Researchers Say Gazelle Browser Offers Better Security

• By Kurt Mackie
• 02/26/09

A team consisting of Microsoft Research personnel and university staff members has demonstrated a potentially more secure Web browser called Gazelle. A paper (PDF) describing the browser prototype was published at Microsoft Research Thursday.

However this research team, led by Helen J. Wang and others, appears to be doing work that's separate from Microsoft's Internet Explorer 8 team. IE8 and Google Chrome frequently appear in the paper as examples of browsers that get security wrong.

The team claims that the Gazelle browser, which ran on Windows Vista and uses Internet Explorer's Trident renderer, offers greater security by using a browser-based operating system called a "browser kernel." The browser kernel consists of approximately 5,000 lines of C# code and is "resilient to memory attacks," according to the authors. Not even IE8 offers the same protection, they contend.

"No existing browsers, including new architectures like IE 8, Google Chrome, and OP [another experimental browser], have a multi-principal OS construction that gives a browser-based OS, typically called Browser Kernel, the exclusive control to manage the protection and fair-sharing of all system resources among browser principals," the authors write.

The Gazelle browser enables Web sites (or "principals") to communicate with each other, but they do so by passing messages through the browser kernel, just as would be done via interprocess communications. The browser kernel manages security as well as the sharing of system resources.

In contrast to Google Chrome, Gazelle runs a Web page and its embedded principals in separate processes. The authors also claim that Gazelle handles tabbed browsing in a superior way to IE8.

"IE 8 uses OS processes to isolate tabs from one another. This granularity is insufficient since a user may browse multiple mutually distrusting sites in a single tab and a web page may contain an iframe with content from an untrusted site (e.g., ads)," the authors explain.

Gazelle separates same-origin domains, such as ad.datacenter.com and user.datacenter.com, whereas Google Chrome considers them from the same site. The browser kernel even manages address bars and menus in the browser, plus it controls whether or not browser plug-ins can interoperate with the operating system.

The overlay of transparent content, which can trick users into clicking on content from another origin, is thwarted by a policy that makes dynamic content-containing windows opaque.

Gazelle still has leaps and bounds to travel to get beyond its prototype stage. In many instances, Gazelle is slower than IE7 due to greater overhead, although it does start up faster than IE7.

Gazelle also may choke on the browser plug-in issue. The authors explain that "existing plugin software must be adapted (ported or binary-rewritten) to use Browser Kernel system calls to accomplish its tasks."

The authors did test Gazelle successfully on 19 of 20 Alexa-reported popular Web sites, calling the browser's performance "acceptable." Some of the overhead problems caused by "IE instrumentation" can be eliminated, the authors say.