Isolating Programs in Modern Browser Architectures
Charles Reis, Steven D. Gribble
University of Washington / Google, Inc.

Web is Evolving
- Pages -> Programs
- More complex, active content
- Browser now in the role of an OS, but not designed for it
- Robustness and performance problems

Consider the OS Landscape
- Performance isolation
- Resource management
- Failure isolation
- Clear program abstraction

Browsers Fall Short
- Unresponsiveness
- Jumbled accounting
- Browser crashes
- Unclear what a program is!

Outline
- Looking for Programs
- New Abstractions
- Isolation in Chromium
- Evaluation

Programs in the Browser
- Consider an example browsing session
- Several independent programs (diagram: Mail, Doc List, Doc, Blog, News Article)

Monolithic Browsers
- Most browsers put all pages in one process (diagram: Mail, Doc List, Doc, Blog, News Article sharing one process)
- Poor performance isolation
- Poor failure isolation
- Poor security
- Should re-architect the browser

Process per Window?
- Breaks pages that directly communicate (shared access to data structures, etc.)
- Fails as a program abstraction (diagram: Mail, Doc List, Doc, Blog, News Article each in its own window)

Need a Program Abstraction
- Aim for new groupings that:
  - Match our intuitions
  - Preserve compatibility
  - Take cues from the browser's existing rules
- Isolate each grouping in an OS process
- Will get performance and failure isolation, but not security between sites

Outline (section divider): New Abstractions

Ideal Abstractions
- Web Program: set of pages and sub-resources providing a service
- Web Program Instance: live copy of a web program in the browser
  - Will be isolated in the browser's architecture
- Intuitive, but how to define concretely?

Compatible Abstractions
Three ways to group pages into processes:
1. Site: based on the browser's access control policies
2. Browsing Instance: communication channels between pages
3. Site Instance: intersection of the first two

1. Sites
- Same Origin Policy dictates some isolation (host + protocol + port)
- Pages can change document.domain
- Registry-controlled domain name limit
- Site: RCDN + protocol
(diagram: Mail, Doc List and Doc grouped under zoho.com, i.e. mail.zoho.com and docs.zoho.com; Blog at http://blogger.com; News Article at http://bbc.co.uk)

2. Browsing Instances
- Not all pages can talk
- References between "related" windows
  - Parents and children: w = window.open(...), window.opener
  - Lifetime of window
- Browsing Instance: connected windows, regardless of site
(diagram: Mail, Doc List, Doc, Blog, News Article)

3. Site Instances
- Site Instance: intersection of site and browsing instance
- Safe to isolate from any other pages
- Compatible notion of a web program instance
(diagram: Mail, Doc List, Doc, Blog, News Article)

Outline (section divider): Isolation in Chromium

Multi-Process Browser
- Browser Kernel: storage, network, UI
- Rendering Engines: web program and runtime environment
- Plug-ins
- Implemented in Chromium
(diagram: rendering engines and a plug-in above the browser kernel)

Chromium Process Models
1. Monolithic
2. Process-per-Browsing-Instance: new window = new renderer process
3. Process-per-Site-Instance (default): create a renderer process when navigating cross-site
4. Process-per-Site: combine instances: fewer processes, less isolation
(diagram: several rendering engines and plug-ins on top of the browser kernel)

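To make the site / browsing-instance / site-instance groupings from the previous slides and the four process models above concrete, here is an added example (not code from the talk or from Chromium): it derives the "site" of a URL as protocol plus registry-controlled domain name and assigns a constructed browsing session to renderer processes under each model. The registry suffix table is a tiny constructed stand-in; a real browser consults the full Public Suffix List, which the slides do not cover.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed stand-in for the registry-controlled suffix table (an assumption:
# a real browser consults the full Public Suffix List, which the slides do not show).
REGISTRY_SUFFIXES = {"com", "org", "co.uk"}

def site_of(url):
    """Slide 13's 'site': protocol plus registry-controlled domain name (RCDN)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    labels = host.split(".")
    for i in range(len(labels)):  # longest registry suffix first, keep one more label
        if i > 0 and ".".join(labels[i:]) in REGISTRY_SUFFIXES:
            return f"{parts.scheme}://{'.'.join(labels[i - 1:])}"
    return f"{parts.scheme}://{host}"

def assign_processes(pages, model):
    """Group (page_name, url, browsing_instance_id) tuples into renderer processes
    under one of the four Chromium models; returns {process_key: [page names]}."""
    groups = defaultdict(list)
    for name, url, bi in pages:
        site = site_of(url)
        if model == "monolithic":
            key = "all"
        elif model == "process-per-browsing-instance":
            key = f"bi{bi}"
        elif model == "process-per-site-instance":
            key = f"bi{bi}:{site}"  # intersection of site and browsing instance
        elif model == "process-per-site":
            key = site  # instances of one site merged: fewer processes, less isolation
        else:
            raise ValueError(f"unknown process model: {model}")
        groups[key].append(name)
    return dict(groups)

# Constructed session modelled on the slides' example: Doc List opened Doc via
# window.open, and Blog opened News Article, so each pair shares a browsing instance.
SESSION = [
    ("Mail", "https://mail.zoho.com/inbox", 1),
    ("Doc List", "https://docs.zoho.com/list", 2),
    ("Doc", "https://docs.zoho.com/doc/42", 2),
    ("Blog", "http://blogger.com/post", 3),
    ("News Article", "http://bbc.co.uk/news", 3),
]

if __name__ == "__main__":
    for model in ("monolithic", "process-per-browsing-instance",
                  "process-per-site-instance", "process-per-site"):
        print(f"{model}: {assign_processes(SESSION, model)}")
```

Under the default process-per-site-instance model the session lands in four renderer processes, while Doc List and Doc, which must be able to script each other, stay together.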
Outline (section divider): Evaluation

Robustness Benefits
- Failure isolation
- Accountability
- Memory management
- Some additional security (e.g., Chromium's sandbox)
(diagram: each rendering engine and plug-in in its own sandbox above the browser kernel)

Performance Isolation
- Responsive while other web programs are working
(chart: Avg Click Delay on Blank Page, Time (ms); Monolithic Chromium: 3,307 ms with Top 5 Pages, 1,408 ms with Gmail; Multi-Process Chromium: 6 ms in both cases)

Other Performance Impact
- Speedups: more work done concurrently, leveraging cores (e.g., session restore of several windows)
- Process latency: 100 ms, but masked by other speedups in practice

Memory Overhead
- Robustness benefits do have a cost
- Reasonable for many real users
(chart: Memory (MB), 0 to 130, against Number of Popular Pages, 1 to 10; Monolithic Chromium vs. Multi-Process Chromium)

Compatibility Evaluation
- No known compatibility bugs due to the architecture
- Some minor behavior changes, e.g., narrower scope of window names: browsing instance, not global
(diagram: two windows both named "Pandora")

Related Architecture Work
- Internet Explorer 8: multi-process architecture, no program abstractions
- Gazelle: like Chromium, but values security over compatibility
- Other research: OP, Tahoma, SubOS: break compatibility (isolation too fine-grained)

Conclusion
- Browsers must recognize programs to support them
- Site Instances capture this
  - Compatible with existing web content
  - Can prevent interference with process isolation
- Implemented in Chromium