
Quark: A secure Web Browser with a Formally Verified Kernel - hershel
http://goto.ucsd.edu/quark/
======
s_q_b
I'm wondering if we should be redesigning all software around formally proven
shims.

I've been thinking a lot about what a system would look like if we re-designed
it from the ground up. Nothing as extreme as throwing out von Neumann
architecture, but starting with our current hardware as the basis, and
reconceptualizing the OS around security and stability.

Certainly it would be more distributed, more sandboxed, and more interface-
agnostic. We've been running so much legacy code for so long that the
abstractions are constraining our thinking about what's possible and
desirable.

Clean-sheet redesign may be both impossible and a little extreme, but it's
definitely time to fundamentally re-imagine the "personal computer."

~~~
cliffu
I vote yes. Formal verification has great benefits for software security and
it's the "final form" (if you will pardon a redditism) of unit testing. It's
one of the top skills I would like to learn.

You might be interested in L4; there's a variant that has been formally
verified (but I think it's closed source?).

~~~
mokus
> You might be interested in L4; there's a variant that has been formally
> verified (but I think it's closed source?).

You are probably thinking of seL4[1] unless there's another I don't know
about. I believe you are correct that it's closed-source. That always bugged
me though, since it seems to defeat the whole purpose of verifying such a
critical part of a system's TCB. In my mind, the whole point is that I as a
user don't need to just take anyone's word for it.

Unless I'm mistaken (and I'd love to find out that I am!), what we have with
seL4 is a commercial vendor handing out an opaque binary blob and saying "we
proved it's correct!" but providing no way for the user to verify that they
really did prove anything. Frankly, these days I just don't trust any
organization's assertions on such things no matter how thoroughly they claim
they have proved it _to themselves_. It's certainly better than "we hit it
with a hammer and it didn't break, most of the time!", but it still leaves
open the possibility that the person asserting it's proved is lying, or that
they did prove it's correct _except for the backdoor the NSA secretly coerced
them into adding to the version they released_.

I wish I had the time to tackle something similar for the open-source world,
but with 2 small kids around I barely have time for the small open-source
projects I do manage. It's very cool to see this article's work being
released in source form, and I really hope some open-source devs pick it up
and run with it. I for one hope to be able to contribute in what time I do
have.

[1] [http://www.ertos.nicta.com.au/research/sel4/](http://www.ertos.nicta.com.au/research/sel4/)

------
RegEx
Has anyone actually got this running yet? I'm using an Ubuntu 12 VM. I've
spent about an hour trying to build this thing. The authors make it pretty
clear in the INSTALL file that you're in for a fun time if things don't go
according to plan. Maybe the process is seamless on Ubuntu 11.

> Quark has been tested on Ubuntu 11.04. A basic installation process is
> automated in ./install_module.sh file, and you can execute the installation
> script to install most of the required packages and compile Quark itself. If
> any of the required jobs fails because of some conflicts in your system, you
> have to open the installation script, and track down what went wrong
> manually. As future work, we have a plan to implement a fully functional
> installation script.

The installation script involves creating "tab" users (tab0-tab9), but the
install script doesn't check to see if these users exist before attempting to
create them. If the installation fails after the user creation section, the
install script will error out when it attempts to create users that already
exist.

Here's what I did to save you about 2 minutes of brainpower:

    # Idempotent version of the user-creation step from Quark's
    # install_module.sh: skip any tab user (tab0-tab9) or the "output"
    # user that already exists, so a re-run after a failed install does
    # not abort on useradd. execcomm is assumed to be the install
    # script's own helper that runs the command string it is given.
    for i in {0..9}
    do
        if id -u "tab$i" >/dev/null 2>&1
        then
            echo "user 'tab$i' already exists"
        else
            echo "creating user tab$i"
            execcomm "sudo useradd tab$i"
        fi
    done

    if id -u output >/dev/null 2>&1
    then
        echo "user 'output' already exists"
    else
        echo "creating user output"
        execcomm "sudo useradd output"
    fi

As for completing the rest of the install, you're on your own, as I was unable
to get things working. The install script attempts to cd into some python-
browser-8 directory which is supposed to have a makefile, but I never see it
created or even attempted to be created.

~~~
usethisonce
There is a Makefile in python-browser-8/.

