Proposal for Virtual Web Browser by Using HTML5

Tomokazu Hayakawa¹ and Teruo Hikita¹

¹ School of Science and Technology, Meiji University, Kawasaki, 214-8571, Japan
{t_haya, hikita}@cs.meiji.ac.jp

Abstract. We propose a method, a virtual Web browser, that enables a safer Web-browsing environment. The method uses an HTML5-compliant Web browser as the client environment and JavaScript-related technologies in the server environment. The idea of the method is that (1) the server works as the HTTP/WebSocket proxy, (2) it transforms Web pages requested by clients into equivalent images, and (3) it returns the images to the clients, thereby making Web pages that contain malicious software (e.g., viruses, worms, and so on) harmless and protecting the clients against being infected with such malware. The virtual Web browser also supports other features such as keyboard events, mouse events, Cookies, and so on. The evaluation shows that the method provides a safer way of browsing Web pages without increasing network traffic. Finally, we conclude that the method is useful for realizing a safer Web-browsing environment.

Keywords: security, proxy, Web browser, HTML5, JavaScript

1 Introduction

As the World Wide Web becomes an essential part of our business, threats from malicious Web pages that contain viruses, worms, or other malware are gradually increasing. For example, there is an attack called Drive-by download that causes unintended download of computer software from the Internet. To protect our computers from malicious Web pages, it is required to use the latest Web browsers, the latest browser plugins (e.g., Java Applet, Flash Player, Adobe Acrobat Reader, and others), the latest anti-virus software, and the latest Operating Systems. In spite of these efforts, there still remains another kind of threat called the Zero-day attack, which exploits a vulnerability in computer software before we become aware of the vulnerability and fix it.
Unfortunately, as far as we know, there seem to be few effective solutions for this kind of threat.

To solve the problem, we propose a method, named virtual Web browser, that enables a safer Web-browsing environment. The virtual Web browser consists of two parts: an HTML5-compliant Web browser as the client environment and JavaScript-related technologies in the server environment. The client side of the virtual Web browser is written in HTML5, and it runs transparently on any Web browser that is compatible with HTML5, as if the browser were not virtualized. The server side of the virtual Web browser consists of two parts: the HTTP/WebSocket proxy server and the rasterization server. The idea of the method is that (1) the server works as the HTTP/WebSocket proxy, (2) it transforms Web pages requested by clients into equivalent images, and (3) it returns the images to the clients. This makes Web pages that contain viruses, worms, or other malware harmless and protects the clients against being infected with them. We have evaluated the method from the point of view of network traffic, and the result shows that the method rarely increases network traffic.

The rest of this paper is organized as follows: Sections 2 and 3 describe the design and the implementation of the method, respectively. Section 4 reports the result of the evaluation. Section 5 introduces related work. Section 6 gives the conclusion.

2 Design of Virtual Web Browser

2.1 Objectives

The virtual Web browser aims to be a light-weight secure browser that strengthens user security. Its main objective is to protect computers that run Web browsers against malicious Web pages, with a user experience as good as that of modern Web browsers and without any additional cost. We define the user experience as follows: the user of the virtual Web browser is able to (1) keep using his/her current Web browser as the runtime environment without installing any additional software, (2) bookmark Web pages in his/her Web browser, (3) operate the browser with the keyboard and/or the mouse, and (4) use Web applications that use persistent features such as Cookies, Local Storage, and WebSQL.

Moreover, there is another objective: to solve a compatibility problem of RIAs (Rich Internet Applications). The problem is caused by the fact that there is no compatibility among RIA technologies. Hence, existing RIAs cannot be ported to another environment even if the Web browsers or the plugins on which the RIAs run become obsolete.

2.2 How to Make Malicious Web Pages Harmless

The virtual Web browser makes malicious Web pages harmless by transforming them into equivalent images, i.e., rasterization, in a controlled and isolated environment. Although it is not impossible to embed malicious software in images in some situations, we believe that this method undoubtedly strengthens user security.

Although there are a large number of methods that realize virtualization, such as application virtualization, desktop virtualization, OS virtualization, and so on, we have decided to use HTML5 as the client environment and several Unix APIs, namely setuid(2), setgid(2), and chroot(2), in the server environment to realize a safer browser without any cost and without installing any software¹.

¹ The rasterization process, described in Section 2.5, is launched under a jailed directory with a limited privilege in the server, and the contents of Cookie, Local Storage, and WebSQL are stored under the directory, which minimizes and contains the influence of malware.

This decision has advantages and disadvantages. Some of the advantages are: users can use the virtual Web browser transparently through their browsers, and they can bookmark any Web page as a bookmark of their own browser, not of the virtual Web browser. Some of the disadvantages are: users cannot download/upload any file because the virtual Web browser does not allow any file system access, and users cannot view Web pages that require any plugin. In spite of these disadvantages, we consider them acceptable to increase security in exchange for usability.

2.3 Screenshots of Virtual Web Browser

Fig. 1 shows a screenshot of the virtual Web browser displaying the CSA 2013 Web site, indicating that there is no "View Page Source" in the context menu. This is because the entire Web page is rasterized as a single image. Since the virtual Web browser handles user events, any link shown in the browser is clickable; if a link of an already-loaded page is clicked, the virtual Web browser moves to the new URL, and then it shows a new image of the new page indicated by the URL.

Fig. 1. Screenshot of Virtual Web Browser that Shows CSA 2013 Web Site.

2.4 Network Model and Assumptions

We assume that the network in which our proposed method is applied is structured as shown in Fig. 2. The client computers are in the internal network, and the network to which they belong is required to contain at least one DMZ (Demilitarized Zone) located between the two firewalls. The HTTP/WebSocket proxy server and the rasterization server are required to be placed in the DMZ. This network structure reduces the risk of the client computers being compromised even if one or both of the servers are compromised, because the firewall between the internal network and the DMZ does not allow access from the DMZ to the internal network.

Fig. 2. Network Structure of Virtual Web Browser.

2.5 Behavior of Virtual Web Browser

Fig. 3 shows the behavior of the virtual Web browser, which is as follows²:

(1) Each Web browser of the clients requests a Web page by entering a URL, by selecting a bookmark, or by clicking a link contained in an already-loaded Web page.
(2) In response to the first request³, the proxy server requests digest access authentication, which queries a username and a password; both are used to launch the rasterization process in the rasterization server under the isolated environment.
(3) The browser re-requests the Web page with the proxy authentication information.
(4) The proxy server launches the rasterization process on the rasterization server according to the proxy authentication information.
(5) The proxy server returns the virtual Web browser written in HTML5.
(6) The virtual Web browser sends a request for the Web page by using a WebSocket.
(7) The proxy server transfers the request to the rasterization server.
(8) The rasterization server transfers the request to the original destination server or an upstream HTTP proxy server.
(9) The rasterization server receives the response from the server.
(10) The rasterization server transforms the response into an equivalent image.
(11) The rasterization server returns the image to the proxy server as a binary image.
(12) The proxy server returns the binary image to the browser as a base64 image.
(13) Finally, the browser shows the base64 image in its <img>.

² Whenever the size of the user's Web browser changes, the virtual Web browser sends the new size to the server, so that the rasterization process rasterizes requested Web pages into equivalent images with the correct resolution.

³ Once the proxy authentication succeeds, the Web browser caches the authentication information, so that the user will never be asked to input his/her username/password again.

Fig. 3. Behavioral Overview of Virtual Web Browser.

It is important to use WebSocket instead of HTTP to communicate with the proxy server, because WebSocket can communicate bidirectionally and asynchronously. Hence, the virtual Web browser can be almost completely synchronized with the launched rasterization process. For example, if a Web page loaded in the rasterization process moves to another URL, the process sends a URL-changed notification to the virtual Web browser, which causes the browser to move to the new URL. As another example, if any of the supported events such as onresize, onscroll, onmouseup, onmousedown, onmousemove, onclick, ondblclick, onkeyup, onkeydown, and onkeypress occurs, the information of the event is sent to the process through the WebSocket, which means that the virtual Web browser supports user interaction events such as keyboard, mouse, scroll, and resize events.

3 Implementation of Virtual Web Browser

3.1 Used Software and Implementation

We have used the software products shown in Table 1 to implement the virtual Web browser. JavaScript is used as the single programming language of the system to reduce development costs. jQuery makes our virtual Web browser portable among modern Web browsers. PhantomJS [6] is a CUI-based Web browser that is used as the rasterization engine. Apache HTTP Server is used to act as the HTTP/WebSocket proxy. Node.js [5] is used to implement the HTTP/WebSocket proxy software that runs behind Apache and communicates with PhantomJS.
To reduce network traffic, we have decided to compress the contents exchanged between the virtual Web browser and the proxy server. Table 2 shows the compression methods that current Web browsers support. We choose deflate over gzip, because it is supported by the Apache module named mod_deflate.

Fig. 4 shows the skeleton of the virtual Web browser. As the figure shows, it has only one <img> element that shows a rasterized image. All events related to user interaction, such as keyboard and mouse events, are handled by the embedded JavaScript and are notified to the server through the WebSocket. In addition, all events fired in the rasterization process are also notified to the virtual Web browser through the WebSocket. This event handling lets the virtual Web browser act as though it were the browser on which it runs.

Table 1. Used Software for Virtual Web Browser Implementation.

| Software | Version | Description |
| jQuery | 2.0.3 | JavaScript library. |
| PhantomJS | 1.9.1 | Used as rasterization engine. |
| Node.js | 0.10.15 | Used for HTTP/WebSocket proxy implementation. |
| Apache HTTP Server | 2.4.6 | Used as HTTP/WebSocket proxy server. |
| CentOS | 6.4 | Operating System. |

Table 2. HTTP 1.1 Compression Methods Supported by Web Browsers.

| Web Browser | Version | gzip | compress | deflate |
| Internet Explorer | 10.0 | Yes | No | Yes |
| Firefox | 22.0 | Yes | No | Yes |
| Chrome | 28.0 | Yes | No | Yes |
| Opera | 12.15 | Yes | No | Yes |

Fig. 4. Skeleton of Virtual Web Browser.

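The client half of steps (6) to (13) and of the event forwarding described above, as an added example rather than the authors' code from Fig. 4. The message names and fields (image, url-changed, event, png, url) and the attach helper are assumptions; the point shown is that server data reaches only the src of the <img>, as a PNG data URI, or the navigate callback.

```javascript
// Added example, not the authors' code. The JSON message shapes ("image",
// "url-changed", "event") and field names are assumptions.
const BASE64_RE = /^[A-Za-z0-9+/]+={0,2}$/;
const FORWARDED = ["resize", "scroll", "mouseup", "mousedown", "mousemove",
  "click", "dblclick", "keyup", "keydown", "keypress"];
const FIELDS = ["clientX", "clientY", "button", "keyCode", "width", "height"];

// Server -> client. Server data is only ever assigned to img.src as a PNG
// data URI or handed to navigate(); it is never evaluated or inserted as HTML.
function handleServerMessage(raw, img, navigate) {
  let msg;
  try { msg = JSON.parse(raw); } catch (e) { return "ignored"; }
  if (msg === null || typeof msg !== "object") return "ignored";
  if (msg.type === "image" && typeof msg.png === "string" &&
      msg.png.length % 4 === 0 && BASE64_RE.test(msg.png)) {
    img.src = "data:image/png;base64," + msg.png; // step (13)
    return "image";
  }
  // Assumption: only http:// targets are followed, since Section 3.2 rules
  // out HTTPS; this also rejects javascript: and data: URLs.
  if (msg.type === "url-changed" && typeof msg.url === "string" &&
      /^http:\/\/[^\s]+$/i.test(msg.url)) {
    navigate(msg.url);
    return "url-changed";
  }
  return "ignored";
}

// Client -> server. Copy only allow-listed numeric fields of a supported event.
function encodeEvent(ev) {
  if (!ev || !FORWARDED.includes(ev.type)) return null;
  const out = { type: "event", name: ev.type };
  for (const k of FIELDS) if (typeof ev[k] === "number") out[k] = ev[k];
  return JSON.stringify(out);
}

// Wire a WebSocket-like object to the single <img>; returns an event sender.
function attach(socket, img, navigate) {
  socket.onmessage = (m) => handleServerMessage(m.data, img, navigate);
  return (ev) => {
    const frame = encodeEvent(ev);
    if (frame !== null) socket.send(frame);
    return frame !== null;
  };
}
```

In a browser, socket would be a WebSocket, img the page's only <img> element, and navigate a function that sets location.href.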
3.2 Limitations

The virtual Web browser does not support any Web browser plugin such as Java Applet, Flash Player, Adobe Acrobat Reader, and others. This is generally considered to be a disadvantage that degrades user experience, but we consider it acceptable as a trade-off between usability and security.

We intend to use the virtual Web browser with a PAC (Proxy Auto Configuration) file [4]. Since the PAC file controls which URLs should be browsed directly and which through a proxy, the virtual Web browser will be used only to browse URLs that are not listed in the file. This design minimizes deterioration of user experience and enables users to use the virtual Web browser with other proxies and/or other solutions for the Zero-day attack.

In addition, the virtual Web browser does not support HTTPS, because the behavior of the virtual Web browser is recognized as a MITM (Man-In-The-Middle) attack by Web browsers, and modern browsers are designed to prevent the attack from occurring.

4 Evaluation

To evaluate our proposed method, we measured the number of bytes transferred between the virtual Web browser and the proxy server. We use the top 5 Web sites ordered by traffic volume (Alexa Internet, Inc.). Table 3 shows the size of the images of the top pages of the Web sites. The result shows that (1) transforming Web pages into equivalent images rarely increases network traffic⁴, (2) encoding the images with base64 increases their size, and (3) by using deflate, the size of the base64-encoded images becomes almost the same as the original image size.

5 Related Work

There are several virtualization technologies such as desktop/application/OS virtualization. One of the differences between them and ours is that such virtualizations often require dedicated software and/or an OS, but our proposed method requires only an HTML5-compliant Web browser as the client environment, which means that our method can be widely used without any additional cost.

Table 3. Image File Sizes of Top Pages of Web Sites (sizes in bytes).

| Web Site | Raw Size | PNG | PNG (base64) | PNG (base64, deflate) |
| Facebook | 520,832 | 88,554 | 119,626 | 86,476 |
| Google | 184,125 | 45,392 | 61,321 | 42,490 |
| YouTube | 1,279,892 | 814,113 | 1,099,767 | 829,920 |
| Yahoo! | 978,704 | 812,161 | 1,097,133 | 821,183 |
| Amazon.com | 1,316,049 | 1,114,448 | 1,505,484 | 1,132,271 |

⁴ Strictly, it strongly depends on the contents of the Web page.

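The size relationship reported in Table 3 can be reproduced with Node.js's zlib module; this is an added example, not the authors' measurement code. Pseudo-random bytes are a constructed stand-in for PNG data, and the zlib default compression level is an assumption. It also shows that the table's base64 column is consistent with base64 text wrapped at 76 characters with one newline per line.

```javascript
// Added example, not the authors' measurement code.
const zlib = require("zlib");

// Size of base64 text for n input bytes; wrap > 0 adds one newline per line
// of `wrap` characters (76 is the MIME line length).
function base64Size(n, wrap = 0) {
  const chars = 4 * Math.ceil(n / 3);
  return wrap > 0 ? chars + Math.ceil(chars / wrap) : chars;
}

// Constructed input: deterministic xorshift32 bytes stand in for PNG data,
// which is already compressed and therefore looks close to random.
function samplePayload(n, seed = 0x9e3779b9) {
  const buf = Buffer.alloc(n);
  let x = seed >>> 0;
  for (let i = 0; i < n; i++) {
    x ^= x << 13;
    x ^= x >>> 17;
    x ^= x << 5;
    buf[i] = x & 0xff;
  }
  return buf;
}

// Steps (11)-(12) followed by deflate: raw image -> base64 text -> deflate.
function measure(raw) {
  const b64 = Buffer.from(raw.toString("base64"), "ascii");
  const deflated = zlib.deflateSync(b64); // zlib default compression level
  return {
    raw: raw.length,
    base64: b64.length,
    deflated: deflated.length,
    base64Ratio: b64.length / raw.length,       // about 4/3
    deflatedRatio: deflated.length / raw.length, // close to 1
  };
}

// [PNG size, PNG (base64) size] pairs copied from Table 3.
const TABLE3 = [[88554, 119626], [45392, 61321], [814113, 1099767],
  [812161, 1097133], [1114448, 1505484]];

// True when every base64 size in Table 3 equals 76-column wrapped base64.
function table3MatchesWrappedBase64() {
  return TABLE3.every(([png, b64]) => base64Size(png, 76) === b64);
}
```

Base64 spends 8 bits on each 6-bit symbol, and deflate's Huffman coding recovers most of that overhead, which is why the last two columns of Table 3 differ by roughly a third.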
Palanques et al. [2] have proposed a model and architecture called Secure Cloud Browser that supports secure Web navigation. Their work and ours are similar in that both methods rasterize the contents of requested Web pages in a controlled environment to protect client computers against malicious software. On the other hand, the methods differ in that theirs is based on the assumption that an attacker has administrative privileges on a victim's computer and requires a Web browser and a JRE (Java Runtime Environment) to run; our method aims to protect client computers against being infected with malware, and it requires only an HTML5-compliant Web browser.

Grier et al. [1] have proposed the OP web browser to enable more secure Web browsing. Their method and ours are similar in that both rasterize requested Web pages in isolated processes and send them back to the clients. However, the methods differ in that theirs requires a JRE and a dedicated Web browser; our method requires only an HTML5-compliant Web browser.

Wang et al. [3] have proposed SafeFox to create a safe browsing environment. They need light-weight virtualization to protect each Web browser process. On the other hand, we do not need a virtual environment; instead, we use Unix APIs to isolate the behavior of the rasterization process.

6 Conclusion

In this paper, we have proposed the virtual Web browser, which enables a safer Web-browsing environment. As a result, we conclude that the method strengthens the security of client computers to some extent, and it can be one of the solutions for malware threats.

We plan to enhance our browser to increase usability. For example, partial rasterization of requested Web pages is one idea, since rasterizing entire pages loses some information including links, texts, animations, and others. Enhancing the browser by using the <canvas> tag is another idea, which would enable links to be noticeable, texts to be copied, animations to be runnable, and so on.

References

1. Grier, C., Tang, S., and King, S.T.: Secure Web Browsing with the OP Web Browser. In: IEEE Symposium on Security and Privacy, pp. 402-416, Oakland (2008)
2. Palanques, M., Dipietro, R., del Ojo, C., Malet, M., Marino, M., and Felguera, T.: Secure Cloud Browser: Model and Architecture to Support Secure WEB Navigation. In: 31st IEEE Symposium on Reliable Distributed Systems (SRDS), pp. 402-403, Irvine (2012)
3. Wang, J., Huang, Y., and Ghosh, A.: SafeFox: A Safe Lightweight Virtual Browsing Environment. In: 43rd Hawaii International Conference on System Sciences (HICSS), pp. 1-10, Honolulu (2010)
4. Microsoft TechNet, http://technet.microsoft.com/library/dd361918
5. Node.js, http://nodejs.org/
6. PhantomJS: Headless WebKit with JavaScript API, http://phantomjs.org/