Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Google's Chrome Shakes Up Browser Design



 By: Larry Seltzer
2008-09-03
Article Rating:starstarstarstarstar / 5


There are 1 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
I wouldn't assume they'll be successful with it, but Google's got a lot of great ideas with their new browserexcuse me, application environment. Have they turned those ideas into good code?

Everyone's talking about Chrome, Google's new Web browser that endeavors to be more than a web browser. It's an exciting program in many ways, but none more so than in what they are attempting to do with browser security.

I won't go into everything security-related in the program. For instance, the Incognito mode and blacklists are useful stuff but not exactly unique or innovative. It's the architecture that has me intrigued.

If you want to learn about security in Chrome you can read the cartoon version or you can read  the paper that the Chrome team wrote with people from UC Berkeley, Stanford and the University of Washington: The Security Architecture of Chromium. Chromium appears to be an application framework on which Google built Chrome.

Google has attempted to make Chrome more of a legit environment for applications than other browsers by giving the browser architecture some of the same protections that applications have on modern operating systems. Essentially, they run different pages in the browser, i.e., different tabs, as separate processes, and run them in a sandbox. Each of these processes is limited in ways that should limit the damage of any malicious programs that execute. More specifically, the browser is divided into two components: a privileged browser kernel and a rendering engine which runs in a sandbox. This is the component which performs many of the tasks, such as file parsing and Javascript execution, which are prone to vulnerabilities.

Resource Library:

The notion of the browser as an application platform is not a new one. Apple tried to claim for quite a while that Safari was the application development platform for the iPhone, but that didn't satisfy many people. And security in general, let alone in Safari, has not been one of Apple's strong suits. Google doesn't have a real track record here, but they seem to have the right ideas.

I'm not the only one excited by Google's nerve in this regard: Microsoft's Robert Hensing notes, and I think fairly, that much of Google's approach mirrors Microsoft's attempts with IE Protected Mode and related features, but that Google goes further by isolating tabs as processes. Read Robert's second blog on Chrome for a short version of how Google is implementing their sandbox in Windows. There are more details here in the Chrome Design Documentation.

If you go through the docs, though, one interesting fact is that they are using Windows-specific security features to implement the sandbox (CreateRestrictedToken, Job objects), features which mostly don't have counterparts in Linux, the Mac and other platforms on which they might wish to implement Chrome. The only version available now (that I can see) is the Windows version. How are they going to implement the sandbox on other platforms?

I'm a big fan of such architectural improvements that attempt to limit the reach of any successful attack or reduce the attack surface, but it's not yet clear that Google has done what they set out to do. Even just on Tuesday, the first day that Chrome was released to the public, the security research community dropped what they were doing and produced what could be real problems. Look for more of this stuff as people have more time to work on it.

A revelation on Full-Disclosure of a crash bug in the browser at first brought forth scorn from me; a crash in a beta browser? Stop the presses! But as others pointed out, just about everything from Google is forever in beta, so they deserve more scrutiny than most companies would get for a beta product. On the other hand, someone suggested that because of the Chromium architecture just the one tab was crashed, not the whole browser. I'm not so sure.

I tried the proof of concept for this bug. The browser successfully restarted ("Whoa! Google Chrome has crashed. Restart now?"), but it seems to me as if each of the pages is being reloaded, which means the whole browser crashed. Perhaps Google will comment on the report.

Another more interesting report was a ZDNet report that Chrome is vulnerable to same "Carpet Bombing" bug as Apple's Safari  (credit for the research to the prolific Aviv Raff). Click the big button in the demo and the app drops a file (named "Free Coupwns!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.jar") in the Chrome download folder. For me, this folder defaulted to c:\temp. ZDNet says that some users are reporting the file on their desktop, so perhaps Chrome makes the desktop the download location some times. Note that this PoC belies the general notion that the jail/sandbox blocks file system access.

It also reports that the Chrome user-agent string identifies it as "AppleWebKit/525.13" (my full Chrome user-agent is "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/0.2.149.27 Safari/525.13". Apple fixed the Carpet Bombing bug in a slightly later version. You see this sort of old version nonsense in open source a lot.

All of this goes to show that architecture can mitigate security bugs, but it can't eliminate them. Still, architectural changes in browsers can make a big positive difference in security and I applaud Google for trying. Have they actually accomplished what they have set out to do? That will take more than zero-day hacking to demonstrate. Will Chrome be good enough that users will go to the effort of installing and using it? That's a hard thing to do.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

For insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's blog Cheap Hack.





