might need. Finally, we could read the postscript code and make sure that it does not include any malicious commands, but this is impractical.

Our method provides transparency to the user and increased security, since every data object has its access rights bound to its identity, preventing it from harming the system.

3.1 Security Mechanism Enforcement

As we mentioned earlier in Section 3, every time the system accepts an incoming object it associates a sub-user id with it, depending on the credentials the object carries. The sub-user id is permanently saved in the inode of the file that holds that object, which is now its immutable identity in the system and specifies what permissions it will have. It has essentially the same functionality as a UNIX user id. One can view this as the equivalent of a user logging in to the system.

Figure 4 shows the equivalence of the two mechanisms. In the top part of the figure we see the regular process of a user Bar logging in to a UNIX system Foo and getting a user id. In the same way, objects that enter the system through ftp, mail, etc., "log in" and are assigned sub-user ids based on their (often cryptographically-verified) source.
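The mechanism of Sections 3 and 3.1 in runnable form, as an added example that is not the paper's code and not SubOS itself: a constructed policy table binds rights to two sub-user ids, accept_object plays the role of the "log in" step, and a process that opens a tagged object inherits the object's sub-user id and keeps only the intersection of its previous rights and the object's, so its rights can only shrink, including for any child it forks. The sub-user id names, paths and resource limits are assumptions made for the example.

```python
"""Toy model of the SubOS sub-user id mechanism (added example, not the
paper's code). Policy values, paths and limits below are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rights:
    """What a process may touch. paths holds directory prefixes;
    frozenset({"/"}) stands for the whole file system."""
    paths: frozenset
    network: bool
    cpu_seconds: Optional[int]  # None means unlimited

    def allows_path(self, path: str) -> bool:
        return any(path == p or path.startswith(p.rstrip("/") + "/")
                   for p in self.paths)

    def restrict(self, other: "Rights") -> "Rights":
        """Intersection of two rights sets: the result is never greater than
        self, which is the rule for a process that opens a tagged object."""
        paths = frozenset(p for p in self.paths | other.paths
                          if self.allows_path(p) and other.allows_path(p))
        limits = [l for l in (self.cpu_seconds, other.cpu_seconds)
                  if l is not None]
        return Rights(paths, self.network and other.network,
                      min(limits) if limits else None)


# Constructed policy (assumed values): the rights bound to each sub-user id.
USER_RIGHTS = Rights(frozenset({"/"}), network=True, cpu_seconds=None)
POLICY = {
    "sub-authenticated": Rights(frozenset({"/home/foobar", "/tmp",
                                           "/usr/share/fonts"}), True, None),
    "sub-anonymous": Rights(frozenset({"/tmp"}), False, 5),
}


@dataclass(frozen=True)
class Inode:
    """A stored object. The sub-user id is written once, on acceptance, and
    never changes (the frozen dataclass models the immutable tag)."""
    path: str
    sub_uid: Optional[str] = None  # None: an ordinary, untagged local file


def accept_object(path: str, has_certificate: bool) -> Inode:
    """The 'log in' step of Section 3.1: credentials decide the sub-user id."""
    return Inode(path, "sub-authenticated" if has_certificate else "sub-anonymous")


class Process:
    def __init__(self, rights: Rights, sub_uid: Optional[str] = None):
        self.rights = rights
        self.sub_uid = sub_uid

    def open(self, inode: Inode) -> bool:
        """Opening a tagged object turns the caller into a SubOS process."""
        if not self.rights.allows_path(inode.path):
            return False
        if inode.sub_uid is not None:
            if self.sub_uid is None:      # assumption: the first tag sticks,
                self.sub_uid = inode.sub_uid  # later opens only narrow rights
            self.rights = self.rights.restrict(POLICY[inode.sub_uid])
        return True

    def fork(self) -> "Process":
        """Children (helper applications, interpreters) inherit the restriction."""
        return Process(self.rights, self.sub_uid)

    def can_read(self, path: str) -> bool:
        return self.rights.allows_path(path)

    def can_connect(self) -> bool:
        return self.rights.network


def demo() -> dict:
    """Walk through the foo.ps example of Figure 3 and report what happened."""
    foo_ps = accept_object("/tmp/foo.ps", has_certificate=False)
    gs = Process(USER_RIGHTS)  # ghostscript starts with the user's full rights
    out = {"home_before": gs.can_read("/home/foobar/private.txt")}
    out["opened"] = gs.open(foo_ps)  # foo.ps becomes active: gs is now a sub-process
    out["home_after"] = gs.can_read("/home/foobar/private.txt")
    out["tmp_after"] = gs.can_read("/tmp/scratch")
    out["network_after"] = gs.can_connect()
    out["cpu_after"] = gs.rights.cpu_seconds
    child = gs.fork()  # e.g. a helper spawned by gs
    out["child_sub_uid"] = child.sub_uid
    out["child_home"] = child.can_read("/home/foobar/private.txt")
    # Opening a better-credentialed object later must not widen the rights.
    gs.open(accept_object("/tmp/signed.ps", has_certificate=True))
    out["home_after_signed"] = gs.can_read("/home/foobar/private.txt")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point to check in demo() is the last step: once gs has been narrowed to the anonymous object's rights, opening an authenticated object afterwards leaves it just as restricted, which is the "never greater than before" property that distinguishes this from setuid.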
Figure 4: In the top part of the figure we see the regular process of a user Bar logging in to a UNIX system Foo with a UNIX password and getting a user id. In the same way, objects (Bar.{ps,html,...}) that enter the system through ftp, mail, the Web, etc., "log in" using a cryptographic token, and are assigned sub-user ids.

4 The Browser Architecture

4.1 The Threat

The use of Java, JavaScript and VBScript in HTML pages is becoming ever more popular; furthermore, HTML provides support for other scripting languages with the use of the <SCRIPT> tag [3]. Even though this functionality is primarily intended to enhance the capabilities of web pages and the "surfing experience" of the user, it is often used to attack unsuspecting hosts.

Even worse, the site or host is vulnerable even if the browser is behind the firewall and the document is a "secure" HTTPS-based document. JavaScript programs are executed within the security context of the page in which they were down-loaded, and have restricted access to other resources within the browser. Some browsers running JavaScript may, in turn, have security flaws that allow the JavaScript program to monitor a user's browser more than what is considered safe or secure. In addition, it may be difficult or impossible for the browser user to determine if the program is transmitting information back to the web server. For instance, among other functions, JavaScript is able to monitor a user's browser activity by:

- Observing the URLs of visited documents as well as bookmarks.
- Observing the data filled into HTML forms (including passwords).
- Observing the values of cookies (that might hold critical information).

In Java the user may or may not be informed that an applet is being down-loaded into their browser. The real shock comes when a user inadvertently downloads a hostile applet. There are many different things hostile applets can do to wreak havoc on your system. Among the most noteworthy are the following:

- Reveal information about your machine (e.g. details about passwords or the structure of your system).
- Allocate resources to the point your machine "locks up" (i.e. denial of service attacks).
- Delete or alter files.
- Be just plain annoying (e.g. popping up countless windows).

Hostile applets have also been known to have the capability to contact machines behind firewalls, send off a listing of a user's directories, track a user's actions through the web, generate machine code, make directories readable and writable, and send off email without intention.^2

^2 There are a number of web sites that list hostile applets, JavaScript and VBScript, readily available for anyone interested in launching an attack.

4.2 Modular Approach

In our architecture we address the two security problems of Web browsers:

1. Helper applications running with the user's privileges.
2. Web pages that carry active content that is interpreted by the browser.

To address these problems we will use the mechanisms provided by the SubOS-capable operating system, as well as a modular Web browser architecture. We divide the Web browser into three parts, according to its functionality. The first part is responsible for down-loading objects over the network, the second is responsible for displaying the content, and the last is a set of helper applications/interpreters used to process the content of the down-loaded objects. The design is presented in Figure 5.

[Figure 5 (diagram): Browser Log-in Daemon; Browser Display; Browser Interpreter ... Browser Interpreter.]
Figure 5: The Web browser is comprised of three parts. The first part is responsible for down-loading objects from the net and assigning sub-user ids to them. The second provides the user interface of the browser. Finally, the third is a set of processes that interpret the active code that is carried by the incoming objects.

We decided against using an existing Web browser since that would require significant modification to its architecture. Down-loading and authentication of objects could be easily achieved by using a proxy; however, execution of embedded code in HTML web pages would be a lot more challenging, since it would have to execute in a separate address space to maintain its security properties, as we discussed in Section 3.

4.2.1 Browser Log-in Daemon

Every object that is down-loaded by our browser log-in daemon is assigned a sub-user id, which is bound to some permissions, and is then stored in the
file system. Assignment of sub-user ids is similar to the login mechanism of UNIX. Objects that carry certificates are given more permissions than unauthenticated objects. For example, an authenticated object might get access to /home/user foobar, network access and unlimited resources, whereas an unauthenticated object might only get access to /tmp, with no access to the network and limited CPU time and memory allocation.

In the current implementation the URL address is used to select the sub-user id that will be assigned to the down-loaded object. This approach of course is not really secure; ideally we should use some sort of cryptographic token (e.g. a certificate) that is carried along with the down-loaded object.

4.2.2 Browser Display Daemon

The display daemon is responsible for providing the user interface of our Web browser. It can make requests to the log-in daemon to down-load files, it is responsible for spawning interpreters to handle the incoming objects, and it displays HTML.

4.2.3 Browser Interpreter Daemon

The final part of our web browser is the set of interpreter daemons. These processes have dual functionality: they interpret HTML along with any possible active content embedded in the web page, and they execute the helper applications that handle incoming objects such as Perl, Postscript, etc.

Objects that are normally handled by helper applications are also assigned sub-user ids by the log-in daemon, the same way as ordinary web pages. When they are interpreted they are bound to the permissions of that sub-user id. This way users don't need to be queried about every arbitrary object they down-load off the net, and also don't have to worry about executing possibly malicious code on their machine.

When the interpreter daemon encounters active code embedded in a web page (by encountering an <APPLET> or <SCRIPT> tag) it spawns a process to interpret the Java, JavaScript [1], or Perl code. The new process inherits the permissions of the parent process, so the active code can never escape its sandbox.

5 Related Work

Web browser security is a topic that has received a great deal of attention, since it is so crucial in today's highly interconnected computing. However, there have not been any satisfactory solutions so far. The primary proposed solution is secure interpreters for JavaScript, VBScript, Java, etc. [14, 15, 17, 10, 9]. Such solutions fail because of their complexity. The more complex the implementation, the more likely it is to have bugs. Furthermore, they don't address the issue of other helper applications like Perl or Tcl. When they are invoked, the user is queried, and this puts a lot of burden on the user.

Another language-related technique used for ensuring security is code verification. This approach uses proof-carrying code [16] to demonstrate the security properties of the object. This means that the object needs to carry with it a formal proof of its properties; this proof can be used by the system that accepts it to ensure that it is not malicious. Code verification is very limiting, since it is hard to create such proofs. Furthermore, it does not scale well; imagine creating a formal proof for every Web page.

A different approach relies on the notion of system call interception, as used by systems such as TRON [5], MAPbox [4], Software Wrappers [7] and Janus [8]. TRON and Software Wrappers enforce capabilities by using system call wrappers compiled into the operating system kernel. The syscall table is modified to route control to the appropriate TRON wrapper for each system call. The wrappers are responsible for ensuring that the process that invoked the system call has the necessary permissions. The Janus and MAPbox systems implement a user-level system call interception mechanism. It is aimed at confining helper applications (such as those launched by Web browsers) so that they are restricted in their use of system calls. To accomplish this they use ptrace(2) and the /proc file system, which allows their tracer to register a callback that is executed whenever the tracee issues a system call. These systems are the most related to our work; however, our system differs in a major point. We view every object as a separate user, each with its own sub-user id and access rights to the system resources. This sub-user id is attached to every incoming object when it is accepted by the system, and stays with it throughout its life, making it impossible for malicious objects to escape.
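Returning to the browser of Section 4.2 before the conclusions: the following added example (not the prototype's Perl code) models the log-in daemon of Section 4.2.1 and the interpreter daemon of Section 4.2.3 in Python. The log-in daemon chooses a sub-user id either from the URL, as the current implementation does, or from a certificate check, as the paper proposes; the interpreter daemon scans the stored page for <SCRIPT> and <APPLET> tags and records one interpreter spawn per piece of active content, each inheriting the object's sub-user id. The host table, the sample page, the sub-user id names and the interpreter names other than NJS [1] are constructed for the example.

```python
"""Model of the browser log-in and interpreter daemons of Section 4.2
(added example, not the paper's Perl prototype). Host table, sample page
and interpreter names other than NJS [1] are constructed."""
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import List, Optional
from urllib.parse import urlparse


@dataclass(frozen=True)
class StoredObject:
    """A downloaded object after the log-in daemon has tagged it."""
    path: str
    sub_uid: str


# Constructed table for the current, URL-based scheme of Section 4.2.1:
# which sub-user id a download from a given host receives. Unknown hosts
# get the most restricted id.
HOST_TABLE = {"intranet.example": "sub-trusted"}


def login_daemon(url: str, path: str,
                 certificate_ok: Optional[bool] = None) -> StoredObject:
    """Assign a sub-user id to a downloaded object ('log it in').

    certificate_ok=None models the prototype's URL-based selection, which
    the paper itself calls not really secure; a bool models the proposed
    scheme where a cryptographic token carried with the object decides."""
    if certificate_ok is not None:
        sub_uid = "sub-authenticated" if certificate_ok else "sub-anonymous"
    else:
        host = urlparse(url).hostname or ""
        sub_uid = HOST_TABLE.get(host, "sub-anonymous")
    return StoredObject(path, sub_uid)


# Interpreter per kind of embedded code. The NJS name comes from the paper's
# reference [1]; "perl" and "java" are assumed command names.
INTERPRETERS = {
    ("script", "javascript"): "njs",
    ("script", "perl"): "perl",
    ("applet", None): "java",
}


class ActiveContentScanner(HTMLParser):
    """Record a (tag, language) pair for every <SCRIPT> or <APPLET> tag."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            # The language attribute names the scripting language;
            # JavaScript is assumed when it is absent.
            lang = (dict(attrs).get("language") or "javascript").lower()
            self.found.append(("script", lang))
        elif tag == "applet":
            self.found.append(("applet", None))


@dataclass(frozen=True)
class Spawn:
    """One interpreter process the daemon would start, and the sub-user id
    it runs under (inherited, so the code stays inside the object's sandbox)."""
    interpreter: str
    sub_uid: str


def interpreter_daemon(obj: StoredObject, html: str) -> List[Spawn]:
    """Scan the page and decide which interpreters to spawn for its active
    content. Languages with no interpreter are simply not executed."""
    scanner = ActiveContentScanner()
    scanner.feed(html)
    scanner.close()
    return [Spawn(INTERPRETERS[key], obj.sub_uid)
            for key in scanner.found if key in INTERPRETERS]


# Constructed sample page with three pieces of active content.
SAMPLE_PAGE = """<html><body>
<p>Hello</p>
<script language="JavaScript">document.title = "hi";</script>
<applet code="Foo.class" width="10" height="10"></applet>
<script language="tcl">puts hi</script>
</body></html>"""


def demo() -> List[Spawn]:
    """Download an unauthenticated page, store it, then hand it to the
    interpreter daemon."""
    obj = login_daemon("http://www.example.org/index.html",
                       "/var/browser/obj1.html")
    return interpreter_daemon(obj, SAMPLE_PAGE)


if __name__ == "__main__":
    for spawn in demo():
        print(spawn)
```

Note that the user is never consulted anywhere in this flow: the decision of what the embedded code may touch was made once, when the object was tagged, and every spawn carries that tag forward. The Tcl block in the sample page shows the other side of that design: content for which no interpreter is configured is simply not executed.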
6 Conclusions

We have presented the architecture of a secure web browser that protects against malicious incoming objects. We have implemented a first version of our prototype on a SubOS-capable OpenBSD 2.8 [2] operating system using Perl.

There are several advantages of our modular architecture versus the monolithic architecture of popular Web browsers such as Netscape Navigator and Microsoft Internet Explorer. Our design adds a stage of authentication before any incoming object is processed. The burden of access control is moved from the browser and its helper applications to the operating system, allowing for a simpler and therefore more secure design. Finally, the user is not involved in the processing of incoming objects, and therefore cannot be tricked into executing hostile code. Presently, however, our architecture requires that the operating system provides a data-centric protection mechanism that associates permissions and privileges with data objects. This limits us to our experimental SubOS-enabled OpenBSD operating system.

There are still some things that remain to be added to our prototype in order to offer more complete functionality:

- We currently don't support frames. Frames require special handling since each frame consists of an HTML document with possibly individual security properties. In future versions of our browser we will add this functionality to the browser display daemon.
- Only a subset of HTML was implemented, so there are a number of tags that need to be added, along with their possible attributes.
- We want to expand the <SCRIPT> tag to deal with additional embedded scripting languages other than JavaScript and Perl.
- Finally, we need to have some kind of secure authentication mechanism for the browser log-in daemon. The possible solutions we are considering are either an additional tag that carries a certificate in the down-loaded web page, or a certificate attached to the HTTP request.

7 Acknowledgments

We would like to thank Jonathan M. Smith for his useful comments and guidance throughout the course of this work. We would also like to thank the FREENIX 2001 anonymous reviewers and our "shepherd" Ken Coar for their comments and suggestions on improving this paper.

References

[1] NJS JavaScript Interpreter. http://www.bbassett.net/njs/.
[2] The OpenBSD Operating System. http://www.openbsd.org/.
[3] World Wide Web Consortium. http://www.w3.org/.
[4] Anurag Acharya and Mandar Raje. MAPbox: Using parameterized behavior classes to confine applications. In Proceedings of the 2000 USENIX Security Symposium, pages 1-17, Denver, CO, August 2000.
[5] Andrew Berman, Virgil Bourassa, and Erik Selberg. TRON: Process-Specific File Protection for the UNIX Operating System. In USENIX 1995 Technical Conference, New Orleans, Louisiana, January 1995.
[6] David Flanagan. JavaScript: The Definitive Guide. O'Reilly, 1998.
[7] Tim Fraser, Lee Badger, and Mark Feldman. Hardening COTS Software with Generic Software Wrappers. In Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA, May 1999.
[8] Ian Goldberg, David Wagner, Randi Thomas, and Eric A. Brewer. A Secure Environment for Untrusted Helper Applications. In USENIX 1996 Technical Conference, 1996.
[9] Li Gong. Inside Java 2 Platform Security. Addison-Wesley, 1999.
[10] James Gosling, Bill Joy, and Guy Steele. The Java Language Specification. Addison Wesley, Reading, 1996.
[11] http://www.cert.org/advisories/.
[12] Sotiris Ioannidis and Steven M. Bellovin. Sub-Operating Systems: A New Approach to Application Security. Technical Report MS-CIS-01-06, University of Pennsylvania, February 2000.
[13] R. Kaplan. SUID and SGID Based Attacks on UNIX: a Look at One Form of the Use and Abuse of Privileges. Computer Security Journal, 9(1):73-7, 1993.
[14] Jacob Y. Levy, Laurent Demailly, John K. Ousterhout, and Brent B. Welch. The Safe-Tcl Security Model. In USENIX 1998 Annual Technical Conference, New Orleans, Louisiana, June 1998.
[15] Gary McGraw and Edward W. Felten. Java Security: Hostile Applets, Holes and Antidotes. Wiley, New York, NY, 1997.
[16] G. C. Necula and P. Lee. Safe, Untrusted Agents using Proof-Carrying Code. In Lecture Notes in Computer Science Special Issue on Mobile Agents, October 1997.
[17] Dan S. Wallach, Dirk Balfanz, Drew Dean, and Edward W. Felten. Extensible Security Architectures for Java. In Proceedings of the 16th ACM Symposium on Operating Systems Principles, October 1997.