Gazelle Closer to Shutting down Browser Security Weaknesses


Researchers at Microsoft are set to send out more information this week on their work developing a browser/OS combo, the components of which are named Gazelle and ServiceOS. Head researcher Helen Wang says her team is putting together ideas about the next evolution of the PC and the software folks use on it, with a particular focus on improving security. After the PC, the team expects, the same principles that ground this work will transfer to smartphones, netbooks and other portable devices, as well. Wang is scheduled to present two papers at the USENIX Security Symposium, according to IEEE Spectrum.


Because vulnerabilities in Web apps can cause problems by spreading not only to other Web apps but to the operating system as well, Wang says the strategy should be to protect Web apps from each other. This contrasts with the basically failed strategy of protecting users from one another. So, the ServiceOS will sit between the apps and the OS, and manage security policies and resource allocations. Then the Gazelle browser will implement the policies, application by application.


One area that requires significant further research, says Wang, is compatibility with sites that run as plug-ins within a browser, such as YouTube. They simply won't work with the prototype at this point.


And if you're interested in more on approaches to the immediate danger from vulnerable Web apps, read Alex Meisel's article, "Safety in the Cloud: 'Vaporizing' the Web Application Firewall to Secure Cloud Computing." The Art of Defence CTO writes that the current challenge is dealing with the fact that "... 'as a Service' applications are developed two ways today: by moving on-premise applications to a cloud, and by developing and operating applications directly in a cloud."


Those applications transferred to the cloud as-is "carry the risk of exposing protected software to Web threats it was not designed to combat." And when developed specifically for the cloud, applications become extremely complex, which is a vulnerability itself, says Meisel. He details the distributed Web application firewall concept as the best defense.