Skip to main content

Exclusive Interview: Google Chrome's Chromium Core Explored

Playing In The Sandbox

Alan: So, if an attacker were to compromise the rendering engine, he still would not be able to circumvent the restriction on writing files because Windows treats the renderer process with restricted access? Unless the attacker could simultaneously crack Windows file security, the threat would be eliminated?

Collin: The threat would be contained within the renderer process, which is a big improvement from having your machine completely pwned. However, the rendering engine is responsible for enforcing origin isolation. If it's compromised, the attacker can try to interfere with that isolation and hijack your sessions with other sites.

Alan: What do you mean by origin isolation?

Collin: With a few exceptions for things like script libraries, Web applications are only supposed to read data from the "origin" server that served up the application. This isolation is what prevents from reading your Gmail, for example. However, a single instance of the rendering engine can often end up in charge of handling data from multiple origins, so Chromium lets the rendering engine handle the enforcement of this policy.

Alan: What happens when you run Chrome with the “safe plug-ins”

Adam: The --safe-plugins option is an experimental feature that causes Google Chrome to run plug-ins (like Flash Player and Windows Media Player) inside the sandbox. Sandboxing plug-ins helps mitigate vulnerabilities in these plug-ins, but might break some of their functionality. For example, a sandboxed plug-in won't be able to auto-update itself.

Alan: In order to take advantage of the most security features, users need to be running NTFS and Windows Vista. What specifically about FAT32 and Windows XP make them more vulnerable to attack?

Adam: The FAT32 file system doesn't have access control lists, so Windows doesn't prevent the rendering engine from accessing FAT32 files. In practice, most Windows users use the NTFS file system, which has been the default since Windows 2000. There are some minor differences in the sandbox on Windows XP and Windows Vista, but these differences are largely theoretical.

Alan: How does Chromium maintain compatibility with Web-based file uploads? What are the instances where the sandbox between the rendering engine and the browser kernel is broken?

Adam: To secure file uploads, we borrowed a trick from the capability literature. The browser kernel displays the file picker dialog and keeps track of which files the user has picked. Later, when the rendering engine asks to upload a file, the browser kernel checks to make sure the user actually picked that file for upload. Without this check, a compromised rendering engine would be able to read arbitrary files by uploading them to

Alan: Why limit the design to a rendering engine and a browser kernel? Why not break Chrome into even more sandboxes so that the cookie database and window management and are all sandboxed from each other, along the lines of Opus Palladium?

Collin: Breaking up the browser into separate sandboxed components is not free--it imposes performance costs and can be hard for developers to maintain. Furthermore, a sandboxed component is as powerful as the interface you provide it, so you have to design this interface carefully to make sure it can't be abused. Despite these obstacles, I suspect we'll see more fine-grained sandboxing in the future, and I'm happy that researchers are trying it out.

  • duckmanx88
    security features? im using chrome right now. love it. but this thing is far from secure. it shows you all your saved passwords with no protection. and i'd like to open my tabs on a page i select and not my most viewed sites for everyone to see.
  • thee_prisoner
    +1 Duckman, I also do not like to have my passwords saved. It is convenient to have your most viewed websites posted, but it can lead to issues with work. Even though I use this function, it might get messy in an environment where you have competitive co-workers to easily see what you are working on.

    What I would like to see, make it so that people have a way to access these features quickly, but still maintain some security.

    Really though in all browsers people can just look at your history of your websites that you visited, unless of course you delete your history all the time.

    Chrome is great. It is fast and easy to use.

    BTW, at least Berkeley and other state schools generally give you better well rounded education. I find accumulation of knowledge helps in all fields, we do not to become a world of engineers.

    Be seeing you...
  • interesting.. even if i dont know anything about coding....
    i love opera btw....!
  • csuftech
    @duckmanx88, given that it was the only browser that was not compromised at this years Pwn2Own contest, I would say it's pretty secure. Also, if you don't want the most visited sites page, go to Wrench > Options > Basics and then just click on "Open this page".
  • UC Berkeley is a second-rate school? Ha!
  • deltatux
    Been using Google Chrome since its release and it's fantastic, I love the security built into the browser and I love the multiprocess approach, makes a lot of sense.
  • sunraycer
    @csuftech: That's for the homepage right? I think he's talking about opening a TAB with the +. I'd also like to open to a page and not my most used page list. Nice as an option, but not as a forced function. I'd hope this would change when they have new versions. The settings are fairly sparse in Chrome in general. Hopefully they'll incorporate more. I've been using Chrome since I read the last article in this series and I'm starting to like it already. Might start trying to use the beta to see what's on the way...
  • Capability-based security is a nice topic, since it fits very well with general Internet infrastructure. I.e. there's no global system of roles, users and ACLs, but even now it's possible to build capability-based systems using browser cookies.

    Are there any developments in this area?
  • ossie
    "Macs definitely seem to be a favorite among security researchers."
    "In order to take advantage of the most security features, users need to be running NTFS and Windows Vista."
    "While Mac OS X Leopard offers less security features than Windows Vista or Windows 7, it offers better safety because there are fewer threats."

    Very funny mr. Dang. Your pathetic attempts to push m$ corporate spin failed miserably...
    No serious professional would use m$ crap for it's important work. OS X (BSD Unix) is still more secure than windblow$ even if you try hard to suggest otherwise.
  • dvader
    @ossie: you are pretty clueless, sir. Read the Charlie Miller interview.