Microsoft working on secure web browser

The most interesting aspect of the Gazelle web browser is that it devolves many of the security feature of the operating system into the browser code, which effectively takes a kernel programming approach to the browser client, Infosecurity notes.

The paper - The Multi-Principal OS Construction of the Gazelle Web Browser - describes a browser client acting as a "multi-principal" operating system, with a "principle" defined as a single, unique connection to a web site.

This appears to be a new approach to web site interactions, Infosecurity notes, as conventional web browser clients are really designed for sequential browsing of static pages, even if those sites are then `tabbed' into a series of page views, as seen on Internet Explorer 8 and Mozilla Firefox 3.

According to Microsoft, by defining each web site interaction as a principal, each 'page view' can be discreetly handled within the memory of the computer.

This appears to take a 'memory sandbox' approach to web browsing, similar to that seen in Google's Chrome but taking security to new levels.

"Gazelle's Browser Kernel is an operating system that exclusively manages resource protection and sharing across web site principals," says the paper.

"This construction exposes intricate design issues that no previous work has identified, such as legacy protection of cross-origin script source, and cross-principal, cross-process display and events protection," it adds.

It comes as no surprise that the paper's authors say they have developed a prototype Gazelle web browser based on Internet Explorer, with each principal placed into a separate protection domains so they are protected from each other.

"Just as in desktop applications where instances of an application are run in separate processes for failure containment, we run instances of principals in separate protection domains for the same purpose," says
the paper.

"For example, when the user browses the same URL from different tabs, it corresponds to two instances of the same principal; when embeds two iframes, the iframes correspond to two instances of; however, multiple same-origin frames in a page are in the same principal instance as the page," it adds.

Gazelle's developers also claim their browser can beat the current competition in its handling of other common security flaws.

There is no indication when - and if - Gazelle will be released, but the technology could eventually find its way into the real world via Windows 7, which current borrows most of its TCP/IP interaction features from the Vista operating system.

What’s Hot on Infosecurity Magazine?