Chrompartments: Hybrid Compartmentalisation for Web Browsers

Chrompartments：Web 浏览器的混合分区

• 批准号: EP/X015963/1
• 负责人: Laurence Tratt
• 金额: $ 137.27万
• 依托单位: King's College London
• 依托单位国家: 英国
• 项目类别: Research Grant
• 财政年份: 2022
• 资助国家: 英国
• 起止时间: 2022 至 无数据
• 项目状态: 未结题
• 来源: https://gtr.ukri.org/projects?ref=EP%2FX015963%2F1
• 关键词: Chrompartments; Hybrid; Compartmentalisation; Web; Browsers

The Chrompartments project will explore hybrid compartmentalisation for webbrowsers using Chrome as a concrete example. Browsers are systemically importantbut present a large attack surface due to their scale and complexity: they are amagnet for attackers with frequent published attacks.Chrompartments will use CHERI to split browsers into mutually distrustingcompartments, making them more resilient and performant. We will use Chrome (inthe form of its open-source variant Chromium) as the vehicle for ourexperimentation because it is the most widely used browser and it is alreadypartially compartmentalised in a way that we can build upon. Chrome tries whenpossible to split itself into process-based compartments (roughly speaking: 1process per tab; and some core components such as graphics are split intoseparate processes). However, this model is heavyweight: OS processes consumeconsiderable resources and many devices (particularly phones) quickly hit theirprocess limits, forcing the browser to merge multiple tabs in a single process;and communication between processes is painfully slow. Some security-criticalcomponents (e.g. V8, Chrome's JavaScript engine) would ideally be split out too,but resource and performance constraints make this impractical.We will use CHERI's "hybrid mode" (i.e. where both traditional width pointerscan be used alongside capabilities) to split Chrome into process-likecompartments. Most code will use traditional width pointers and will be boxedinto compartments; pure capabilities will allow us to emulate various forms ofinter-compartment communication. We hypothesise that this will lead to greaterpractical security, and require fewer changes, than the idealpure-capability-based compartmentalisation.Our overall aim is thus first to replace Chrome's process-based model with CHERIcompartments, and then break those crude compartments into finer-grainedcompartments, enhancing security without significantly affecting performance. Aswell as significant engineering, there is also important research: processesgive some guarantees (e.g. against some side-channel attacks) that CHERIcompartments do not currently give. We will explore these guarantees andreplicate them for CHERI compartments where their existence is necessary forbrowser security.After converting process-based isolation to CHERI compartmentalisation,Chrompartments will operate in two strands: V8, the JavaScript engine; and thegraphics stack. Both strands contain significant challenges: for example, thegraphics stack is currently contained within a single process no matter how manysites are using it. Understanding the right compartmentalisation points will becritical to Chrompartments' success and lead to a much greater understanding ofhow to use CHERI on large-scale systems.

Chrome项目将以Chrome为例，探索网络浏览器的混合分区。浏览器具有系统重要性，但由于其规模和复杂性，它们会带来很大的攻击面：它们是攻击者频繁发布攻击的温床。Chromecraft将使用CHERI将浏览器划分为相互不信任的隔间，使其更具弹性和性能。我们将使用Chrome（以其开源变体Chromium的形式）作为我们实验的工具，因为它是使用最广泛的浏览器，并且它已经以一种我们可以构建的方式进行了部分划分。Chrome在可能的情况下尝试将自己分割成基于进程的部分（粗略地说：每个选项卡有1个进程;一些核心组件（如图形）被分割成单独的进程）。然而，这种模式是重量级的：操作系统处理消耗大量资源，许多设备（特别是手机）很快就达到了它们的进程限制，迫使浏览器在单个进程中合并多个标签;进程之间的通信非常缓慢。一些安全关键组件（例如V8，Chrome的JavaScript引擎）也可以理想地分离出来，但是资源和性能限制使得这不切实际。我们将使用CHERI的“混合模式”（即传统的宽度指针可以与功能一起使用）将Chrome分离成类似进程的组件。大多数代码将使用传统的宽度指针，并将被装箱到隔间中;纯功能将允许我们模拟各种形式的隔间间通信。我们假设，这将导致更实用的安全性，需要更少的变化，比理想的纯功能为基础的划分。因此，我们的总体目标是首先取代Chrome的基于进程的模型与CHERI隔间，然后打破这些粗糙的隔间到finer-grainedcompartments，增强安全性，而不显着影响性能。除了重要的工程设计，还有重要的研究：进程提供了一些CHERICompartments目前没有提供的保证（例如，防止一些侧信道攻击）。我们将探索这些保证，并将其重新用于CHERI隔间，在这些隔间中，它们的存在对浏览器安全是必要的。在将基于进程的隔离转换为CHERI隔间之后，Chromecast将以两种方式运行：V8，JavaScript引擎;和图形堆栈。这两个方面都包含着重大的挑战：例如，无论有多少站点在使用它，图形堆栈目前都包含在一个进程中。理解正确的划分点对Chromecast的成功至关重要，并有助于更好地理解如何在大规模系统中使用CHERI。

项目成果

Picking a CHERI Allocator: Security and Performance Considerations

选择 CHERI 分配器：安全性和性能考虑因素

• DOI: 10.1145/3591195.3595278
• 发表时间: 2023
• 作者: Bramley J