In our continuing series on personal computing security, we're talking with Collin Jackson and Adam Barth to discuss the security features of Google Chrome. Both Collin and Adam are members of the Web Security Group at Stanford University. Collin is still finishing his PhD at Stanford, while Adam completed both his Master's degree and a PhD at Stanford. After completing his training at the Best School in the Bay Area, Adam spent some time as a post-doc at the second-rate public school across the bay (UC Berkeley). Both of them have worked at Google. While there, they were the lead authors on an academic analysis of the security architecture of Chromium, the core upon which Google Chrome is built.
Alan: Thanks for taking the time to talk with us. Let’s start with the basics. Why don’t you tell me a little bit about yourself? How did you decide to specialize in security research, and why did you both choose Stanford University?
Collin: I picked Stanford because it has top-notch professors working in a broad range of fields, and I wasn't yet sure what I wanted to do. When I got there, I got drawn into Web security because all the most interesting applications are moving to the Web, yet the details of the Web security model are still poorly understood.
Adam: I've been interested in security since I was a kid. One of my favorite games growing up was to invent ciphers for my friends to break. I chose Stanford because I have a personal connection with Stanford: I grew up in Palo Alto and my mother is a professor in the business school.
Alan: When I was in CS106B, I won first place in the programming contest (Fastest Algorithm: Panex Puzzle). The instructor was from Google, which was then only about a year and a half old. I’ve always wondered if I could have gotten a job at Google if I wanted to pursue a career in CS. What was the coolest thing about working at Google?
Adam: For me, the coolest thing about working at Google was being able to use their massive computing infrastructure to run experiments. For example, we used this infrastructure to optimize the security of Chrome's content sniffing algorithm (these experiments eventually led to this paper: http://www.adambarth.com/papers/2009/barth-caballero-song.pdf).
Alan: There have been a few designers who have recently left Google because they felt that the process was too bureaucratic. Was it hard to get them to let you run an experiment on a new algorithm using Google’s database of billions of Web pages as the data set, and then convince them to let you use the QA team to manually test the top 500 sites? How long did it take to run your algorithm through the billions of Web sites?
Adam: There wasn't any resistance to running the experiments. I'm not sure exactly how long they took to run, but it certainly took less time to run the experiments than to design them in the first place. We did this work in collaboration with the HTML 5 standardization effort, and we hope that other browsers can benefit from these experiments by adopting the HTML 5 content sniffing algorithm.

What I would like to see, make it so that people have a way to access these features quickly, but still maintain some security.
Really though in all browsers people can just look at your history of your websites that you visited, unless of course you delete your history all the time.
Chrome is great. It is fast and easy to use.
BTW, at least Berkeley and other state schools generally give you a better well-rounded education. I find accumulation of knowledge helps in all fields; we do not want to become a world of engineers.
Be seeing you...
I love Opera btw....!
Are there any developments in this area?
"In order to take advantage of the most security features, users need to be running NTFS and Windows Vista."
"While Mac OS X Leopard offers less security features than Windows Vista or Windows 7, it offers better safety because there are fewer threats."
Very funny mr. Dang. Your pathetic attempts to push m$ corporate spin failed miserably...
No serious professional would use m$ crap for its important work. OS X (BSD Unix) is still more secure than windblow$ even if you try hard to suggest otherwise.
Clueless users won't be able to protect themselves if they don't understand the implications of their actions and have at least some knowledge about the inner workings. Here lies the most damaging "contribution" of m$, as it lowered unprecedentedly the perceived needed knowledge and expectations of its lu$ers. Apple also isn't very far behind in dumbing down their system.
Mr. Miller is not a programmer, he's a math scientist and an OS-artist. We are - and U2 - mr. Ossie - are ordinary mortals compared to his skills.
As for mr. Lang. It's a bit unfair to accuse him of MS-bias. The Miller interview and now the Google interview are technically very good.
If you want OS-politics go to: wwww.slashdot.org.
"Clueless users won't be able to protect themselves."
Agree 100%, but the revelation that I hope these interviews will ultimately help readers understand is that even informed users are unable to protect themselves 100% of the time. Today's threats are different from those of an earlier computing generation. You can fully lock down your system, but then you miss out on rich media, etc. You have to run Lynx if you want a secure browser on the Mac... But that's a problem with the Mac not with BSD Unix. That said, the flash exploit from 2008 Pwn2Own that took down Vista would also have taken down Firefox/Flash on Linux...
The problems are pervasive, the solutions are unclear. In the end, security researchers gravitate toward the Mac because they accept that "everything" is insecure. Risk = Threat * Vulnerability * Consequence
Macs are highly vulnerable but have few threats/attacks. PCs are less vulnerable than Macs but have more threats and are therefore at higher risk. Linux is somewhere in between in terms of risk. No system has zero risk.
