Many of today's web sites contain substantial amounts of client-side code, and consequently, they act more like programs than simple documents. This creates robustness and performance challenges for web browsers. To give users a robust and responsive platform, the browser must identify program boundaries and provide isolation between them.

We provide three contributions in this paper. First, we present abstractions of web programs and program instances, and we show that these abstractions clarify how browser components interact and how appropriate program boundaries can be identified. Second, we identify backwards compatibility tradeoffs that constrain how web content can be divided into programs without disrupting existing web sites. Third, we present a multi-process browser architecture that isolates these web program instances from each other, improving fault tolerance, resource management, and performance. We discuss how this architecture is implemented in Google Chrome, and we provide a quantitative performance evaluation examining its benefits and costs.

While web pages sent over HTTP have no integrity guarantees, it is commonly assumed that such pages are not modified in transit. In this paper, we provide evidence of surprisingly widespread and diverse changes made to web pages between the server and client. Over 1% of web clients in our study received altered pages, and we show that these changes often have undesirable consequences for web publishers or end users. Such changes include popup blocking scripts inserted by client software, advertisements injected by ISPs, and even malicious code likely inserted by malware using ARP poisoning. Additionally, we find that changes introduced by client software can inadvertently cause harm, such as introducing cross-site scripting vulnerabilities into most pages a client visits. To help publishers understand and react appropriately to such changes, we introduce web tripwires---client-side JavaScript code that can detect most in-flight modifications to a web page. We discuss several web tripwire designs intended to provide basic integrity checks for web servers. We show that they are more flexible and less expensive than switching to HTTPS and do not require changes to current browsers.

Web content is migrating away from simple hyperlinked documents towards a diverse set of programs that execute within the web browser. Unfortunately, modern browsers do not provide a safe environment for running these web programs. In this paper, we show how current web security threats are symptoms of four key problems in supporting web programs: vague program boundaries, unwanted code, poor isolation, and inconsistent security policies. In response, we introduce abstractions for web programs and program instances, and we present a set of architectural principles to address these fundamental problems.

Vulnerability-driven filtering of network data can offer a fast and easy-to-deploy alternative or intermediary to software patching, as exemplified in Shield [Wang et al. 2004]. In this article, we take Shield's vision to a new domain, inspecting and cleansing not just static content, but also dynamic content. The dynamic content we target is the dynamic HTML in Web pages, which have become a popular vector for attacks. The key challenge in filtering dynamic HTML is that it is undecidable to statically determine whether an embedded script will exploit the browser at runtime. We avoid this undecidability problem by rewriting web pages and any embedded scripts into safe equivalents, inserting checks so that the filtering is done at runtime. The rewritten pages contain logic for recursively applying runtime checks to dynamically generated or modified web content, based on known vulnerabilities. We have built and evaluated BrowserShield, a general framework that performs this dynamic instrumentation of embedded scripts, and that admits policies for customized runtime actions like vulnerability-driven filtering. We also explore other applications on top of BrowserShield.

Vulnerability-driven filtering of network data can offer a fast and easy-to-deploy alternative or intermediary to software patching, as exemplified in Shield. In this paper, we take Shield's vision to a new domain, inspecting and cleansing not just static content, but also dynamic content. The dynamic content we target is the dynamic HTML in web pages, which have become a popular vector for attacks. The key challenge in filtering dynamic HTML is that it is undecidable to statically determine whether an embedded script will exploit the browser at run-time. We avoid this undecidability problem by rewriting web pages and any embedded scripts into safe equivalents, inserting checks so that the filtering is done at run-time. The rewritten pages contain logic for recursively applying run-time checks to dynamically generated or modified web content, based on known vulnerabilities. We have built and evaluated BrowserShield, a system that performs this dynamic instrumentation of embedded scripts, and that admits policies for customized run-time actions like vulnerability-driven filtering.

We present practical models for the physical layer behaviors of packet reception and carrier sense with interference in static wireless networks. These models use measurements of a real network rather than abstract RF propagation models as the basis for accuracy in complex environments. Seeding our models requires N trials in an N node network, in which each sender transmits in turn and receivers measure RSSI values and packet counts, both of which are easily obtainable. The models then predict packet delivery and throughput in the same network for different sets of transmitters with the same node placements. We evaluate our models for the base case of two senders that broadcast packets simultaneously. We find that they are effective at predicting when there will be significant interference effects. Across many predictions, we obtain an RMS error for 802.11a and 802.11b of a half and a third, respectively, of a measurement-based model that ignores interference.

