At The Heart Of Chrome
Alan: What is your current computer configuration and what Web browser do you use on a regular basis?
Collin: I try not to play favorites, spending equal time on IE, Firefox, Safari, Chrome, and Opera. My primary laptop is a Mac with VMWare Fusion running Windows XP, but I have Vista and Ubuntu machines around if I need them.
Adam: I have a bunch of computers that I use, but my favorite is my Mac Mini because it’s so small and quiet. As for browsers, I'm mostly using the Chrome 2 beta, but I've also been playing around with IE 8 because it's the new kid on the block.
Alan: Macs definitely seem to be a favorite among security researchers. One of the reasons we wanted to talk with you is to learn more about the security features of Chromium (the core of Google Chrome). Were both of you just asked to do the analysis of Chromium or were you involved with the original concept and implementation?
Adam: When we joined the project, the team had already decided to sandbox the rendering engine, but sandboxing the rendering engine isn't enough for security. You also need to think carefully about the interface between the browser kernel and the rendering engine. For example, how can you let users upload files to Web sites without letting the rendering engine read arbitrary files? That's the kind of thing we helped out with.
Alan: What were the goals of Chromium from a security standpoint?
Collin: Chromium's architecture is designed to protect against malware, file theft, and keylogging in the event that there's a vulnerability in the rendering engine. Chromium also provides industry-standard anti-malware and anti-phishing features such as Safe Browsing and Extended Validation. In Google Chrome, these features are complemented by an automatic update mechanism that lets Google roll out security fixes quickly if necessary.
Alan: Our readers understand the differences between multi-threaded and single-threaded applications when it comes to performance, but Chromium is built around multiple processes rather than a single process. How does that help with security rather than performance?
Adam: By separating the browser into multiple processes, Chromium can leverage security features built into the operating system to sandbox the rendering engine. Using separate processes also makes the interface between the components clear because the components can interact only via a narrow inter-process communication channel.