Mr. Miller did compromise just the user account under which the browser was running, and not the machine itself - it's a difficult concept to grasp for windblow$ lu$ers.
@alan Well, you might be apple-biased in other articles; in that one the bias was m$ oriented (that's the impression I got). I don't need vi$hta/drm to be more secure (that's an elusive desideratum in the m$ world); there are a lot of other possibilities which offer much more (real) security (better said, fewer vulnerabilities) than the (imaginary) UAC based one. While it's very difficult to escalate rights in a well designed multi-user/tasking OS (*nix), that's not the case with windblow$, as history teaches us over and over again. The more security (an oxymoron in conjunction with m$) "features" (not a bug) of windblow$ don't offer more safety than OS X. Informed users prefer OS X (or linux and other *nix-es) over windblow$ for its much more secure inner core (BSD), and can evade threats by not using vulnerable applications, or limit potential damage by sandboxing them (chroot, VMs, etc.).
As for the theory of "more threats = higher risk", so dear to m$ evangelists (to "explain" windblow$ failures), most servers on the internet are *nix based and proved to be quite secure, despite a lot of "benevolent" people trying to compromise them - windblow$ is a much more facile target.
Regarding the false Mac/PC dialectics, it's pure BS. Macs are PCs - it's the same (now almost identical) HW architecture. Just the OS differs: OS X, windblow$, DOS-es, and the rest of *nix-es. If you run linux, isn't it an (IBM compatible) PC anymore?
Sadly, from those interviews the typical windblow$ lu$er is getting just the impression that other OS-es are (more) vulnerable - see the "tied in" commentary above - and not some crappy designed application/browser/plugin, with limited effects (on the underlying OS, if it's well designed). Also they get no clue about the OS/app partitioning, where the vulnerabilities are, and how to limit their (potential) damage, resulting just in the usual "Windows is great(er/est)" comments. The lack of education and knowledge spells disaster.
On record, I don't believe that any single platform can provide adequate security. The best solution is heterogeneous computing -- the equivalent of genetic variability. This includes software diversity including Linux, but also hardware diversity. We have BIOS hacks in proof of concept stages. Imagine if the US government uses the same Dell platform across the nation. If that system's BIOS is compromised via a 0-day remote flaw, every system is vulnerable. Same thing. Imagine if we all switched to Firefox and someone discovered a new flaw that allowed remote execution.
Don't think it can't happen. Think about when Red Hat's private keys were compromised allowing someone to randomly sign packages containing malware, or Debian's OpenSSL bug which existed for years...
What an uninformed reader would understand, is that he needs to run vi$hta, to be secure - the direct implication for him is, the other OS-es are insecure, except m$'s one. That's what I call bias.
Of course, no OS is fully secure, but m$'s are notoriously insecure - there is no benefit for consumers to paint it in a different light. Your statements were not at all neutral, and it's obvious, and I don't hide it, that I have a very critical attitude towards the business practices of m$ and their so called OS, which is geared solely to generate profit for themselves.
I am also critical of every other OS's aspects that affect its security or functionality, and that includes OS X and unnecessarily dumbed down linuxes. The way some software vendors try to "make it easy" for the user has direct negative implications on the security of their products and their ecosystem. The lu$er has no clue about how it works and to what dangers he exposes himself and others. For a moment, try to conceptualize an environment in which car drivers with the equivalent average knowledge of m$ product users were let loose. I shiver at that thought.
Your genetic variability argument would have more validity in a heterogeneous threat environment, but in our real world we have mostly a single endangered species, with almost no variability, artificially sustained by a monopolistic economic behavior. The most damaging contribution of m$ is to give the lu$er the illusion of being in control of the machine. Sadly, other vendors followed suit.
Your BIOS hack example is just another aspect of the wrong evolution caused by ignoring the KISS principle. As there are a lot of chipsets and Flash/EEPROM chips, with different programming interfaces, it's still very difficult to write a universal BIOS malware. Also, the boot block should always be write protected, to enable BIOS recovery, even if the rest of the BIOS is corrupted. CIH/Chernobyl opened the way, but it only hosed the HDD and BIOS on select M/B (TX), over a decade ago - 26 April is just a few days away.
That's small fish, you forgot the failed attempt to insert a backdoor in the linux kernel source...
I'd rather trust an open entity - linux folks are much more open on disclosing such blunders - than a corporation, who's first, and usually only, reaction is to push it under the rug.
Remember the Cisco IOS blunder? Their "solution" was litigation and gagging.
