BrowserShield: Helping Make the Web Safe for Surfers
By Rob Knies
August 25, 2006 12:00 AM PT

It’s a familiar cliché: The best offense is a good defense.

You hear it all the time in a sporting context. But, as it turns out, that hoary truism applies to Web surfing, as well.

Consider BrowserShield, a research project being conducted by Helen Wang and John Dunagan of the Systems & Networking group at Microsoft Research’s Redmond lab. The project, the product of a discussion on HTML-based vulnerabilities with Opher Dubrovsky of Microsoft’s Internet Security and Acceleration Server (ISA) team, is examining ways to inspect and cleanse dynamic HTML content on Web pages, denying bad code the opportunity to execute and thereby protecting Internet users.

“We want to save people,” Dunagan says, “from the problem that they’re worried about.”

BrowserShield’s suggested solution to nefarious forces who try to hijack your computer for personal gain is to comb through a Web page for JavaScript or Visual Basic® script and encapsulate it with associated logic that is executed at run time on the user’s computer. By this means, the page is transformed into a safe equivalent designed not to exploit browser vulnerabilities, turning the tide in the battle against malicious Netizens.

“Today, when you surf the Web,” Wang says, “at any point, you may wander to a bad neighborhood, and when you click on a link and navigate to a malicious Web site, your computer can be compromised, your private personal information can be stolen, and your machine can be used as a zombie for a larger botnet.”

“What are the problems with those bad links, bad neighborhoods? Some links include a bad executable download. On other occasions, a Web page is crafted especially so a particular vulnerability in your browser is exploited, and your computer can be compromised.”

In fact, with the growing popularity of Web services, browsers have become a popular vector for attacks. BrowserShield is designed to thwart such threats.

While it is easy to cleanse a static, unchanging Web page, the key challenge lies in cleansing the dynamic content of a Web page, such as embedded JavaScript code. Such embedded script code can cause the Web page to be modified at run time, enabling attacks to be generated when the browser renders the page. Determining whether a piece of script code will carry out malicious action is an instance of the halting problem, well-known in computer science.

BrowserShield tackles this challenge through script rewriting and vulnerability-driven filtering. When a user visits a Web site, as the page flows from the Web server toward the user’s PC, the BrowserShield system intercepts the page and transforms it into a safe equivalent for a browser to render. The transformation includes policies that serve as vulnerability filters performing run-time checks and denying any activity designed to attack browser vulnerabilities.
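The gap between static cleansing and a run-time check, as an added sketch that is not BrowserShield's code: it hands the script a wrapped `document` object instead of rewriting the script source. The `<widget size>` policy, the sample script and all function names are constructed for illustration.

```javascript
// Constructed policy standing in for a vulnerability filter (hypothetical
// signature, not a real browser bug): deny <widget> tags with size > 64.
function violatesPolicy(html) {
  const re = /<widget\b[^>]*\bsize\s*=\s*["']?(\d+)/gi;
  for (const m of html.matchAll(re)) {
    if (Number(m[1]) > 64) return true;
  }
  return false;
}

// Static cleansing: scan the page text once, before any script executes.
function staticScanPasses(pageSource) {
  return !violatesPolicy(pageSource);
}

// Run-time check: wrap the sink scripts use to emit markup. The policy is
// applied to the cumulative output, so splitting a tag across calls fails too.
function makeShieldedDocument() {
  const doc = { rendered: "", blocked: [] };
  doc.write = (html) => {
    const candidate = doc.rendered + String(html);
    if (violatesPolicy(candidate)) {
      doc.blocked.push(String(html)); // deny this write, keep earlier output
      return;
    }
    doc.rendered = candidate;
  };
  return doc;
}

// Constructed sample page script: the tag exists only after evaluation.
const SAMPLE_SCRIPT = `
  var n = 8 * 1000;
  document.write("<p>hello</p>");
  document.write("<wid" + "get ");
  document.write("si" + "ze=" + n + ">");
`;

function runPage(script) {
  const doc = makeShieldedDocument();
  new Function("document", script)(doc); // the script sees only the wrapper
  return { staticPass: staticScanPasses(script), rendered: doc.rendered, blocked: doc.blocked };
}

console.log(runPage(SAMPLE_SCRIPT));
```

The static scan passes the script text because the tag never appears in it contiguously, while the wrapper denies the write that would complete it.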

As it turns out, the logic for transforming the Web page can be injected at various stages and has numerous application scenarios.

“This transformation logic,” Wang says, “can be injected at a firewall, as a browser extension, or by Web publishers.”

Dunagan provides an enthusiastic elaboration.

“That’s something that we both think is really, really nice about this,” he says. “It’s something where ISA can help protect all the people within a corporation, or it can be something where MSN Search® makes it so that any of the cached Web pages that you can see on their site cannot contain these exploits; they can help protect everybody who is going to MSN Search to look at these things. There are two different value propositions, and they appeal to many people.”

Some search engines have been trumpeting something called “safe search,” which amounts to a blacklist of known malicious sites.

“BrowserShield can enable a much more powerful way of doing this safe search,” Wang states. “Basically, even for a malicious site that is not already blacklisted, BrowserShield can help prevent it from doing known bad things, such as exploiting a vulnerability of a browser.”

The technology, similarly, can deliver security-enhanced browsing.

“Say there’s a zero-day browser exploit,” Wang says. “At a particular time, a patch might not be available. But in the meantime, we can allow users to browse through a BrowserShield-enabled toolbar. Users would then be able to type URLs into the toolbar rather than in the usual address bar. This allows all Web sites to be sanitized by the BrowserShield toolbar and enables a safe browsing experience.”

Such potential has gained the attention of a number of Microsoft product groups, including ISA, Internet Explorer®, Windows Live™ OneCare™, the Security Technology Unit, and a number of MSN teams, including Live.com, MSN Search, and its anti-phishing group.

And the policies BrowserShield applies to the Web pages it examines can be updated as new threats emerge.

“If there’s a new vulnerability that is discovered,” Wang says, “new policies can be distributed to clients, if it’s a client-based deployment model. If it’s a firewall deployment model, it only needs to be distributed to the firewall. That is the flexibility aspect of our system.”

Wang, Dunagan, then-intern Charlie Reis, Dubrovsky, and then-intern Saher Esmeir began work on BrowserShield in the spring of 2005. It extends previous work called Shield, a predecessor that provided similar protection features for static content such as application-level protocol traffic. During that effort, Wang had a conversation with Dubrovsky, an ISA program manager who wanted to know if Shield could play a role in fixing HTML bugs.

“In the middle of that discussion,” Wang recalls, “we basically came to a realization that, if the attackers can dynamically generate attacks, why can’t we dynamically generate defense? We started pursuing that very seriously.”

Dubrovsky and Esmeir contributed to the project, particularly on applying BrowserShield at an ISA firewall. The collaboration was an example of how Microsoft Research, working closely with product groups to address pressing real-world problems, can more easily channel research findings to product groups.

The concept of rewriting code to help provide security is not new. What’s new with BrowserShield is applying such techniques to dynamic Web content. But such an undertaking is not without its challenges.

“The JavaScript rewriting was very fun,” Dunagan says, “because there’s a lot of new territory where people had never solved this problem before, so they’d find it very interesting the way we solved it. Then, in terms of ‘OK, now let’s build some kind of measurement infrastructure so we can figure out how well our technique works and measure it against a bunch of real Web sites,’ that turns into a really big chunk of work where you are not solving new problems, you’re just solving them in your context. We had a fair amount of both kinds of work.”

New challenges beckon.

“We are still exploring the applications of BrowserShield,” Wang says. “Ultimately, what BrowserShield brings to the table is, given a Web page, BrowserShield can change its behavior. What are the desirable behaviors people like their Web surfing experience to have? We’ve explored a number of pretty interesting possible business applications, like secure search results, secure browsing, secure Web publishing, sanitized ads—those sort of things.

“There are also some new territories we would like to explore further. For example, how can we author certain policies to enhance the browsing experience, to make the browsing experience secure? Browsers are very complicated; Web services are very complicated. We’re entering this new paradigm of Web 2.0, and we’re exploring how BrowserShield can help here.”

Adds Dunagan: “We have a number of candidates for additional killer apps, but we felt like security was a good initial killer app.”

BrowserShield is now at the stage where Wang and Dunagan are out talking with product groups—marketing their technology, you might say. Those efforts must be gratifying, because their pride in what they have accomplished is evident.

“Shield covers the static content well,” Wang says. “Now we have a really good technology for protecting dynamic content. With Shield, BrowserShield, and advanced anti-virus software, we have good coverage of the most prevalent vulnerabilities out there today.

“Also, reviving this idea of rewriting JavaScript for the Web is really significant. The community has shown enthusiasm in embracing this topic.”

Dunagan, too, relishes the potential that BrowserShield offers.

“It’s really exciting to extend the scope of rewriting to this additional domain,” he says. “I feel very optimistic that BrowserShield will find more applications as compelling as the first one.

“I feel like it has a great chance of really changing our customers’ experience and making it much better.”