Hi all,
At a security lecture, I got to thinking about how browsers are
becoming more like OSes in that they're running more and more of our
apps. Arguably the primary goal of an OS is to allow us to run
multiple programs without them messing each other up. An important
mechanism to enable this is separate address spaces for each process.
But our apps in different tabs all run in the same address space (as
far as I know) so if one app exploits a vulnerability or triggers a
bug in the JS interpreter or an image parser or something they may
have access to something important like our banking information which
is being displayed in another tab. So I was curious about how
difficult it would be to modify the browser so that there's a main
process which does network stuff and UI stuff and manages the cache
and most of the general web browser functionality, but it doesn't try
to understand anything sent down by a web server. Instead it passes
that data to a separate process which is responsible for actually
rendering the content of the page and passes the finished static
product back. So the understanding/rendering process would have the
isolation provided by the OS and any problems couldn't spill over to
other tabs. Additionally, the understanding and rendering process
could be highly sandboxed using SELinux or AppArmor or whatever other
security tools people like. Since its output would be through such a
restricted channel and in such a (hopefully) safe way, I'd think it
could be set up so that even if it's exploited to allow arbitrary code
execution, the attacker couldn't harm any local resources like the
filesystem.
If something like this is possible, I might try to do it as a research
project at school. Does anyone know if it is or how difficult it would
be?
Thanks a lot,
Dan
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
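As an added illustration of the broker/renderer split described in the post above (this is example code written for this page, not code from the poster or from any Mozilla project): the broker process never parses server-supplied bytes; it forks a child, the child confines itself, parses the content, and only plain text comes back over a pipe, which the broker reads with a size cap, a deadline and a strict UTF-8 check. Resource limits and PR_SET_NO_NEW_PRIVS stand in for the SELinux/AppArmor policy a real browser would apply, because they need no privileges to demonstrate; the HTML-to-text "renderer", the 1 MiB output cap and the sample page are constructed for the example.

```python
"""Broker/renderer split: the broker never parses page content; a forked,
locked-down child does, and only plain text comes back over a pipe."""
import ctypes
import errno
import html.parser
import os
import resource
import select
import signal
import socket
import time

MAX_OUTPUT = 1 << 20  # broker refuses more than 1 MiB of rendered output (assumed cap)


class _TextExtractor(html.parser.HTMLParser):
    """Toy 'renderer': keeps visible text, drops script/style bodies."""
    def __init__(self):
        super().__init__()
        self.parts, self._skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)


def render(untrusted: bytes) -> str:
    """The only code that 'understands' server-supplied bytes; runs in the child."""
    p = _TextExtractor()
    p.feed(untrusted.decode("utf-8", "replace"))
    p.close()
    return " ".join(" ".join(p.parts).split())


def _cap(res, value):
    """Lower soft and hard limit together so the child cannot raise them back."""
    _soft, hard = resource.getrlimit(res)
    if hard != resource.RLIM_INFINITY:
        value = min(value, hard)
    resource.setrlimit(res, (value, value))


def lockdown():
    """Confine the current (child) process before it touches untrusted data.
    rlimits stand in for SELinux/AppArmor/seccomp here; they need no privileges."""
    try:  # PR_SET_NO_NEW_PRIVS (38): an exec() can never regain privilege
        ctypes.CDLL(None, use_errno=True).prctl(38, 1, 0, 0, 0)
    except (OSError, AttributeError):
        pass  # not Linux; the rlimits below still apply
    _cap(resource.RLIMIT_NOFILE, 0)  # no new fds: open/socket/pipe fail with EMFILE
    _cap(resource.RLIMIT_FSIZE, 0)   # nothing can be appended to a regular file
    _cap(resource.RLIMIT_CPU, 2)     # a runaway page kills the renderer (SIGXCPU)


def _write_all(fd, data):
    view = memoryview(data)
    while view:
        view = view[os.write(fd, view):]


def _read_all(fd, pid, timeout):
    """Broker side: read until EOF, enforcing a size cap and a deadline on the child."""
    deadline, chunks, total = time.monotonic() + timeout, [], 0
    while True:
        remaining = deadline - time.monotonic()
        if remaining <= 0 or not select.select([fd], [], [], remaining)[0]:
            os.kill(pid, signal.SIGKILL)
            raise TimeoutError("renderer exceeded deadline")
        b = os.read(fd, 65536)
        if not b:
            return b"".join(chunks)
        total += len(b)
        if total > MAX_OUTPUT:
            os.kill(pid, signal.SIGKILL)
            raise ValueError("renderer output exceeds cap")
        chunks.append(b)


def render_in_sandbox(untrusted: bytes, timeout=5.0) -> str:
    """Hand bytes to an isolated renderer process and accept only text back."""
    in_r, in_w = os.pipe()
    out_r, out_w = os.pipe()
    pid = os.fork()
    if pid == 0:  # renderer process: its only channels are the two pipe ends
        os.close(in_w); os.close(out_r)
        try:
            lockdown()
            chunks = []
            while True:
                b = os.read(in_r, 65536)
                if not b:
                    break
                chunks.append(b)
            _write_all(out_w, render(b"".join(chunks)).encode("utf-8"))
            os._exit(0)
        except BaseException:
            os._exit(1)
    os.close(in_r); os.close(out_w)  # broker keeps only its own ends
    _write_all(in_w, untrusted); os.close(in_w)
    try:
        raw = _read_all(out_r, pid, timeout)
    finally:
        os.close(out_r)
        _, status = os.waitpid(pid, 0)
    if not (os.WIFEXITED(status) and os.WEXITSTATUS(status) == 0):
        raise RuntimeError(f"renderer did not exit cleanly: status {status}")
    return raw.decode("utf-8")  # strict: anything but valid text is rejected


def sandbox_probe() -> dict:
    """Fork a locked-down child and report which resources the OS denied it."""
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:
        os.close(r)
        lockdown()
        report = []
        for name, attempt in (("open", lambda: os.open(os.devnull, os.O_RDONLY)),
                              ("socket", lambda: socket.socket())):
            try:
                attempt()
                report.append(f"{name}=allowed")
            except OSError as e:
                report.append(f"{name}={'denied' if e.errno == errno.EMFILE else 'error'}")
        _write_all(w, ",".join(report).encode())
        os._exit(0)
    os.close(w)
    raw = _read_all(r, pid, 5.0)
    os.close(r); os.waitpid(pid, 0)
    return dict(item.split("=") for item in raw.decode().split(","))


if __name__ == "__main__":
    sample = b"<h1>Balance</h1><script>steal()</script><p>USD 1,234</p>"  # constructed page
    print(render_in_sandbox(sample))
    print(sandbox_probe())
```

The design point is the channel, not the parser: the broker treats the child's output as an opaque byte string that must decode as UTF-8 and fit under the cap, and it kills the child on a deadline, so a renderer that has been taken over can still only hand back text. `sandbox_probe()` runs the same `lockdown()` and shows the child can no longer open files or sockets (both fail with EMFILE); a real deployment would replace the rlimits with a seccomp filter or an SELinux/AppArmor profile, as the post suggests, and would run the renderer as a different user so it cannot lift the hard limits.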