helenwang

Niner since 2009


  • Expert to Expert: Helen Wang and Alex Moshchuk - Inside Gazelle

    "Chromium (Chrome's base) is separated into two protection domains. These are a browser kernel and a rendering engine. The rendering engine domain runs in a restricted sandbox environment. Web pages and plugins are both executed in the rendering engine domain, which means they have restricted access to your system. As with Gazelle, all communication to the kernel is done via a tight API proxied through IPC. From what I can tell, Gazelle offers no specific improvements over Chrome in this area."

    Gazelle is fundamentally different from Chromium here. In Gazelle, there is one protection domain per principal, namely, web site. So, the number of protection domains is the same as the number of web sites that the user browses. This means that when a.com embeds ad.com, a.com and ad.com are placed in separate domains. In contrast, Chromium places them into the same protection domain. The key distinction between Gazelle and all previous browsers is that the browser kernel manages all cross-principal protections and resource management. In contrast, Chromium must do cross-principal protection in its rendering engine. This is what makes Gazelle's browser kernel a real OS, and Chromium's browser kernel not really an OS. Please refer to the related work section of Gazelle's tech report for a very detailed comparison.

    I'd also want to clarify that the goal of Chromium's architecture is to protect the host machine from the browser and the web. The goal of Gazelle is to protect web site principals from one another --- such a protection is an operating system's job, hence the Gazelle approach. The resulting architecture naturally protects the host machine from the browser and the web as well.
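The distinction drawn in the reply above (one protection domain per principal, with cross-principal mediation in the browser kernel, versus one domain per top-level page with mediation left to the renderer) can be made concrete with a small model. The following is an added example written for this page; it is a toy and is not code from Gazelle, Chromium or the poster. It assumes, as the Gazelle paper does, that a principal is identified by the same-origin triple (scheme, host, port); the class names, the `domains_for_page` helper and the sample URLs are constructed for illustration, and the Chromium model reproduces only the 2009-era layout the thread describes (embedded frames share their embedder's domain).

```python
from urllib.parse import urlsplit

# Default ports so that http://a.com and http://a.com:80 map to one principal.
DEFAULT_PORTS = {"http": 80, "https": 443}


def principal_of(url):
    """Derive the principal of a URL as the origin triple (scheme, host, port).

    Assumption (not stated in the thread itself): principals are identified by
    the same-origin triple, so path and query never change the principal.
    """
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or parts.hostname is None:
        raise ValueError(f"unsupported URL: {url!r}")
    port = parts.port if parts.port is not None else DEFAULT_PORTS[parts.scheme]
    return (parts.scheme, parts.hostname.lower(), port)


class GazelleStyleKernel:
    """Toy browser kernel: exactly one protection domain per principal."""

    def __init__(self):
        self._domains = {}  # principal -> domain id

    def load(self, url):
        """Return the domain that renders `url`, allocating one per new principal."""
        p = principal_of(url)
        if p not in self._domains:
            self._domains[p] = len(self._domains)
        return self._domains[p]

    def domain_count(self):
        return len(self._domains)

    def allow_access(self, requester_url, target_url):
        """Cross-principal mediation lives in the kernel: only same-principal
        access passes, so a renderer never gets to decide for another site."""
        return principal_of(requester_url) == principal_of(target_url)


class ChromiumStyleModel:
    """Toy model of the layout the thread attributes to Chromium: every frame
    on a top-level page renders in that page's domain, so a.com and an embedded
    ad.com share one domain and the renderer must separate them itself."""

    def __init__(self):
        self._pages = {}  # top-level page URL -> domain id

    def load_page(self, page_url):
        if page_url not in self._pages:
            self._pages[page_url] = len(self._pages)
        return self._pages[page_url]

    def load_frame(self, page_url, frame_url):
        # Embedded content inherits its embedder's domain regardless of principal.
        return self.load_page(page_url)

    def domain_count(self):
        return len(self._pages)


def domains_for_page(page_url, frame_urls):
    """Render one page plus its embedded frames under both models and return
    (gazelle_domain_count, chromium_domain_count)."""
    kernel = GazelleStyleKernel()
    chromium = ChromiumStyleModel()
    kernel.load(page_url)
    chromium.load_page(page_url)
    for frame in frame_urls:
        kernel.load(frame)
        chromium.load_frame(page_url, frame)
    return kernel.domain_count(), chromium.domain_count()


if __name__ == "__main__":
    # Constructed input mirroring the thread: a.com embeds an ad from ad.com.
    print(domains_for_page("http://a.com/index.html", ["http://ad.com/banner"]))
    kernel = GazelleStyleKernel()
    print(kernel.allow_access("http://a.com/", "http://ad.com/"))
```

The two counts returned by `domains_for_page` are the whole point of the reply: for a.com embedding ad.com the Gazelle-style kernel reports two domains and the Chromium-style model one, and `allow_access` shows the kernel refusing the cross-principal request before any rendering code is involved. Adding more frames from ad.com does not raise the Gazelle count, because domains track principals, not frames.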