Comparing To The Competition

Exclusive Interview: Google Chrome's Chromium Core Explored
Alan: Speaking of other browsers born in the research lab, DARPABrowser was developed as part of a research contract from the Defense Advanced Research Projects Agency. If JavaScript were disabled, do you think Chrome could offer the same level of security?

Adam: The DARPABrowser has very different security goals than Chromium. For example, the DARPABrowser aims to limit the damage a compromised rendering engine can do while displaying an honest Web page. Worrying about these threats ends up making the privileged component as complex as the rendering engine, and it's not clear how much security that buys you.

Alan: Let’s move on to commercially available Web browsers. How is Internet Explorer’s “Protected Mode” different from what Chromium does?

Collin: Protected Mode is designed to protect local files from being overwritten by an attacker who exploits a browser vulnerability. This is a good start--it makes it harder for the attacker to install malware. But the attacker can still read all your files. There is a lot of important stuff on the file system and that's why the Chromium architecture is designed to protect the confidentiality of files as well.

Alan: Opera has made a big deal about supporting NX bit and ASLR. These are also features supported by IE8. Are they also implemented in Chromium?

Adam: Yes. Chromium uses NX, ASLR, and StackCheck.

Alan: While Mac OS X Leopard offers less security features than Windows Vista or Windows 7, it offers better safety because there are fewer threats. Dino A. Dai Zovi made the analogy of leaving your front door unlocked; whether or not you are safe depends on where you live. What are the technical challenges of implementing Chromium’s sandboxing on other operating systems, such as Mac OS X or Linux?

Adam: Mac OS X has a powerful built-in sandboxing mechanism that Chromium can use to sandbox its rendering engine. My understanding is that there are some challenges with drawing to the screen in a multi-process application, but I expect the team will find a clever solution. Different distributions of Linux offer different sandboxing mechanisms, including SELinux and AppArmor. The Linux team is evaluating which of these best fits Chromium's security needs.

  • 5
    duckmanx88 , April 17, 2009 7:08 AM
    Security features? I'm using Chrome right now. Love it. But this thing is far from secure. It shows you all your saved passwords with no protection. And I'd like to open my tabs on a page I select and not my most viewed sites for everyone to see.
  • 1
    thee_prisoner , April 17, 2009 10:01 AM
    +1 Duckman, I also do not like to have my passwords saved. It is convenient to have your most viewed websites posted, but it can lead to issues with work. Even though I use this function, it might get messy in an environment where you have competitive co-workers to easily see what you are working on.

    What I would like to see, make it so that people have a way to access these features quickly, but still maintain some security.

    Really though in all browsers people can just look at your history of your websites that you visited, unless of course you delete your history all the time.

    Chrome is great. It is fast and easy to use.

    BTW, at least Berkeley and other state schools generally give you better well rounded education. I find accumulation of knowledge helps in all fields, we do not to become a world of engineers.

    Be seeing you...
  • 0
    Anonymous , April 17, 2009 11:37 AM
    Interesting.. even if I don't know anything about coding....
    I love Opera btw....!
  • 1
    csuftech , April 17, 2009 5:59 PM
    @duckmanx88, given that it was the only browser that was not compromised at this year's Pwn2Own contest, I would say it's pretty secure. Also, if you don't want the most visited sites page, go to Wrench > Options > Basics and then just click on "Open this page".
  • 0
    Anonymous , April 17, 2009 6:02 PM
    UC Berkeley is a second-rate school? Ha!
  • 0
    deltatux , April 17, 2009 8:25 PM
    Been using Google Chrome since its release and it's fantastic, I love the security built into the browser and I love the multiprocess approach, makes a lot of sense.
  • 0
    sunraycer , April 17, 2009 9:52 PM
    @csuftech: That's for the homepage right? I think he's talking about opening a TAB with the +. I'd also like to open to a page and not my most used page list. Nice as an option, but not as a forced function. I'd hope this would change when they have new versions. The settings are fairly sparse in Chrome in general. Hopefully they'll incorporate more. I've been using Chrome since I read the last article in this series and I'm starting to like it already. Might start trying to use the beta to see what's on the way...
  • 0
    Anonymous , April 18, 2009 2:12 AM
    Capability-based security is a nice topic, since it fits very well with general Internet infrastructure. I.e. there's no global system of roles, users and ACLs, but even now it's possible to build capability-based systems using browser cookies.

