Exclusive Interview: Google Chrome's Chromium Core Explored

In our continuing series on personal computing security, we’re talking with Collin Jackson and Adam Barth to discuss the security features of Google Chrome. Both Collin and Adam are members of the Web Security Group at Stanford University. Collin is still finishing his PhD at Stanford, while Adam completed both his Master's degree and a PhD at Stanford. After completing his training at the Best School in the Bay Area, Adam spent some time as a post-doc at the second-rate public school across the bay (UC Berkeley). Both of them have worked at Google. While there, they were the lead authors on an academic analysis of the security architecture of Chromium, the core upon which Google Chrome is built.

Alan: Thanks for taking the time to talk with us. Let’s start with the basics. Why don’t you tell me a little bit about yourself? How did you decide to specialize in security research, and why did you both choose Stanford University?

Collin: I picked Stanford because it has top-notch professors working in a broad range of fields, and I wasn't yet sure what I wanted to do. When I got there, I got drawn into Web security because all the most interesting applications are moving to the Web, yet the details of the Web security model are still poorly understood.

Adam: I've been interested in security since I was a kid. One of my favorite games growing up was to invent ciphers for my friends to break. I chose Stanford because I have a personal connection with Stanford: I grew up in Palo Alto and my mother is a professor in the business school.

Alan: When I was in CS106B, I won first place in the programming contest (Fastest Algorithm: Panex Puzzle). The instructor was from Google, which was then only about a year and a half old. I’ve always wondered if I could have gotten a job at Google if I wanted to pursue a career in CS. What was the coolest thing about working at Google?

Adam: For me, the coolest thing about working at Google was being able to use their massive computing infrastructure to run experiments. For example, we used this infrastructure to optimize the security of Chrome's content sniffing algorithm (these experiments eventually led to this paper: http://www.adambarth.com/papers/2009/barth-caballero-song.pdf).

Alan: There have been a few designers who have recently left Google because they felt that the process was too bureaucratic. Was it hard to get them to let you run an experiment on a new algorithm using Google’s database of billions of Web pages as the data set, and then convince them to let you use the QA team to manually test the top 500 sites? How long did it take to run your algorithm through the billions of Web sites?

Adam: There wasn't any resistance to running the experiments. I'm not sure exactly how long they took to run, but it certainly took less time to run the experiments than to design them in the first place. We did this work in collaboration with the HTML 5 standardization effort, and we hope that other browsers can benefit from these experiments by adopting the HTML 5 content sniffing algorithm.

Comment from the forums
  • duckmanx88
    security features? I'm using chrome right now. love it. but this thing is far from secure. it shows you all your saved passwords with no protection. and I'd like to open my tabs on a page I select and not my most viewed sites for everyone to see.
  • thee_prisoner
    +1 Duckman, I also do not like to have my passwords saved. It is convenient to have your most viewed websites posted, but it can lead to issues with work. Even though I use this function, it might get messy in an environment where you have competitive co-workers to easily see what you are working on.

    What I would like to see: make it so that people have a way to access these features quickly, but still maintain some security.

    Really though, in all browsers people can just look at your history of the websites that you visited, unless of course you delete your history all the time.

    Chrome is great. It is fast and easy to use.

    BTW, at least Berkeley and other state schools generally give you a better, well-rounded education. I find accumulation of knowledge helps in all fields; we do not need to become a world of engineers.

    Be seeing you...
  • Anonymous
    interesting.. even if I don't know anything about coding....
    I love Opera btw....!
  • csuftech
    @duckmanx88, given that it was the only browser that was not compromised at this year's Pwn2Own contest, I would say it's pretty secure. Also, if you don't want the most visited sites page, go to Wrench > Options > Basics and then just click on "Open this page".
  • Anonymous
    UC Berkeley is a second-rate school? Ha!
  • deltatux
    Been using Google Chrome since its release and it's fantastic, I love the security built into the browser and I love the multiprocess approach, makes a lot of sense.
  • sunraycer
    @csuftech: That's for the homepage right? I think he's talking about opening a TAB with the +. I'd also like to open to a page and not my most used page list. Nice as an option, but not as a forced function. I'd hope this would change when they have new versions. The settings are fairly sparse in Chrome in general. Hopefully they'll incorporate more. I've been using Chrome since I read the last article in this series and I'm starting to like it already. Might start trying to use the beta to see what's on the way...
  • Anonymous
    Capability-based security is a nice topic, since it fits very well with general Internet infrastructure. I.e. there's no global system of roles, users and ACLs, but even now it's possible to build capability-based systems using browser cookies.

    Are there any developments in this area?
  • ossie
    "Macs definitely seem to be a favorite among security researchers."
    "In order to take advantage of the most security features, users need to be running NTFS and Windows Vista."
    "While Mac OS X Leopard offers less security features than Windows Vista or Windows 7, it offers better safety because there are fewer threats."

