By Ioana Patringenaru
Computer scientists at the University of California San Diego are part of a $3 million grant from the National Science Foundation to make web browsers safer.
At UC San Diego, the effort will be headed by Deian Stefan, an assistant professor in the Department of Computer Science and Engineering. The grant’s principal investigator is Hovav Shacham, a professor at The University of Texas at Austin. Shacham, Stefan and other members of the team, including Fraser Brown at Stanford, Isil Dillig at UT Austin, UC San Diego professors Ranjit Jhala and Sorin Lerner, have extensive experience in the field of browser security.
Last year, the team developed a framework, called RLBox, that increases browser security by separating third-party libraries that are vulnerable to attacks from the rest of the browser to contain potential damage—a practice called sandboxing. The RLBox framework was integrated into Firefox to complement Firefox’s other security-hardening efforts. Now, the team is expanding their focus to the other huge attack vector: the browser’s JavaScript just-in-time (JIT) compiler.
Browser JITs turn web application code, written in JavaScript, into optimized machine code. Browser JITs are highly tuned and complex systems. Unfortunately, browser JITs also have bugs, and attackers have figured out how to take advantage of those bugs to take over the computers of users who visit their malicious websites. Journalists and dissidents have been targeted by attackers using browser JIT bugs.
“We need to rethink the way browsers execute JavaScript programs from the ground up, by designing and building new JavaScript interpreters and compilers that are extensible, maintainable, and verified secure,” Stefan said.
The goal of the NSF project is to build and deploy more secure JavaScript JITs. To this end, the team will develop new techniques, frameworks, and principles that help browser developers build JIT compilers that are provably secure and don't incur the high costs and development timelines traditionally associated with high-assurance software.
“Everyone should be able to browse the web without worrying that clicking the wrong link will cause their computer to be compromised,” Shacham said. “We hope our project can help make that goal a reality.”