    Are there any developments in this area?
  • -2
    ossie , April 18, 2009 9:46 AM
    "Macs definitely seem to be a favorite among security researchers."
    "In order to take advantage of the most security features, users need to be running NTFS and Windows Vista."
    "While Mac OS X Leopard offers less security features than Windows Vista or Windows 7, it offers better safety because there are fewer threats."

    Very funny mr. Dang. Your pathetic attempts to push m$ corporate spin failed miserably...
    No serious professional would use m$ crap for its important work. OS X (BSD Unix) is still more secure than windblow$ even if you try hard to suggest otherwise.
  • 0
    dvader , April 18, 2009 8:24 PM
    @ossie: you are pretty clueless, sir. Read the Charlie Miller interview.
  • 0
    shurcooL , April 19, 2009 3:05 AM
    I love Chrome too, but mostly for its amazing UI/usability. I can get to pretty much any of my favourite websites with just 3-5 key strokes. Ctrl+T, type 1-3 letters, enter. No other browser comes even close. Oh, and I don't really like/use favourites for commonly visited sites.
  • 0
    ossie , April 19, 2009 9:46 AM
    And you, mr. dvader are even less than clueless. A Safari browser vulnerability (that means an application with explicit luser contribution) was used to hack the used macbook user account and not the OS itself. I clearly specified the underlying BSD Unix and not some crap added by apple.
    Clueless users won't be able to protect themselves, if they don't understand the implications of their actions and have at least some knowledge about the inner workings. Here lies the most damaging "contribution" of m$, as it lowered unprecedentedly the perceived needed knowledge and expectations of its lu$ers. Apple also isn't very far behind in dumbing down their system.
  • 0
    dvader , April 19, 2009 12:16 PM
    @ossie: Surely, you can not accuse Mr. Charlie Miller of not knowing anything about the inner workings of OSX. Denying that Safari is not tied into OSX is just plain wrong.
    Mr. Miller is not a programmer, he's a math scientist and an OS-artist. We are - and U2 - mr. Ossie - are ordinary mortals compared to his skills.

    As for mr.Lang. It's a bit unfair to accuse him of MS-bias. The Miller interview and now the Google interview are technically very good.

    If you want OS-politics go to : wwww.slashdot.org.



  • 1
    AlanDang , April 19, 2009 1:35 PM
    Don't forget about my interview with Dino A. Dai Zovi either. Charlie Miller is ex-NSA. Dino A. Dai Zovi is ex-Sandia Red Team. The funny thing is that I've been accused of being both MS-biased and Apple-biased ;) 

    "Clueless users won't be able to protect themselves."

    Agree 100%, but the revelation that I hope these interviews will ultimately help readers understand is that even informed users are unable to protect themselves 100% of the time. Today's threats are different from those of an earlier computing generation. You can fully lock down your system, but then you miss out on rich media, etc. You have to run Lynx if you want a secure browser on the Mac... But that's a problem with the Mac not with BSD Unix. That said, the flash exploit from 2008 Pwn2Own that took down Vista would also have taken down Firefox/Flash on Linux...