  Reader Comments: Google's Chrome Shakes Up Browser Design
>>> Post your comment now!
browser security
Hi, I'm Larry Seltzer. How important is an innovative security architecture to you?
Posted At: 09-03-08
By: Larry Seltzer
>>> Post your comment now!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Larry Seltzer
 


x}r۸j9kmH)ْcX+S$H"Hʎg~u~|.K&w-`h F?o~$ricÚ=^#;$T;87>{cϪUQ!CSQ2dDMs@ ;x|McjU3#jG-_ߨTھoùN }!*{|LJ%h' Qu3_眼ady4U+S8&CNM[ ȓ -Al<tif23!!k߶Rz$6iO4Cd jI$:2`ITi1܋msQހݑm.LNX\BZsÄ计G-ɣ1lI1F )432bYpt2XpnBlʆO?1 Il.ܺa?uoczZ;undᚯfvQw1T)v'`>6cݛQx~1ٮ \:f/Dzc{md۬E}ydޞhjPʊr+%_9ފW5=Ӱ_ Te󷷣jޥRT5MQ*U뢛!> Mݺ7k9Sn]wz>|l^^r - Fw߉+Q"*b.w2IhfAGIZmoVS7B-|%)ډS\'80q " J0zĢJ<7'SK߼^zMo]^H>߉egby 1=|J{ =#7獛KUs#kh~l5{H K|Hc0\28֪׷V7`GK']/sQ&Z#4<[* IͼEb96̇N/[g$#MLE}I 黺(-tSW3}.kS-AX*,>J~gXӀ7'1ddα(|úrN 'Y^uM'Jf-ͨ>ƿ#E/x%Kus7p#Sc΃wAwҪ9QZ' K+\M]eGWp57u;W~j7{&8^%glh|X.B2iK1.QW5MGTDv+/E*'8ʍ/;3B e&t/L?{Η > *:9u >ӱWeŞ!|emx=Z. G34!>&u dz'l`x0 }C1o̩T3ZL@"wK h&];TZ]60_9n0c@\:^(_jx?k1 !@&.$Hc"D%  h4AfjE|ENNlb($w$]q+P`z"®BI—BH {TKh+K@f:30YIBM&힟GѺń(VFNH!t0Vn)L2CɥaHīd- W6p7l{`(`R59J ȄiMJKx[2 ʸA6`/@DLl5I=mms\<"73ga[*gb>eۙ^g {BSjl3=Äや _%t0t/ma8_, {uaGKK1$A>8xp$'Z>pb`/R3̇Mάc!bcQ_,(9UPG[d"vd\6˰@e9ִ &=MӾOG z4n= 8R mX P`P݄scHL("`';s]rEaaj˓uUgPxW5wdd{>70MCLKw3:Ԥ4Q~Mքk&.=2z4bs8'}y _:3M?; q>3wI ~_m^٤?09X>.: ˟112& z#Cv5,? OˌPcGU*J9]sjTyEثV‡1"e H!3#2>z q[kh0h f;;pLj' 9rp+sJbOW2E޲iz=[CP$,/,4?~كLogg9~ɴ(vreP˷BgfRWo騙kQ_f葫V% lH@O" G~:T{F[,93?{˕B 2߼=n%t+>]8r_"1OR@7 PUL xg4DcG6jE+'F&-U*Z(lZlwc')ATb΁RPe@V^Aұg / O}1F/\]~;;4tʀkhG`d^rHUm{\ cԡw6]qTYe)re8e3 S`e3*勥"~gosJY-~ t­726PG#Iȕ?LJżAkB9@;a>&6c#uL>_HP?o3m\,*\vI *s>P|[ɷw>ք{+Tf6n{_L&7F@"'! M+Ԣ3,`j\Uܘό&dv!VV_&/!(0H_d`m٦dU]uvhEw%]7F4O}޹Kv1KF_ǤpB`uUCjlb0K=LAIP 4t>!!F}ׇ́{1ymhI6eDp0\<!>Ni 8֕Ys͏❐US:t{Oz܉ꗭwW, Y# B]6 ͦ npcQqH3z0M6 :uy͉b9kq*D|=x_5g@ܠ aԏgl5/OI֭ Bb.