    Very funny Mr. Dang. Your pathetic attempts to push m$ corporate spin failed miserably...
    No serious professional would use m$ crap for its important work. OS X (BSD Unix) is still more secure than windblow$ even if you try hard to suggest otherwise.
  • dvader
    @ossie: you are pretty clueless, sir. Read the Charlie Miller interview.
  • shurcooL
    I love Chrome too, but mostly for its amazing UI/usability. I can get to pretty much any of my favourite websites with just 3-5 key strokes. Ctrl+T, type 1-3 letters, enter. No other browser comes even close. Oh, and I don't really like/use favourites for commonly visited sites.
  • ossie
    And you, Mr. dvader, are even less than clueless. A Safari browser vulnerability (that means an application with explicit luser contribution) was used to hack the used macbook user account and not the OS itself. I clearly specified the underlying BSD Unix and not some crap added by apple.
    Clueless users won't be able to protect themselves if they don't understand the implications of their actions and have at least some knowledge about the inner workings. Here lies the most damaging "contribution" of m$, as it lowered unprecedentedly the perceived needed knowledge and expectations of its lu$ers. Apple also isn't very far behind in dumbing down their system.
  • dvader
    @ossie: Surely, you can not accuse Mr. Charlie Miller of not knowing anything about the inner workings of OSX. Denying that Safari is tied into OSX is just plain wrong.
    Mr. Miller is not a programmer, he's a math scientist and an OS-artist. We are - and U2 - Mr. Ossie - are ordinary mortals compared to his skills.

    As for Mr. Lang. It's a bit unfair to accuse him of MS-bias. The Miller interview and now the Google interview are technically very good.

    If you want OS-politics go to: wwww.slashdot.org.
  • AlanDang
    Don't forget about my interview with Dino A. Dai Zovi either. Charlie Miller is ex-NSA. Dino A. Dai Zovi is ex-Sandia Red Team. The funny thing is that I've been accused of being both MS-biased and Apple-biased ;)

    "Clueless users won't be able to protect themselves."

    Agree 100%, but the revelation that I hope these interviews will ultimately help readers understand is that even informed users are unable to protect themselves 100% of the time. Today's threats are different from those of an earlier computing generation. You can fully lock down your system, but then you miss out on rich media, etc. You have to run Lynx if you want a secure browser on the Mac... But that's a problem with the Mac not with BSD Unix. That said, the flash exploit from 2008 Pwn2Own that took down Vista would also have taken down Firefox/Flash on Linux...

    The problems are pervasive, the solutions are unclear. In the end, security researchers gravitate toward the Mac because they accept that "everything" is insecure. Risk = Threat * Vulnerability * Consequence

    Macs are highly vulnerable but have few threats/attacks. PCs are less vulnerable than Macs but have more threats and are therefore at higher risk. Linux is somewhere in between in terms of risk. No system has zero risk.
  • ossie
    @dvader Don't confuse OS X with windblow$. Safari is just an application, it's not "tied into" OS X, as exploder in windblow$ - that's the exclusive monumental "innovation" of mr. BillG's "The Internet? We are not interested in it" team.
    Mr. Miller did compromise just the user account under which the browser was running, and not the machine itself - it's a difficult concept to grasp for windblow$ lu$ers.

    @alan Well, you might be apple-biased in other articles, in that one the bias was m$ oriented (that's the impression I got). I don't need vi$hta/drm to be more secure (that's an elusive desideratum in the m$ world), there are a lot of other possibilities which offer much more (real) security (better said, fewer vulnerabilities) than the (imaginary) UAC based one. While it's very difficult to escalate rights in a well designed multi-user/tasking OS (*nix), that's not the case with windblow$, as history teaches us over and over again. The more security (an oxymoron in conjunction with m$) "features" (not a bug) of windblow$ don't offer more safety than OS X. Informed users prefer OS X (or linux and other *nix-es) over windblow$, for its much more secure inner core (BSD), and can evade threats by not using vulnerable applications, or limiting potential damage by sandboxing them (chroot, VMs, etc.).
    As for the theory of "more threats = higher risk", so dear to m$ evangelists (to "explain" windblow$ failures), most servers on the internet are *nix based and proved to be quite secure, despite a lot of "benevolent" people trying to compromise them - windblow$ is a much more facile target.
    Regarding the false Mac/PC dialectics, it's pure BS. Macs are PCs - it's the same (now almost identical) HW architecture. Just the OS differs: OS X, windblow$, DOS-es, and the rest of *nix-es. If you run linux, isn't it an (IBM compatible) PC anymore?
    Sadly, from those interviews the typical windblow$ lu$er is getting just the impression that other OS-es are (more) vulnerable - see the "tied in" commentary above - and not some crappy designed application/browser/plugin, with limited effects (on the underlying OS, if it's well designed). Also they get no clue about the OS/app partitioning, where the vulnerabilities are, and how to limit their (potential) damage, resulting just in the usual "Windows is great(er/est)" comments. The lack of education and knowledge spells disaster.
  • AlanDang
    These interviews are really just questions. At the end of the day, anyone who believes that Apple is 100.0% awesome or Microsoft is 100.0% awesome is delusional. There are strengths and weaknesses to each platform and people who claim that I'm biased for one or the other are simply missing the point. If you come to the article with an anti-MS bias, you'll read neutral statements as being anti-MS. You see my interview as being pro-MS when I talk about strengths of Vista. On the other hand, every security researcher I've interviewed uses a Mac and I use a Mac too, and this is mentioned. Someone who's anti-Apple will see me being biased in favor of Apple.