    The problems are pervasive, the solutions are unclear. In the end, security researchers gravitate toward the Mac because they accept that "everything" is insecure. Risk = Threat * Vulnerability * Consequence

    Macs are highly vulnerable but have few threats/attacks. PCs are less vulnerable than Macs but have more threats and therefore at higher risk. Linux is somewhere in between in terms of risk. No system has zero risk.
  • 0
    ossie , April 19, 2009 8:29 PM
    @dvader Don't confuse OS X with windblow$. Safari is just an application, it's not "tied into" OS X, as exploder in windblow$ - that's the exclusive monumental "innovation" of mr. BillG's "The Internet? We are not interested in it" team.
    Mr. Miller did compromise just the user account under which the browser was running, and not the machine itself - it's a difficult concept to grasp for windblow$ lu$ers.

    @alan Well, you might be apple-biased in other articles, in that one the bias was m$ oriented (that's the impression I got). I don't need vi$hta/drm to be more secure (that's an elusive desideratum in m$ world), there are a lot of other possibilities which offer much more (real) security (better said less vulnerabilities) as the (imaginary) UAC based one. While it's very difficult to escalate rights in a well designed multi-user/tasking OS (*nix), that's not the case with windblow$, as history teaches us over and over again. The more security (an oxymoron in conjunction with m$) "features" (not a bug) of windblow$ don't offer more safety than OS X. Informed users prefer OS X (or linux and other *nix-es) over windblow$, for its much more secure inner core (BSD), and can evade threats by not using vulnerable applications, or limiting potential damage by sandboxing them (chroot, VMs, etc.).
    As for the theory of "more threats = higher risk", so dear to m$ evangelists (to "explain" windblow$ failures), most servers on the internet are *nix based and proved to be quite secure, despite a lot of "benevolent" people trying to compromise them - windblow$ is a much more facile target.
    Regarding the false Mac/PC dialectics, it's pure BS. Macs are PCs - it's the same (now almost identical) HW architecture. Just the OS differs: OS X, windblow$, DOS-es, and the rest of *nix-es. If you run linux, isn't it an (IBM compatible) PC anymore?
    Sadly, from those interviews the typical windblow$ lu$er is getting just the impression that other OS-es are (more) vulnerable - see the "tied in" commentary above - and not some crappy designed application/browser/plugin, with limited effects (on the underlying OS, if it's well designed). Also they get no clue about the OS/app partitioning, where the vulnerabilities are, and how to limit their (potential) damage, resulting just in the usual "Windows is great(er/est)" comments. The lack of education and knowledge spells disaster.
  • 4
    AlanDang , April 19, 2009 9:06 PM
    These interviews are really just questions. At the end of the day, anyone who believes that Apple is 100.0% awesome or Microsoft is 100.0% awesome is delusional. There are strengths and weaknesses to each platform and people who claim that I'm biased for one or the other are simply missing the point. If you come to the article with an anti-MS bias, you'll read into neutral statements as being anti-MS. You see my interview as being pro-MS when I talk about strengths of Vista. On the other hand, every security researcher I've interviewed uses a Mac and I use a Mac too, and this is mentioned. Someone who's anti-Apple will see me being biased in favor of Apple.

    On record, I don't believe that any single platform can provide adequate security. The best solution is heterogeneous computing -- the equivalent of genetic variability. This includes software diversity including Linux, but also hardware diversity. We have BIOS hacks in proof of concept stages. Imagine if the US government uses the same Dell platform across the nation. If that system's BIOS is compromised via a 0-day remote flaw, every system is vulnerable. Same thing. Imagine if we all switched to Firefox and someone discovered a new flaw that allowed remote execution.

