The ServiceOS Project

Overview

The computing industry has been rapidly transitioning to a software-as-a-service paradigm, embracing service portability across devices, enabling rapid cycles of innovations from software vendors, and incurring minimal software management from users. Services differ from traditional applications in three fundamental ways: 1) a service's master copy is remote (in the cloud); 2) services are untrusted to access one another and to user-private resources (like sensors or data); 3) services often embed other services to enable rich service compositions. These differences have signficant implications on the design of client operating systems in terms of protection, resource sharing and access control. In the ServiceOS project, we rethink the client platform design in these dimensions. Our ServiceOS vision is detailed in this HotSec position paper.

MashupOS

Our first subproject is MashupOS in which we observed that web sites are OS principals on web browsers and web applications demand browsers to offer OS abstractions for protection and cross-principal communications. The full paper on MashupOS is published at SOSP 2007 and a position paper was published at HotSec 2007.

Gazelle

Although web browsers function as operating systems, they have never been designed and implemented as an OS. We then built the Gazelle web browser which is the first browser that takes a multi-principal OS-based design and construction, where web sites are OS principals and unit of protection and all OS logic (such as the same-origin policy and resource access) is exclusively done in a browser kernel in a separate protection domain from that of browser renderers. We detailed this work in a paper published at Usenix Security 2009. The special characteristics of services also required rethinking of resource scheduling, which is detailed in this technical report.

WebAnalyzer

With any new browser design, one often worries about its compatibility cost. Gazelle enforces an unified same-origin policy (SOP), applying SOP to all resources (DOM or cookie or remote access) and to all content types (HTML, Flash, Java programs or images). In contrast, existing web browsers' access control policies have evolved piecemeal in an ad-hoc fashion with the introduction of new browser features, resulting in numerous incoherencies. Although we can make Gazelle compatible with existing browsers through the use of cross-principal communications, we want to enable browser vendors to make tradeoffs between security and compatibility and have a data-driven browser design. To this end, we built a WebAnalyzer tool to crawl the web, emulate page browsing, and measure the compatibility cost of ridding unsafe browser features. We detailed this work in a paper published at Oakland 2010.

HTTPi for practical end-to-end web integrity

Widespread growth of open wireless hotspots has made it easy to carry out man-in-the-middle attacks and impersonate web sites. Although HTTPS can be used to prevent such attacks, its universal adoption is hindered by its performance cost and its inability to leverage caching at intermediate servers (such as CDN servers and caching proxies) while maintaining end-to-end security.

To complement HTTPS, we revive an old idea from SHTTP, a protocol that offers end-to-end web integrity without confidentiality. We name the protocol HTTPi and give it an efficient design that is easy to deploy for today’s web. In particular, we tackle several previously-unidentified challenges, such as supporting progressive page loading on the client’s browser, handling mixed content, and defining access control policies among HTTP, HTTPi, and HTTPS content from the same domain. Our prototyping and evaluation experience show that HTTPi incurs negligible performance overhead over HTTP, can leverage existing web infrastructure such as CDNs or caching proxies without any modifications to them, and can make many of the mixed-content problems in existing HTTPS web sites easily go away. Based on this experience, we advocate browser and web server vendors to adopt HTTPi.

An initial writeup on the work is here.

Generalization

We further generalize Gazelle's design to that of a client OS. With cloud centric computing, remote content has become the first class citizen for all applications including not only web browsers, but also document-processing applications, such as word processors, photo viewers, and media players. The implication here is that the client OS needs to adopt the same-origin policy kind of mentality from that of browsers and offer protection for remote content of different owners. We are pursuing an OS design that offers this protection while being compatible with existing web security and at the same time allowing easy adaptation of existing native applications.

User-Driven Access Control

Modern client platforms, such as iOS, Android, web browsers, and ServiceOS, run each application in an isolated environment with limited privileges. A pressing open problem in such systems is how to allow users to grant applications access to user-owned resources, e.g., to privacy- and cost-sensitive devices like the camera or to the user's data that resides with various applications. A key challenge is to enable such access in a way that is non-disruptive to users while still maintaining least-privilege restrictions on applications. We propose user-driven access control, whereby permission-granting is built into existing user actions, rather than added as an afterthought via manifests or prompts. To this end, we introduce two OS-level techniques, access control gadgets and kernel-recognized gestures, for controlling access to user-owned resources. Our initial writeup of the work is detailed here.