~~~
RegEx
I did not see that directory at all. I tried to grep to see if some process
creates the directory, but I couldn't find it.

------
bsaul
How long do you think it's going to take before formal program proof becomes
the new standard for commercial application quality?

Today the focus is on unit testing and test code coverage, but formal proof
seems even better.

I have only heard about Coq, which I think implies code has to be written in
OCaml, but I suppose the same kind of tool exists / could be done for Haskell
or Scala. What about less strict and more widely used languages like C or Java?

~~~
geoka9
I think never. Between the "ship early" ethos and SaaS becoming increasingly
popular, software quality has been going downhill for quite a while. Most
parties seem to be OK with it, so I expect it to get even worse.

~~~
Silhouette
_Most parties seem to be OK with it, so I expect it to get even worse._

Are they OK with it, or do they just not see that they have a viable
alternative at present?

I can think of numerous cases where from a personal and/or professional point
of view I would have happily spent real money on upgraded/alternative software
to what I've got if it fixed bugs that waste my time or make the results I get
worse than they should be. Obviously some people will just rip off software
whatever you do, but for paying customers, I'd be very surprised if quality
alone couldn't drive a significant movement in a market, other things being
equal.

I think it's all the unrelated things that aren't equal that are holding back
that kind of competition. An interesting question is therefore at what point
the willingness to use good software to develop more good software could cost
less than putting up with poor quality incumbents, given that the real cost of
both strategies is high. Even as a glass-half-full kind of guy, believing that
a relatively small part of the industry could begin to pull that off without
requiring the entire mainstream to shift, it would still have to involve far,
far more people than are involved at the moment if we're going to create a
sufficiently comprehensive foundation of development tools and essential
libraries to bootstrap a whole quality-first ecosystem. The good news is that
if you can establish that foundation, everything you do afterwards is easier;
a quality-first world has that advantage over the quick and dirty status quo,
so momentum is on your side.

------
alexanderri
I don't really like that a "secure" browser runs 'xhost +' on my computer.

------
meta-coder
The seL4 operating system microkernel also aims to be formally correct.
[http://www.ertos.nicta.com.au/research/l4.verified/](http://www.ertos.nicta.com.au/research/l4.verified/)

------
wslh
How does this secure approach benchmark against Bromium's micro-hypervisor one?

~~~
X4
I initially thought that you were trolling, because Bromium sounds insincere,
but it appears to be another startup funded by Andreessen Horowitz
[http://www.bromium.com/](http://www.bromium.com/), and it's not a browser
you've linked to, it's a hardware-software-policy solution for enterprises.
Still interesting to know about.

~~~
wslh
Trolling? No. Since I researched this market for my company and I found
Bromium's virtualization approach "unique", every new product following an
innovative approach is interesting.

Currently there are many different approaches to virtualization, and I am
bullish on application-oriented approaches like App-V and ThinApp.

------
helloTree
How does this work, if the kernel is supposed to be TM-complete?

~~~
andor
1) The halting problem only states that you cannot create a program that can
decide whether _any given program_ will finish. It _is_ possible for special
cases, though.

2) They didn't automatically verify the kernel. Coq is a proof _assistant_.

~~~
DannyBee
The halting problem is also decidable for finite-memory machines, like our real
ones, so ...

~~~
cantankerous
Yes, but our memory is so big and our machines can have so many states that
the problem is still intractable in the general case.

~~~
maaku
But still very much solvable in the specific domains of real world
applications.

~~~
cantankerous
You know what, I think I agree with you. I would actually go as far as to
posit that most common applications don't require a Turing-complete
environment to run. If you could strip away the trouble spots and limit
yourself to what you really _need_, you could get a lot back in terms of
software checking and assurance.

~~~
shelf
[http://www.cs.dartmouth.edu/~sergey/langsec/occupy/](http://www.cs.dartmouth.edu/~sergey/langsec/occupy/)

~~~
cantankerous
That's awesome. Thanks for sharing. It's nice to know that people a lot
smarter than me are thinking about this already :).

------
sesm
There is a typo in the paper, both 'Response Integrity' and 'Tab Non-
Interference' are called 'second property'.

------
woah
Does it support all the latest css3?

~~~
Pitarou
Yes.

Happy now?

------
volokoumphetico
Is this, like phantomjs, fully headless?