We analyze wireless measurements taken during the SIGCOMM 2004 conference to understand how well 802.11 operates in real deployments. We find that the overhead of 802.11 is high, with only 40% of the transmission time spent in sending original data. Most of the remaining time is consumed by retransmissions due to packet losses that are caused by both contention and transmission errors. Our analysis also shows that wireless nodes adapt their transmission rates with an extremely high frequency. We comment on the difficulties and opportunities of working with wireless traces, rather than the wired traces of wireless activity that are presently more common.

The World Wide Web has changed significantly since its introduction, facing a shift in its workload from passive web pages to active programs. Current web browsers were not designed for this demanding workload, and web content formats were not designed to express programs. As a result, the platform faces numerous robustness and security problems, ranging from interference between programs to script injection attacks to browser exploits.

This dissertation presents a set of contributions that adapt lessons from operating systems to make the web a more suitable platform for deploying and running programs. These efforts are based upon four architectural principles for supporting programs. First, we must recognize web programs and precisely identify the boundaries between them, while preserving compatibility with existing content. Second, we must improve browser architectures to effectively isolate web programs from each other at runtime. Third, publishers must have the ability to authorize the code that runs within the programs they deploy. Fourth, users must be able to enforce policies on the programs they run within their browser.

In this work, I incorporate these architectural principles into web browsers and web content, and I use experiments to quantify the improvements to robustness and performance while preserving backward compatibility. Additionally, some of these efforts have been incorporated into the Google Chrome web browser, demonstrating their practicality.

Most current web browsers employ a monolithic architecture that combines "the user" and "the web" into a single protection domain. An attacker who exploits an arbitrary code execution vulnerability in such a browser can steal sensitive files or install malware. In this paper, we present the security architecture of Chromium, the open-source browser upon which Google Chrome is built. Chromium has two modules in separate protection domains: a browser kernel, which interacts with the operating system, and a rendering engine, which runs with restricted privileges in a sandbox. This architecture helps mitigate high-severity attacks without sacrificing compatibility with existing web sites. We define a threat model for browser exploits and evaluate how the architecture would have mitigated past vulnerabilities.

Web content now includes programs that are executed directly within a web browser. Executable content, though, creates new reliability problems for users who rely on the browser to provide program services typical of operating systems. In particular, we find that the runtime environments of current browsers poorly isolate applications from one another. As a result, one web application executing within the browser can interfere with others, whether it be through an explicit failure or the excessive consumption of resources. Our goal is to make the browser a safe environment for running programs by introducing an isolation mechanism that insulates one application from the behavior of another. We show how to use OS processes within the browser to safely isolate programs in a way that is both efficient and backwards compatible with existing web sites.

Despite their popularity, modern web browsers do not offer a secure or robust environment for interacting with untrusted content. Today's web users face a variety of threats, including exploits of browser vulnerabilities, interference between web sites, script injection attacks, and abuse of authentication credentials. To address these threats, I leverage an analogy between operating systems and web browsers, as both must run independent programs from multiple sources. My hypothesis is that mechanisms from OS research can improve the security and robustness of modern web browsers. In this report, I propose abstractions and mechanisms to isolate independent web content within the browser, and I propose two separate interposition techniques to support flexible security policies. Combined, these contributions can improve the safety of web browsers, while preserving backwards compatibility and imposing low overhead.

Existing work on understanding 802.11 wireless network behavior has been largely unsatisfactory for practical settings. Widely used simulators rely on unrealistic assumptions about signal propagation, while more detailed radio models are too complex to configure for predicting performance of an actual wireless system. To gain a more accurate understanding of wireless behavior in practice, we use experimentation on a wireless testbed and in controlled settings to effectively characterize packet delivery. We contribute a simple measurement-based model of wireless behavior, supported by empirical observations of relevant physical effects. Our model and observations can be used directly for designing and improving wireless protocols and systems in practice.