Most internet users do not expect the performance of browser-based applications to be the same as desktop applications, which are driven by code created from high-quality compilers and designed to run natively at the operating system (OS) level. However, several ongoing projects at Google, Microsoft, and other companies aim not only to close that performance gap, but also to eliminate some of the security weaknesses that have plagued Web browsers since the early days of the Internet.
For years, the Netscape plug-in API and Microsoft's ActiveX have provided a way to use native code modules as part of a Web application. Along with enhanced browser functionality, these extension technologies provide full access to the OS's file and networking interfaces. But by relying on trust rather than strong technical measures for safety, these extension technologies are vulnerable to social-engineering attacks in which users are tricked into permitting malicious operations.
One software project that challenges this trust model yet still offers native performance is Xax, developed at Microsoft Research. Xax separates native instruction execution from native OS access, leveraging legacy code to deliver desktop applications on the Web. The project's goal is to incorporate legacy code into browser-based applications, which then run at native performance levels and rely on a security mechanism that is more flexible than language isolation.
"Rather than use a language-based isolation mechanism, why not instead use the well-evolved and ubiquitous memory management unit?" asks researcher Jon Howell, who developed Xax at Microsoft Research.
Howell and his colleagues at Microsoft Research are currently exploring how a Xax interface can be used to deliver not just Web extensions, but all of a Web application's content, including the rendering functions normally provided by a browser. Realigning the client's role in this way, according to Howell, will help make browsers more secure and lead to more flexible applications that can use new rendering frameworks without forcing developers to wait for widespread client adoption.
In contrast to Xax, which relies on the memory management unit for memory isolation and a kernel system-call patch to prevent OS access, Google's Native Client takes a different approach. Using an OS-portable sandbox, Native Client relies on x86 segmentation hardware to enforce memory isolation and on a binary validator to isolate the OS interface, preventing direct access to the OS and resources such as the file system and the network.
Despite the different implementation techniques, the idea behind Xax and Native Client is similar, according to Howell. "Let the software use the processor however it likes," he says, "and rely for isolation on a simple bit of hardware designed to do just that."
Xax and Native Client are but two of the software technologies designed to close the performance gap and strengthen the security of Web browsers. Sun's Java, Microsoft's Silverlight, and Adobe's AIR represent another approach to isolating untrusted modules from OS interfaces while narrowing the performance gap with native execution. Of course, unlike Xax and Native Client, these application frameworks tend to be used mainly as replacements for the browser-based application environment.
"The desire is to have some kind of strong isolation barrier that an attack will not be able to penetrate," says Mendel Rosenblum, cofounder of VMware and a computer science professor at Stanford University. "Hardware-level virtual machines provide precisely that high-assurance barrier yet can run existing browsers at near-native speeds."
Rosenblum says the computer industry's focus on low-level isolation mechanisms is missing the larger point about what virtualization layers can do for performance and security, especially as the Web evolves from a document-delivery mechanism into an ecosystem of interactive applications. "The ability to run sophisticated code safely, and with high performance on the clients, will allow the new applications running in the cloud to support the richer, highly interactive interfaces users are accustomed to," he says.
Full virtualization is an alternative approach that is gaining popularity.
Posva says the performance of V8 will improve regardless of whether it is embedded in a sandboxed environment. "We had to make some design decisions in V8 to allow it being embedded in the sandboxed renderer process within Google Chrome," he says. "But none of these decisions prevent a nonsandboxed use of V8, and none of these decisions had an impact on the real-world performance of V8."
That performance versatility might become increasingly important as browsers evolve, perhaps even to the point where they are no longer distinguishable from the applications they run. "In a few years," says Microsoft's Howell, "I don't think we'll mean the same thing by 'browser' that we mean today; we'll mean much less." Howell predicts that most of the functions of the traditional browser will be rendered moot, replaced by flexible code linked directly into the Web sites users visit.
Howell's prediction amounts to saying that the browser itself will become the sandbox, more or less a simple isolation framework. "Because Xax has such a narrow interface, and because we can compile the browser itself for the Xax container, you can think of Xax as a way to virtualize the browser," says Howell, who maintains that treating the host OS as something special is a short-lived phenomenon.
"As Web applications get richer, they're just as important to protect as the host OS," he says. "If Web applications are sandboxed, users can try one with no risk of exposing everything on their computer."
©2009 ACM 0001-0782/09/0700 $10.00
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.
The Digital Library is published by the Association for Computing Machinery. Copyright © 2009 ACM, Inc.