Comparing To The Competition
Adam: The DARPABrowser has very different security goals than Chromium. For example, the DAPRABrowser aims to limit the damage a compromised rendering engine can do while displaying an honest Web page. Worrying about these threats ends up making the privileged component as complex as the rendering engine, and it's not clear how much security that buys you.
Alan: Let’s move onto commercially available Web browsers. How is Internet Explorer’s “Protected Mode” different from what Chromium does?
Collin: Protected Mode is designed to protect local files from being overwritten by an attacker who exploits a browser vulnerability. This is a good start--it makes it harder for the attacker to install malware. But the attacker can still read all your files. There is a lot of important stuff on the file system and that's why the Chromium architecture is designed to protect the confidentiality of files as well.
Alan: Opera has made a big deal about supporting NX bit and ASLR. These are also features supported by IE8. Are they also implemented in Chromium?
Adam: Yes. Chromium uses NX, ASLR, and StackCheck.
Alan: While Mac OS X Leopard offers less security features than Windows Vista or Windows 7, it offers better safety because there are fewer threats. Dino A. Dai Zovi made the analogy of leaving your front door unlocked; whether or not you are safe depends on where you live. What are the technical challenges of implementing Chromium’s sandboxing on other operating systems, such as Mac OS X or Linux?
Adam: Mac OS X has a powerful built-in sandboxing mechanism that Chromium can use to sandbox its rendering engine. My understanding is that there are some challenges with drawing to the screen in a multi-process application, but I expect the team will find a clever solution. Different distributions of Linux offer different sandboxing mechanisms, including SELinux and AppArmor. The Linux team is evaluating which of these best fits Chromium's security needs.