    Don't think it can't happen. Think about when Red Hat's private keys were compromised allowing someone to randomly sign packages containing malware, or Debian's OpenSSL bug which existed for years...
  • 0
    ossie , April 20, 2009 10:57 AM
    I agree, that interviews should (mostly) be good questions from the interviewer and (hopefully better) answers from the interviewee. But, when your question is formulated like a conclusion with a question attached: "In order to take advantage of the most security features, users need to be running NTFS and Windows Vista. What specifically about FAT32 and Windows XP make them more vulnerable to attack?", it's not any more an interview, it's biasing the discussion towards a desired response. Adam's answer was quite clear: there is no practical difference between xpire and vi$hta "security". As for the FAT32 question, Adam was more than polite, by pointing out the obvious.
    What an uninformed reader would understand, is that he needs to run vi$hta, to be secure - the direct implication for him is, the other OS-es are insecure, except m$'s one. That's what I call bias.
    Of course, no OS is fully secure, but m$'s are notoriously unsecure - there is no benefit for consumers to paint it in a different light. Your statements were not at all neutral, and it's obvious, and I don't hide it, that I have a very critical attitude towards the business practices of m$ and their so called OS, which is geared solely to generate profit for themselves.
    I also am critical on every other OS's aspects that affect its security or functionality, and that includes OS X and unnecessarily dumbed down linuxes. The way some software vendors try to "make it easy" to the user, has direct negative implications on the security of their products, and their ecosystem. The lu$er has no clue about how it works and to what dangers he exposes himself and others. For a moment, try to conceptualize an environment in which car drivers with the equivalent average knowledge of m$ product users, were let loose. I shiver at that thought.
    Your genetic variability argument would have more validity in an heterogeneous threat environment, but in our real world we have mostly a single endangered species, with almost no variability, artificially sustained by a monopolistic economic behavior. The most damaging contribution of m$ is to create the lu$er the illusion to be in control of the machine. Sadly, other vendors followed suit.
    Your BIOS hack example is just another aspect of the wrong evolution caused by ignoring the KISS principle. As there are a lot of chipsets and Flash/EEPROM chips, with different programming interfaces, it's still very difficult to write a universal BIOS malware. Also, the boot block should always be write protected, to enable BIOS recovery, even if the rest of the BIOS is corrupted. CIH/Chernobyl opened the way, but it only hosed the HDD and BIOS on select M/B (TX), over a decade ago - 26 april is just a few days away ;)  . Lessons learned? Almost none, it seems. For some penny pinching, the same chip is still used to store and update system configuration data, so it can't be easily HW write-protected.
    That's small fish, you forgot the failed attempt to insert a backdoor in the linux kernel source...
    I'd rather trust an open entity - linux folks are much more open on disclosing such blunders - than a corporation, whose first, and usually only, reaction is to push it under the rug.
    Remember the Cisco IOS blunder? Their "solution" was litigation and gagging.
    I would be more worried by trendy HW RA technologies, like intel's AMT and vPro - a single critical point of failure. If it's hacked, the damage would be incommensurable.
  • 3
    AlanDang , April 20, 2009 4:04 PM
    The NTFS/Vista thing reflects the "holes" in the sandbox. Chromium is application-based sandboxing and mounted FAT32 drives do not have any protection through the sandbox. The TCP/IP stack in Windows XP also does adhere to the sandbox protection (while it does in Windows Vista). This means that a compromise of the sandboxed renderer can open up ports in XP but not in Vista. The question was designed to get a response regarding these details.

    The other detail to always keep in mind is that these interviews are designed for the Tom's Hardware reader (not Tom's Guide, or a general mainstream reader). I do think Vista is more secure than XP thanks to things like ASLR, better TCP/IP protection, etc. I don't think a single reader thinks that Vista is the *only* secure operating system as you suggest. That is just your bias and inability to write Microsoft with an "S" rather than a $.

    A good car driver needs to know how to drive defensively and how to interpret road signs. Knowing if his wireless remote is frequency hopping or not, or knowing how to rebuild the engine is not critical. In the perfect world, all users would be intelligent. In the real world, computers are ubiquitous and their value is so immense that anyone and everyone has a computer. Do you truly think that a user of a OLPC will have the full understanding of the security issues of a networked system?

    We agree on the genetic variability argument. We should not be running in a world dominated by Microsoft operating systems. But that's true for any dominant force. If OpenBSD had a monopoly, you'd have many of the same problems (but less so, given that OpenBSD has inherently fewer vulnerabilities than Windows due to audited code).