    On record, I don't believe that any single platform can provide adequate security. The best solution is heterogeneous computing -- the equivalent of genetic variability. This includes software diversity including Linux, but also hardware diversity. We have BIOS hacks in proof of concept stages. Imagine if the US government uses the same Dell platform across the nation. If that system's BIOS is compromised via a 0-day remote flaw, every system is vulnerable. Same thing. Imagine if we all switched to Firefox and someone discovered a new flaw that allowed remote execution.

    Don't think it can't happen. Think about when Red Hat's private keys were compromised allowing someone to randomly sign packages containing malware, or Debian's OpenSSL bug which existed for years...
  • ossie
    I agree that interviews should (mostly) be good questions from the interviewer and (hopefully better) answers from the interviewee. But, when your question is formulated like a conclusion with a question attached: "In order to take advantage of the most security features, users need to be running NTFS and Windows Vista. What specifically about FAT32 and Windows XP make them more vulnerable to attack?", it's not an interview any more, it's biasing the discussion towards a desired response. Adam's answer was quite clear: there is no practical difference between xpire and vi$hta "security". As for the FAT32 question, Adam was more than polite, by pointing out the obvious.
    What an uninformed reader would understand, is that he needs to run vi$hta, to be secure - the direct implication for him is, the other OS-es are insecure, except m$'s one. That's what I call bias.
    Of course, no OS is fully secure, but m$'s are notoriously insecure - there is no benefit for consumers to paint it in a different light. Your statements were not at all neutral, and it's obvious, and I don't hide it, that I have a very critical attitude towards the business practices of m$ and their so called OS, which is geared solely to generate profit for themselves.
    I also am critical of every other OS's aspects that affect its security or functionality, and that includes OS X and unnecessarily dumbed down linuxes. The way some software vendors try to "make it easy" for the user has direct negative implications on the security of their products, and their ecosystem. The lu$er has no clue about how it works and to what dangers he exposes himself and others. For a moment, try to conceptualize an environment in which car drivers with the equivalent average knowledge of m$ product users were let loose. I shiver at that thought.
    Your genetic variability argument would have more validity in a heterogeneous threat environment, but in our real world we have mostly a single endangered species, with almost no variability, artificially sustained by a monopolistic economic behavior. The most damaging contribution of m$ is to create in the lu$er the illusion of being in control of the machine. Sadly, other vendors followed suit.
    Your BIOS hack example is just another aspect of the wrong evolution caused by ignoring the KISS principle. As there are a lot of chipsets and Flash/EEPROM chips, with different programming interfaces, it's still very difficult to write a universal BIOS malware. Also, the boot block should always be write protected, to enable BIOS recovery, even if the rest of the BIOS is corrupted. CIH/Chernobyl opened the way, but it only hosed the HDD and BIOS on select M/B (TX), over a decade ago - 26 April is just a few days away ;) . Lessons learned? Almost none, it seems. For some penny pinching, the same chip is still used to store and update system configuration data, so it can't be easily HW write-protected.
    That's small fish, you forgot the failed attempt to insert a backdoor in the linux kernel source...
    I'd rather trust an open entity - linux folks are much more open on disclosing such blunders - than a corporation, whose first, and usually only, reaction is to push it under the rug.
    Remember the Cisco IOS blunder? Their "solution" was litigation and gagging.
    I would be more worried by trendy HW RA technologies, like intel's AMT and vPro - a single critical point of failure. If it's hacked, the damage would be incommensurable.
  • AlanDang
    The NTFS/Vista thing reflects the "holes" in the sandbox. Chromium is application-based sandboxing and mounted FAT32 drives do not have any protection through the sandbox. The TCP/IP stack in Windows XP also does not adhere to the sandbox protection (while it does in Windows Vista). This means that a compromise of the sandboxed renderer can open up ports in XP but not in Vista. The question was designed to get a response regarding these details.

