Conclusions

  We have presented the architecture of a secure web browser, that protects against malicious incoming objects. We have implemented a first version of our prototype on a SubOS-capable OpenBSD 2.8 [2] operating system using Perl.

There are several advantages in our modular architecture versus the monolithic architecture of popular Web browsers, such as Netscape Navigator and Microsoft Internet Explorer. Our design adds a stage of authentication before any incoming object is processed. The burden of access control is moved from the browser and its helper applications, to the operating system, allowing for a simpler and therefore more secure design. Finally the user is not involved in the processing of incoming objects, and therefore cannot be tricked into executing hostile code. Presently however, our architecture requires that the operating system provides a data centric protection mechanism, that associates permissions and privileges to data objects. This limits us to our experimental SubOS-enabled OpenBSD operating system.

There are still some things that remain to be added to our prototype browser in order to offer more complete functionality:

• We currently don't support frames. Frames require special handling since each frame consists of an HTML document with possibly individual security properties. In future versions of our browser we will add this functionality to the browser display daemon.
• Only a subset of HTML was implemented so there are a number of tags that need to be added, along with their possible variables.
• We want to expand the <SCRIPT> tag to deal with additional embedded scripting languages other than JavaScript and Perl.
• Finally we need to have some kind of secure authentication mechanism for the browser log-in daemon. The possible solutions we are considering are either an additional tag that carries a certificate in the down-loaded web page, or a certificate attached to the HTTP request.