I would be more worried by trendy HW RA technologies, like intel's AMT and vPro - a single critical point of failure. If it's hacked, the damage would be incommensurable.
The other detail to always keep in mind is that these interviews are designed for the Tom's Hardware reader (not Tom's Guide, or a general mainstream reader). I do think Vista is more secure than XP thanks to things like ASLR, better TCP/IP protection, etc. I don't think a single reader thinks that Vista is the *only* secure operating system as you suggest. That is just your bias and inability to write Microsoft with an "S" rather than a $.
A good car driver needs to know how to drive defensively and how to interpret road signs. Knowing if his wireless remote is frequency hopping or not, or knowing how to rebuild the engine, is not critical. In the perfect world, all users would be intelligent. In the real world, computers are ubiquitous and their value is so immense that anyone and everyone has a computer. Do you truly think that a user of an OLPC will have the full understanding of the security issues of a networked system?
We agree on the genetic variability argument. We should not be running in a world dominated by Microsoft operating systems. But that's true for any dominant force. If OpenBSD had a monopoly, you'd have many of the same problems (but less so, given that OpenBSD has inherently fewer vulnerabilities than Windows due to audited code).
Intel AMT, vPro, etc. all true -- but more and more, threats are for specific targets. A company running a single brand of computer with a single configuration may have easier IT management, but places itself at higher risk for attack. Companies should consider the risks/benefits of running single platforms versus multiple platforms and decide for themselves what the right course of action is.
That's a good point, as m$ encourages the world and its dog to use fat(32) for portable storage. While exFAT will supposedly support ACLs, it's still a long way to its wide adoption - and m$'s patent/royalties model will not exactly encourage it.
ASLR is still in its infancy, and the perceived/advertised security improvements are much too optimistic, as its usage is quite limited.
I wouldn't be so sure that there is no reader to consider vi$hta to be the non plus ultra of current secure OSs - you are neglecting the m$ fanboyism on TH.
As long as m$ proves all over again that their single major goal is profit and control at all costs (especially customers ones), customer needs usually remaining aside along the road, it's the only fit way to describe them (and I would never use an "S" in place of an "s"). Also, their blunders "fixes" are of debatable quality and benefit to the customer.
While you mentioned the TCP/IP stack, let's see some of m$'s "fixes":
- to "limit"(?) malware spread, since xpire sp2, the number of simultaneous opening connections is limited to 10 - that is affecting the whole network stack, including internet and LAN. Did you ever wonder why your shiny new fast connection is sometimes so sloppy?
If you think that it just happened once, the same "innovative" approach was used again in vi$hta.
- to "prevent"(?) media playback skipping in "heavy network traffic", m$ implemented a "fix", by choking other network connections. Another side effect, was also high CPU load during media play and choked network traffic.
That "problem solving" approach is akin to carpet bombing a village and killing everyone, just to get some supposedly hidden hostiles. Sounds familiar? That's exactly the current policy for some governments/armed forces.
In that light, I'm wondering how much other less known "innovation" is hidden in m$ products, which is affecting customers.
A good driver does not necessarily know in detail the physics/chemistry/mathematics behind his car, but some general knowledge notions are indispensable. In the "modern" real world we have sadly obtained the button-pushing idiot, who has no clue of the effects of his actions.
An OLPC user doesn't need to know the full implications, but he really should know that there are some, and it would be good for him, and the others, to know at least the dangerous ones, and how to prevent damage. The lack of common education in computer(ised) equipment usage is staggering, and the most damaging effect is generated by the illusion encouraged by m$, and similar vendors, that the lu$er is in control.
That's exactly the crux of security, auditing critical code offers a lot more assurance that no nasty surprises are hidden - even if some corporate entities favor security by obscurity.
There is nothing wrong in itself with using a standardized platform, as long as the risks are correctly estimated and properly taken care of. But, more often than not, enterprises trust some third party "miraculous" security solutions whose inner workings they have no knowledge about.
As for the RM tools mentioned previously, there is no easy way to get more variation in platforms, as they are almost exclusively intel and those tools are forged in HW. All boils down to trust in some outside entity. Who do you really trust, blindly and unquestionably?
"if you don't formulate your questions accordingly unambiguous, you'll get the corresponding reaction, more often different to the expected one."
You're telling him to structure his questions properly when you can't even do that yourself. It's painful reading what you've written thus far. The worthwhile portions of your arguments are clouded by terrible analogies, horrific grammar, and unnecessary misspellings of words. Some slang can be used to make a point but when you are unable to even follow an M with an S, just say XP, or stop abusing quotation marks your bias becomes palpable. You've spent the entire time crucifying Alan for speaking from a place of bias and for being a Microsoft fanboy, but are you in any position to talk?