    The other detail to always keep in mind is that these interviews are designed for the Tom's Hardware reader (not Tom's Guide, or a general mainstream reader). I do think Vista is more secure than XP thanks to things like ASLR, better TCP/IP protection, etc. I don't think a single reader thinks that Vista is the *only* secure operating system as you suggest. That is just your bias and inability to write Microsoft with an "S" rather than a $.

    A good car driver needs to know how to drive defensively and how to interpret road signs. Knowing if his wireless remote is frequency hopping or not, or knowing how to rebuild the engine, is not critical. In the perfect world, all users would be intelligent. In the real world, computers are ubiquitous and their value is so immense that anyone and everyone has a computer. Do you truly think that a user of an OLPC will have the full understanding of the security issues of a networked system?

    We agree on the genetic variability argument. We should not be running in a world dominated by Microsoft operating systems. But that's true for any dominant force. If OpenBSD had a monopoly, you'd have many of the same problems (but less so, given that OpenBSD has inherently fewer vulnerabilities than Windows due to audited code).

    Intel AMT, vPro, etc. all true -- but more and more, threats are for specific targets. A company running a single brand of computer with a single configuration may have easier IT management, but places itself at higher risk for attack. Companies should consider the risks/benefits of running single platforms versus multiple platforms and decide for themselves what the right course of action is.
  • ossie
    Even if those were your intentions, if you don't formulate your questions correspondingly unambiguously, you'll get the corresponding reaction, more often different from the expected one.
    That's a good point, as m$ encourages the world and its dog to use fat(32) for portable storage. While exFAT will supposedly support ACLs, it's still a long way to its wide adoption - and m$'s patent/royalties model will not exactly encourage it.

    ASLR is still in its infancy, and the perceived/advertised security improvements are much too optimistic, as its usage is quite limited.
    I wouldn't be so sure that there is no reader who considers vi$hta to be the non plus ultra of current secure OSs - you are neglecting the m$ fanboyism on TH.

    As long as m$ proves all over again that their single major goal is profit and control at all costs (especially customers ones), customer needs usually remaining aside along the road, it's the only fit way to describe them (and I would never use an "S" in place of an "s"). Also, their blunders "fixes" are of debatable quality and benefit to the customer.

    While you mentioned the TCP/IP stack, let's see some of m$'s "fixes":
    - to "limit"(?) malware spread, since xpire sp2, the number of simultaneous opening connections is limited to 10 - that is affecting the whole network stack, including internet and LAN. Did you ever wonder why your shiny new fast connection is sometimes so sloppy?
    If you think that it just happened once, the same "innovative" approach was used again in vi$hta.
    - to "prevent"(?) media playback skipping in "heavy network traffic", m$ implemented a "fix" by choking other network connections. Another side effect was also high CPU load during media play and choked network traffic.
    That "problem solving" approach is akin to carpet bombing a village and killing everyone, just to get some supposedly hidden hostiles. Sounds familiar? That's exactly the current policy for some governments/armed forces.
    In that light, I'm wondering how much other less known "innovation" is hidden in m$ products, which is affecting customers.

    A good driver does not necessarily know in detail the physics/chemistry/mathematics behind his car, but some general knowledge notions are indispensable. In the "modern" real world we have sadly obtained the button-pushing idiot, who has no clue of the effects of his actions.
    An OLPC user doesn't need to know the full implications, but he really should know that there are some, and it would be good for him, and the others, to know at least the dangerous ones, and how to prevent damage. The lack of common education in computer(ised) equipment usage is staggering, and the most damaging effect is generated by the illusion encouraged by m$, and similar vendors, that the lu$er is in control.

    That's exactly the crux of security: auditing critical code offers a lot more assurance that no nasty surprises are hidden - even if some corporate entities favor security by obscurity.

    There is nothing wrong in itself with using a standardized platform, as long as the risks are correctly estimated and properly taken care of. But, more often than not, enterprises trust some third party "miraculous" security solutions whose inner workings they have no knowledge about.
    As for the RM tools mentioned previously, there is no easy way to get more variation in platforms, as they are almost exclusively intel and those tools are forged in HW. All boils down to trust in some outside entity. Who do you really trust, blindly and unquestionably?
  • amenpotep
    "if you don't formulate your questions accordingly unambiguous, you'll get the corresponding reaction, more often different to the expected one."

    You're telling him to structure his questions properly when you can't even do that yourself. It's painful reading what you've written thus far. The worthwhile portions of your arguments are clouded by terrible analogies, horrific grammar, and unnecessary misspellings of words. Some slang can be used to make a point, but when you are unable to even follow an M with an S, just say XP, or stop abusing quotation marks, your bias becomes palpable. You've spent the entire time crucifying Alan for speaking from a place of bias and for being a Microsoft fanboy, but are you in any position to talk?