    Intel AMT, vPro, etc. all true -- but more and more, threats are for specific targets. A company running a single brand of computer with a single configuration may have easier IT management, but place itself at higher risk for attack. Companies should consider the risk/benefits of running single platforms versus multiple platforms and decide for themselves what the right course of action is.
  • -3
    ossie , April 21, 2009 9:40 AM
    Even if that were your intentions, if you don't formulate your questions accordingly unambiguous, you'll get the corresponding reaction, more often different to the expected one.
    That's a good point, as m$ encourages the world and its dog to use fat(32) for portable storage. While exFAT will supposedly support ACLs, it's still a long way to its wide adoption - and m$'s patent/royalties model will not exactly encourage it.

    ASLR is still in its infancy, and the perceived/advertised security improvements are much too optimistic, as its usage is quite limited.
    I wouldn't be so sure that there is no reader to consider vi$hta to be the non plus ultra of current secure OSs - you are neglecting the m$ fanboyism on TH.

    As long as m$ proves all over again that their single major goal is profit and control at all costs (especially customers ones), customer needs usually remaining aside along the road, it's the only fit way to describe them (and I would never use an "S" in place of an "s"). Also, their blunders "fixes" are of debatable quality and benefit to the customer.

    While you mentioned the TCP/IP stack, let's see some of m$'s "fixes":
    - to "limit"(?) malware spread, since xpire sp2, the number of simultaneous opening connections is limited to 10 - that is affecting the whole network stack, including internet and LAN. Did you ever wonder why your shiny new fast connection is sometimes so sloppy?
    If you think that it just happened once, the same "innovative" approach was used again in vi$hta.
    - to "prevent"(?) media playback skipping in "heavy network traffic", m$ implemented a "fix", by choking other network connections. Another side effect, was also high CPU load during media play and choked network traffic.
    That "problem solving" approach is akin carpet bombing a village and killing everyone, just to get some supposedly hidden hostiles. Sounds familiar? That's exactly current policy for some governments/armed forces.
    In that light, I'm wondering how much other less known "innovation" is hidden in m$ products, which is affecting customers.

    A good driver does not necessarily know in detail the physics/chemistry/mathematics behind his car, but some general knowledge notions are indispensable. In the "modern" real world we have sadly obtained the button-pushing idiot, which has no clue of the effects of his actions.
    A OLPC user doesn't need to know the full implications, but he really should need to know that there are some, and it would be good for him, and the others, to know at least the dangerous ones, and how to prevent damage. The lack of common education in computer(ised) equipment usage is staggering, and the most damaging effect is generated by the illusion encouraged by m$, and similar vendors, that the lu$er is in control.

    That's exactly the crux of security, auditing critical code offers a lot more assurance that no nasty surprises are hidden - even if some corporate entities favor security by obscurity.

    There is nothing wrong in itself by using a standardized platform, as long the risks are correctly estimated and properly taken care of. But, more often than not, enterprises trust some third party "miraculous" security solutions of which inner workings they have no knowledge about.
    As for the RM tools mentioned previously, there is no easy way to get more variation in platforms, as they are almost exclusively intel and those tools are forged in HW. All boils down to trust in some outside entity. Who do you really trust, blindly and unquestionably?
  • 2
    amenpotep , April 21, 2009 3:59 PM
    Seriously?

    "if you don't formulate your questions accordingly unambiguous, you'll get the corresponding reaction, more often different to the expected one."

    You're telling him to structure his questions properly when you can't even do that yourself. It's painful reading what you've written thus far. The worthwhile portions of your arguments are clouded by terrible analogies, horrific grammar, and unnecessary misspellings of words. Some slang can be used to make a point but when you are unable to even follow an M with an S, just say XP, or stop abusing quotation marks your bias becomes palpable. You've spent the entire time crucifying Alan for speaking from a place of bias and for being a Microsoft fanboy, but are you in any position to talk?