Abstract
Privilege separation is a fundamental security concept that has been used in designing many secure systems. A number of recent works propose re-designing web browsers with greater privilege separation for better security. In practice, however, privilege-separated designs require a fine balance between security benefits and competing concerns such as performance. In fact, performance overhead has been a main reason that many privilege separation proposals have not been adopted in real systems. In this paper, we develop a new measurement-driven methodology that quantifies the security benefits and performance costs of a given privilege-separated browser design. Our measurements on a large corpus of web sites provide key insights into the security and performance implications of the partitioning dimensions proposed in 9 recent browser designs. Our results also provide empirical guidelines for resolving several design decisions being debated in recent browser re-design efforts.
© 2013 Springer-Verlag Berlin Heidelberg
Dong, X., Hu, H., Saxena, P., Liang, Z. (2013). A Quantitative Evaluation of Privilege Separation in Web Browser Designs. In: Crampton, J., Jajodia, S., Mayes, K. (eds) Computer Security – ESORICS 2013. ESORICS 2013. Lecture Notes in Computer Science, vol 8134. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-40203-6_5
DOI: https://doi.org/10.1007/978-3-642-40203-6_5
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-40202-9
Online ISBN: 978-3-642-40203-6
eBook Packages: Computer Science (R0)