Google Chrome OS Security Model Breaks the Traditional Mold

With Chrome OS, Google says it has abandoned the traditional operating system security model and put its focus on using process isolation, verified boot, encryption and system hardening to protect users.

Google previewed Chrome OS Nov. 19 and opened up about how its security strategy deviates from the traditional model for securing today's operating systems.

In a presentation, Google painted a picture of a slim operating system that uses a combination of sandboxing, encryption of user data and a verified boot process to protect users.

Google took some criticism earlier in 2009 when it made what some thought were extraordinary claims about Chrome OS-namely that its "users don't have to deal with viruses, malware and security updates." The claims touched off a round of speculation, and many analysts said at the time they expected Chrome OS to use its focus on supporting cloud applications to its advantage.

This prediction turned out to be correct.

"All the end-user applications are Web applications, and Web applications, as you know, have a different security model," explained Google Engineering Director Matthew Papakipos. "Their security model is [that] apps are treated at a system level as if they're fundamentally hostile ... Web applications can't change files on your hard disk [and] can't reconfigure your power settings-there are many things that Web applications intentionally cannot do that give it a better security profile."

"What this security sandbox means is that every tab that you run in Chrome OS is running completely locked down and separated from the other tabs on the system, but also from the underlying operating system," Papakipos continued. "We've protected the OS from Web applications [and] we've protected the Web applications from each other."

But Chrome OS' security actually begins with a process Google calls verified boot, where the system checks to make sure the user is running the most current version of the operating system.

"The essence of the verified boot process is that every time that you boot, we double-check to make sure that you are running what you should be running," he said. "So the basic concept is that [all components] of software in Chrome OS, from the firmware to the kernel to Chrome itself to the whole root file system, have what's called a cryptographic signature attached to them."

If a problem is detected with the signature, the system offers to reboot and then automatically downloads any necessary patches. At the file system level, Google made the root partition read-only, and everything on the user partition is encrypted, Papakipos said.

"This means that if some bad guy gets it, opens up your machine with a screwdriver, pulls out the drive [and] puts it in another computer, they'll have a very hard time reading those bits," he said. "As with all security, anything can be cracked, but we've made it very, very difficult."

More technical detail on how Google has hardened the operating system can be found here. Sundar Pichai, vice president of product management at Google, said the company is aiming to release a netbook running on Chrome OS around the end of 2010. While no operating system is going to be totally secure, it is possible to do better than the industry is today, he said.

"Security is not an abstract issue; it really makes a difference in the lives of people," Pichai said. "People struggle a lot with issues with their computers, so we really want to make it better."