browsers, Java, Silverlight, and Flash
will certainly have new competition.”
As Web sites take advantage of improved client-side technologies,
browsers will need to start coping with
a growing range of performance, reliability, and security concerns. “As we
make Web browsers more powerful,
we need to keep in mind how malicious Web sites might abuse that additional power,” says Barth. For example,
a truly secure browser should let users
visit sites that contain buggy or malicious code without fearing about the
integrity of their OS, applications, or
To address these concerns, researchers are reconsidering the underlying architecture of the Web
browser. New multiprocess browsers,
such as Tahoma, Google Chrome, Internet Explorer 8, and the OP browser,
place separate Web applications in
their own operating system processes
or virtual machines, allowing the underlying host operating system or virtual machine monitor to ensure that
crashes and slowdowns in one Web
application do not affect the performance or robustness of other applications. “By decomposing the browser,
you can separate out the security logic
from the implementation,” says King.
To improve security, browsers such
as Chrome and Internet Explorer 8
have been refactored to run untrusted
components and Web code in a low-privilege sandbox, limiting the exposure of browser vulnerabilities and
the damage that can be inflicted by a
malicious Web application. Mozilla is
exploring a similar protection mechanism in its Electrosis project that will
strengthen security features in a future version of Firefox. Meanwhile,
Microsoft Research developers have
taken this approach a step further with
the prototype Gazelle browser, which
separates different Web sites into discrete protection domains. With the OP
browser, researchers at the University
of Illinois at Urbana-Champaign explored applying OS principles to Web
browser design by breaking the browser program into smaller subsystems.
By isolating processes within a
browser, browsers can mediate interactions between Web programs, such
As Web sites take
cope with a
as mashups and embedded widgets,
to prevent one program from stealing
information from or causing damaging side effects to other programs.
However, the techniques that accomplish this often come at the expense
of backward compatibility, making
them more difficult to deploy.
Looking further ahead, questions
of compatibility will continue to arise
as browsers must negotiate a growing
tangle of local computing resources
such as offline storage, cameras, microphones, geolocation, and graphics
acceleration hardware—all of which
have their own security and performance issues.
Geolocation provides an instructive example of the types of challenges
that browser developers will likely face
in the near future. “Geolocation is an
interesting case from a security point
of view because we’re resorting to asking users to grant Web sites additional privileges to read location data,”
says King. Developers must negotiate
delicate trade-offs in giving users an
appropriate level of control without
letting them also damage their systems. “Developing a security policy
for accessing local data and hardware
is still an open, difficult, and important research problem,” he says.
The continued proliferation of
devices—each with its own OS and interface—may provide further impetus
toward a consistent, predictable Web
OS. With new devices like the Palm
Pre smartphone, the CrunchPad Web
tablet, and various netbooks running
Google’s forthcoming Chrome OS,
all user interaction will take place
through a browser or Web-based applications. While each of these devices may still have a different OS providing a scaffolding of background
processes, users will increasingly
experience these devices through the
filter of a Web interface.
As developers take advantage of
these emerging technologies to craft
Web-based experiences across a growing range of devices, the OS will likely
continue to recede from users’ awareness—and perhaps eventually disappear altogether. But even if the traditional OS sticks around in some form
for years to come, it may not matter
much to anyone except developers.
“I’m not sure users care that much
about the computing platform,” says
Barth. “Users seem to care much more
about what they can do with technology than how it gets done.”
Barth, A., Jackson, C., Reis, C., and the Google
The Security Architecture of the Chromium
Cox, R. S., Hansen, J. G., Gribble, S. D.,
and Levy, H. M.
A safety-oriented platform for web
applications, Proceedings of the 2006
IEEE Symposium on Security and Privacy,
Oakland, CA, May 2006.
Grier, C., Tang, S., and King, S. T.
Secure web browsing with the OP web
browser, Proceedings of the 2008 IEEE
Symposium on Security and Privacy,
Oakland, CA, May 2008.
Reis, C. and Gribble, S. D.
Isolating web programs in modern
browser architectures, Proceedings of
the 4th ACM European Conference on
Computer Systems (EuroSys 2009),
Nuremberg, Germany, March 2009.
Wang, H. J., Grier, C., Moshchuk, A., King, S. T.,
Choudhury, P., and Vente, H.
The multi-principal OS construction of
the Gazelle web browser, Proceedings of
the 18th USENIX Security Symposium,
Montreal, Canada, August 2009.
Alex Wright is a Brooklyn-based writer and information
architect. Charles Reis (Google), Steve Gribble
(University of Washington), and Hank Levy (University
of Washington) contributed to the development of
© 2009 ACM 0001-0782/09/1200 $10.00
DECEMBER 2009 | VOL. 52 | NO. 12 | COMMUNICATIONS OF THE ACM