Microsoft eyes ditching browser for secure Web apps

Microsoft researchers have developed the prototype of a client-side architecture that would replace the Web browser with a much more secure virtualized environment that isolates Web applications.

Called Embassies, the technology would have applications run in low-level, native-code containers that would use Internet addresses for all external communications with applications. The architecture is based on the notion of a "pico-datacenter," a client-side version of a shared server datacenter.

"Since the datacenter model is designed to be robust to malicious tenants, it is never dangerous for the user to click a link and invite a possibly hostile party onto the client," Microsoft researchers said in a paper presented this month at the USENIX Symposium on Networked System Design and Implementation.

The problem Microsoft is trying to solve is the insecurity of today's browsers, brought on by their complexity. In the 1990s, when browsers were introduced, the software was mostly responsible for formatting Web pages that were text, links and simple graphics.

Today's browsers have many more application programming interfaces (APIs) that are used for far more complicated tasks, such as video, animation and 3D graphics. This high level of complexity has brought a never-ending string of vulnerabilities that hackers can exploit.

"I think [Embassies is] an interesting idea and shows enough promise to be worth additional investigation and investment," Jason Taylor, chief technology officer of Security Innovation, said on Friday. "The premise of strong isolation for each Web application versus isolation for the browser itself is intriguing."

Embassies is Microsoft's attempt to present a simpler alternative than the browser. The architecture would provide a simple execution environment that would use only 30 functions in interacting with the client's execution interface (CEI). Displaying content would essentially be a screencast from the container to the user's screen.

The simplicity of the environment would require developers to do more than they do now in building applications for a browser, which provides lots of libraries through the APIs. With Embassies, developers would be responsible for packaging their own libraries with their applications, a difficult process that in effect would hand security responsibilities to the developer. If malicious code gets in, the container would theoretically prevent it from infecting the computer.

That approach has its skeptics. "The problem with the idea is that developers of web applications are often terrible at security and the idea that you are going to make them the ones responsible for the security instead of the web browser developer just seems like out of the frying pan and into the fire," said Peter Bybee, president and chief executive of Security On-Demand. "I think this is more about wishful thinking and less on realistic change."

[BASICS: Software security for developers]

Wolfgang Kandek, chief technology officer of Qualys, said the added responsibilities would likely overwhelm most developers, but he believed that the process of packaging libraries could eventually be automated within development tools.

"It is an architecture that will require lots of changes on the client side and on the developer side, which is probably why this is not something that will happen overnight," Kandek said.

Indeed, the authors of the paper, Microsoft researchers Jon Howell, Bryan Parno and John R. Douceur, acknowledged that Embassies would require dramatic changes in application development and adoption of the architecture would take years.

While Microsoft described the architecture as a browser replacement, the company also believed it could become a more secure alternative to desktop operating system apps. Shlomo Kramer, president and chief executive of Imperva, said Embassies was "promising in theory," but believed it would not scale to that level.

"The main reason is that it makes collaboration, workflows, sharing of data and transacting across virtual machines very cumbersome," Kramer said.

Matthew Neely, director of research at SecureState, said rather than replace today's browsers, security could be dramatically improved just by developers treating it as an integral part of the development process.

"A lot of people like to focus on new technology to fix something when really if you just apply the basics to what we have already, you can usually get more impact," Neely said.

Read more about application security in CSOonline's Application Security section.

Join the CSO newsletter!

Error: Please check your email address.

Tags web appsapplicationsEmbassiesbrowser securitysecurityData Protection | Application SecurityMicrosoftAccess control and authenticationsoftwaredata protection

More about HowellImpervaKramerMicrosoftQualys

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Antone Gonsalves

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place