÷߅B!lL'<؇AP{ z P)'$V{YN αz_dA@npkz!NU ¯e,%$+e32p%5g:' <:9gdD>7Po>b ~_!cߗ&8~P6p Vf:nh}$#BR^'28/[=h1 OH/p]Zqly zsLfxLR9mũ͡ݱi'y0:&}8耒N>{7ORߣu]>MSs$S ФcdǡAgJȄaye5 a5R!MLCYOC/%$b;B2zw njwڀشƧ{6g3KZw{/GX ;[ ViH_8_`ꗁ",GwXkq)h[U+?vƇ!6 OY=x>tA^crU+|]ȩZ$}ݙ[piY,?hX;8AlG/syO+:Y,':]WO_,zϜGQM21?);f}Z,}HKG,a43&vb˒^\[5("Ξefk; ZulnWsk؞놅CF\u~o^էarJs $ނ.3Q':l 2'|4K$hnVwƭt&۽Vu,d1oqP:|}>--8t砚CTϑɘΧBAUU-uJln({jY9sJUOV2ld+N$Qd16P2]:pOʤEs5bw-u___3{KLW+<|}U,u׫2n8~J]åiD)]s2"v%ދJQɇyirГEDãCk&bi8W=T]}~ZcB*>dO1\jCk*zX 2?zԯk A[ʰ=DΙ a d<JLvNpw*'cc7ψF#%{gxySͰ&솃@|ՐqhZ0q ajcZqbuD{ʷχGɎ?wemz s2q TWeT7Ϧw_C !C94y˭ L H x̛+Vx[bT?3ׇ| |wxtnXJ3;~vk$rpV>] 1TԢR*JsfN9>@B.{ɍӤ舩/ MY6׶Gk QzZ}lGtQ"&x1=qw;J; amz/8vM:΂pjZU!aҲ�zʮ( Gl7(>.0n֞ b%䀞mRV q?9vt 3a&<틜lcafNҤ᲌K&k` HL](I@:2L<,W3Ks -T&"2<u)9~#Cq $CeQ0X 20,l7ǽ#&/H4&,;ʰ dMR^m!iMh[hcZ*j(38m&:&rEXx; ~أ7mZsy_NAOYrwHRc{Ri/ $G+voWݎJCycByY7zo4|R#7rsXe9,Mam̋P:i҄S\$˜b%wXef7c2A-#/>å'&uui0WXEpi+)kشjy}D{.'Ŵfg*|1Pg@؈=?|{*j5V VH.A5I?y%S?a@(1 rS=&L`y~W6Kb֪ԠwԴf ԟ yR`iXsמifJT%<~{l8 ""5D: ,788:2<:ڎWo8\{X{{咪JZu$[ Ei/MQ[`;wR/6ߖ:r @K)r9B"7MS{#ΣZdJV$+K=}K,-aHux7{ T.WTbp K$${D` Pؓ1 屈==iO)J+O{"vư0cHj MėuS^եr>W(Kx&"uZAA "=a.Qѵ$Imw!w&W&JPNmۗgҍ-$(_S j^۟A{F8\R"_wZ"܆>_RKoICT>KoIeE ۭo,fC`o߄B~^mQ{k/I^hD9.5q3; )uBIYxhl^.SH2L$|D8hMDUGOѯOjyl p&3GG8))))O9+i#e*@ly{~IŮlwJ=9uԕ&+=RN*j)^ep(`:[!<'  smV.}BH gGz63P@jZSl~ɾ#7cL2Pރ]`X3ڶ;xƓbƪ' &حBJi:Өo;6ͶLbP a0p 0+SL^(U}GR rj,m9A>)"JZ9W TA/ˎ\Va cYN:bQ:σqOEXv )y-Πs8Ȣ Sx CO!ުǿ^imrm;Bݴ H7,*,w$PuuKQHlv݀nx5Pui]Ym4G%0D(&q$%%W(}%3Q)7:ߠ8ϲWgcy< Z  ):ڶ_A(N= ՂԶaڲ&:Xt' 7*>x-^D8$lx' Mq'^iL ak A'.[؝ +| tY|V׍kPK› 6 ?/ dU]q`YmZ8K]T:b5MneiwS73?烐y{وj|ubC⪠8tF87?5*,✱ffmO% _dC5P D^WГutze!`*56Ư(C5/yjg闶SũK}ra5ɼ vu\FܓMɁawb6Y}gj /Q4q!u`CUٹ>-±9wCst{xyy&řݳYxH])GZHL7e ~Z+ R(CZPZ]’[Md]Irx8Q'55xg+a7ڝb9>#ǀŸ R".+> l?QXӑ2=S_7`\7W$_ \sb619܉P>sjpCVR*z~r[ZJ,w!Ydo={d&"rT K#XWxpU! &G8_[Z k>A0{[sblOk[btk;XiVi n&",i]қ, UlԭuЩltlQa=XXYe!EzFƟ"hO2lKaZ$e~TRuu cIZ"9˹R~NRP!