[owasp-intrinsic-security] The Multi-Principal OS Constructionofthe Gazelle Web Browser

Arshan Dabirsiaghi arshan.dabirsiaghi at aspectsecurity.com
Tue Feb 24 08:59:52 EST 2009


Definitely worth a read.

This research shows it is possible to alter a browser to use a  
different architecture that more securely implements the same origin  
policy using principals and an abstracted API.

It does not propose to allow sites to customize their SOP but it does  
give you more (not 100%) confidence that the one-off SOP bypass and  
corner cases can't be exploited.

Arshan



On Feb 22, 2009, at 5:43 PM, "Arshan Dabirsiaghi" <arshan.dabirsiaghi at aspectsecurity.com 
 > wrote:

> I've been advocating multiple per-page principals for a while  
> because Caja, FBML, etc., don't really address "horizontal" or "data  
> layer" access control issues in sandbox security. Those projects are  
> all about limiting what system functions or global objects you can  
> access, but I think we need to have a system that makes sure you can  
> only operate on DOM elements that belong to you, or make sure code  
> you execute doesn't allow you to get outside of your visual jail-box.
>
> I have to study this paper to see if it's close - it sounds very  
> ambitious.
>
> Arshan
>
> From: owasp-intrinsic-security-bounces at lists.owasp.org on behalf of  
> Marcin Wielgoszewski
> Sent: Sun 2/22/2009 3:23 PM
> To: owasp-intrinsic-security at lists.owasp.org
> Subject: [owasp-intrinsic-security] The Multi-Principal OS  
> Construction ofthe Gazelle Web Browser
>
> A paper published by Microsoft:
> http://research.microsoft.com/apps/pubs/default.aspx?id=79655
>
> Haven't had the time to go through it, but from the abstract, it talks
> about the browser being its own kernel.
>
> --
> Marcin Wielgoszewski
> tssci-security.com
>
> _______________________________________________
> owasp-intrinsic-security mailing list
> owasp-intrinsic-security at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-intrinsic-security
>
> _______________________________________________
> owasp-intrinsic-security mailing list
> owasp-intrinsic-security at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-intrinsic-security
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-intrinsic-security/attachments/20090224/02d5dbc2/attachment.html 


More information about the owasp-intrinsic-security mailing list