Permission Re-Delegation: Attacks and Defenses

Permission re-delegation occurs when an application with permissions performs a privileged task for an application without permissions. This undermines the requirement that the user approve each application’s access to privileged devices and data. We demonstrate this risk by launching real-world attacks on Android system applications; several of the vulnerabilities have been conﬁrmed as bugs. We have devised a new OS mechanism, called "IPC Inspection" for defending against permission re-delegation. IPC Inspection prevents opportunities for permission redelegation by reducing an application’s permissions after it receives communication from a less privileged application. We have published a paper on this at Usenix Security 2011.

Papers

ServiceOS: Convergence of Desktop and Web Applications on a Multi-Service OS
Helen J. Wang, Alexander Moshchuk, Alan Bush
4th Usenix Workshop on Hot Topics in Security, August, 2009, Montreal, Canada. [pdf]

Protection and Communication Abstractions for Web Browsers in MashupOS
Helen J. Wang, Xiaofeng Fan, Collin Jackson, and Jon Howell
21st ACM Symposium on Operating Systems Principles (SOSP), Stevenson, WA, October 2007 [pdf][pptx]

The Multi-Principal OS Construction of the Gazelle Web Browser
Helen J. Wang, Chris Grier, Alexander Moshchuk, Samuel T. King, Piali Choudhury, Herman Venter
18th Usenix Security Symposium, August, 2009, Montreal, Canada. [pdf]

On the Incoherencies in Web Browser Access Control Policies
Kapil Singh, Alexander Moshchuk, Helen J. Wang, Wenke Lee
IEEE Symposium on Security and Privacy, Oakland, CA, May 17-20, 2010 [pdf]

Resource Management for Web Applications in ServiceOS
Alexander Moshchuk and Helen J. Wang
MSR-TR-2010-56, May 2010 [ pdf ]

HTTPi for Practical End-to-End Web Content Integrity
Kapil Singh, Alexander Moshchuk, Helen J. Wang
MSR-TR-2011-63, May 2011, [pdf]

User-Driven Access Control: Rethinking Permission Granting in Modern Operating Systems
Franziska Roesner, Tadayoshi Kohno, Alexander Moshchuk, Bryan Parno, and Helen J. Wang
MSR Techical Report MSR-TR-2011-91.

Permission Re-Delegation: Attacks and Defenses
Adrienne Porter Felt, Helen J. Wang, Alex Moshchuk, Steven Hanna, and Erika Chin
Usenix Security 2011 [pdf]

Technology transferred

The communication abstraction proposed in MashupOS influenced the design of the "postMessage" cross-domain communication API in HTML5, which is now implemented in all major browsers.

The sandbox abstraction proposed in MashupOS significantly influenced "iframe sandbox" design in HTML5, which starts to see browser adoption.

Learning from the MashupOS experience, we developed an Ad isolation system using cross-domain iframes for Microsoft Ad Center. Our system is now adopted. Microsoft has also proposed the corresponding API, called Microsoft Display Ad SmartServe API, for standardization in the Ad industry.

In the press

March 18, 2011 by Mary Jo Foley, ZDNet Microsoft's ServiceOS: A potential piece of Microsoft's cloud play, post-Windows 8
May 26, 2010 by Mary Jo Foley, ZDNet ServiceOS: Microsoft's morphing browser-operating system project
July 13, 2009 by Deborah Gage, InformationWeek Microsoft's Gazelle Project Tackles Browser Security
July 12, 2009 by Nicholas Kolakowski, eWeek Microsoft Gazelle Could Take On Google Chrome OS
July 8, 2009 by Ray Valdes, Gartner Google Chrome, Microsoft Gazelle and the cloud-oriented OS
July 8, 2009 n-tv.de Microsoft füttert die Gazelle
July 7, 2009 by Ina Fried, CNet news Microsoft's Gazelle browser takes a radical path
July 7, 2009 by Thom Holwerda, OSnews Gazelle: Applying Operating System Concepts to the Browser
July 3, 2009 by Marius Oiaga, Softpedia Microsoft Gazelle Browser OS Evolving Beyond Windows and IE
July 2, 2009 by Mary Jo Foley, All about Microsoft Microsoft's Gazelle browser: A layperson's explanation
July 2, 2009 by Kurt Mackie, Redmondmag.com Microsoft's 'Gazelle' Browser Concept Going on Tour
June 29, 2009 by Janie Chang, MSR news When is a browser not a browser
Feb 27, 2009 by Neil McAllister, InfoWorld Gazelle: The browser that thinks like an OS
Feb 24, 2009 by Gavin Clarke, The Register Microsoft boffins devise 'secure' Gazelle browser
Feb 23, 2009 by Jeremy Kirk, InfoWorld Microsoft researchers developing new, more secure Web browser
Feb 22, 2009 MS Publishes Papers For a Modern, Secure Browser
Other news on Gazelle