߾3|YSJZ9 <t\F.1 Օ>.,Qku(y>e䅂ϕ7u| Ra*zd0=xߘTmPG ._IN~[t)l7b>X-^`v.'f`{(]YTFtV̻@'`{n/~݉K2&K=/#iйH Wk2B!1?/\mD ֝z_`9|ywΩmIZ L6vmAUK1wg%9ڥ]baIL`.0r6 @ȅn閁oe0h辎Ds(&53?b)&,]70b%t'jO570[b'h)6qq.?_"ƘSM)<ĬH P#SCw46I$AeЅ5T?0 kvn_r$[[ t bJ 7n,[I}!)7ݤ߄QT1g :᫜rT,Z5 х"Gwۇ/tX2/b53$#1> Cd2zބ8B XJW@7}H['ɍ䏖+623!jlr uZkC@%j.~V ]{@"8"x wuq0 S C;LOK (]AxoSa'h41챷rap>~ m#k^"ʑ5[QyTf8DTROaHP=SѩbX"b\1Q(pxi|zwfcnOK1(6@א0Halk.p26&1CLD:5 kd.FN1(@g )F(vZ]?-Q X G3wĥ4͒`&A=*H 0b9vqU@y'DD݂bAa~­!VS)Aw0\nabf9g6X`,2E<CezY<>wN we~qt>c<:27|LkP!񖃠jIQt#ߛw_x,bsS¤vpn"_o@<P, 4'6' w1y2{xbRVKJ!xeweX z؁zkwy<7NfQ3{8~ROcr%)29uV0`A5#i2ag4t\K~D<LB،Pnr'r޹&ur~lއuouisg5} &XNGݫ;ƧNyٽn]3sMlj_K}mP0,g $UdvʂT/&\ «X]+sxIx>+bh,.6 uQ[0%yї51دǠؼ?&fz uұq ZO[j8ٙEg!g8EIGM_-R͔8jz67alnq4ħeO:WL-0[E%eJ{(R?_C:0O)@y')8h4SϠls9<?R\~.Z[LH)RUJ9L}/\~ /SS o i?a>)l'U>Bǔ (H)# r߫J+@;)ȟȗN|}tS wS޿N22>_?m.!>BǴrǔ}}L ߤޤ  M u$!(Y SӔBvB/"ȋKOi射:O)@y<+*PB/ҮuRn L)/z)^}FN&Vӈ+ť&W*7iKxM}%ksF1jt ba 5KPe^ۛDcGP?ļY}摍 4pk 7"[yDYN{}tEOq>pqLw%<ߔ[nNJ>S\ȜH8VilL _7B0Ԯ@D1KA1w)ͥ,e5;H_5Zx>Ј{s3L=&96n z۵]#p} ~io'n[v<2kӫk+jkp'k͠~%cS$N^x_Uܯz܉eB'`Z`("B7)4\9)XO7n֜8^>LH$,R1iybP*fN~@# dϽC!N 3x uYcW oc_6Ypx^ȗ1co;4mFI#G1MHkfWvzz$_ Kq=v`"ESH!&hxO]-=x {;sH>Իsc-C{1L9 H\}T.Q " 2HH 2s{D|%MቛߝbswQH#Fe v"ѩ#a4`)A >'쭠F Aj]UPe$ӧ&ufG%=\eGY~l/>Eыp`HzB'=XO)Wb8p=*s&zu Th8WOS뚈1e#[~! zGMz1LJ1@Bo)b%&Tuobc|@ăx!$k0Up\2Gd!᳤c)"9.(2Vx9mKod'-Y L3t#-k 5RZs#~HRmLX%sDr1ߠ(b/<% * >.X&">m='>}AuӟIg"@2xܰwOeεaYcm/#8>XmQ޺Ϸ66x}RG1ުTU|,>cx g{Tc :|? Oe Mt8\<@ߦ ܐ}olI CWw 9@/7As| E Oɺ<l8@WD0;"vyun"sEX,8/# ufMrN햁OWtm:[ll/^q=ӸkAўYmQ7[ H2Q _a[0~OY+Kb?o&ʕ.Sܟ>CK̗a҃6^,{QFbzˮjRnã-$c-ԭ全<߀~6?c}'nNQMFڢ¾u4Mm\eљ&ߙqݼ¾,yXOlF\XۙD ya1 g'{yW=?5fO~m,e׎,,L[뙗Z']Y!hXjE" a~!#fK#fxY)[Rj2 1>-O9h<˜4W6AĶqyC6),3y`y/#xV*E .^ Ġo{e75{HR#zry}gLo舵q-Mhm”pbi#sS/f Ax&}{څGQlv* X>!ˣŬ"&D0Ȯ'eR:pshh۟ T*D#L0MmÄ2]"5isoq5~eיH8 pKj8 g! X^XpDT/D4NB}aEotiMV[o4ZW񲞃?`*XkECl_}'`bhP5c\UVF3&HZW'%_tohئ4*i29Z{)qͭ֫BmT˱Y#|Y;6Nv6̈́M .bF;f1Բv*Eg)