Exclusive Interview: Google Chrome's Chromium Core Explored


In our continuing series on personal computing security, we’re talking with Collin Jackson and Adam Barth about the security features of Google Chrome. Both Collin and Adam are members of the Web Security Group at Stanford University. Collin is still finishing his PhD at Stanford, while Adam completed both his master’s degree and a PhD at Stanford. After completing his training at the Best School in the Bay Area, Adam spent some time as a post-doc at the second-rate public school across the bay (UC Berkeley). Both of them have worked at Google. While there, they were the lead authors on an academic analysis of the security architecture of Chromium, the core upon which Google Chrome is built.

Alan: Thanks for taking the time to talk with us. Let’s start with the basics. Why don’t you tell me a little bit about yourself? How did you decide to specialize in security research, and why did you both choose Stanford University?

Collin: I picked Stanford because it has top-notch professors working in a broad range of fields, and I wasn't yet sure what I wanted to do. When I got there, I got drawn into Web security because all the most interesting applications are moving to the Web, yet the details of the Web security model are still poorly understood.

Adam: I've been interested in security since I was a kid. One of my favorite games growing up was to invent ciphers for my friends to break. I chose Stanford because I have a personal connection with Stanford: I grew up in Palo Alto and my mother is a professor in the business school.

Alan: When I was in CS106B, I won first place in the programming contest (Fastest Algorithm: Panex Puzzle). The instructor was from Google, which was then only about a year and a half old. I’ve always wondered if I could have gotten a job at Google if I wanted to pursue a career in CS. What was the coolest thing about working at Google?

Adam: For me, the coolest thing about working at Google was being able to use their massive computing infrastructure to run experiments. For example, we used this infrastructure to optimize the security of Chrome's content sniffing algorithm (these experiments eventually led to this paper: http://www.adambarth.com/papers/2009/barth-caballero-song.pdf).

Alan: There have been a few designers who have recently left Google because they felt that the process was too bureaucratic. Was it hard to get them to let you run an experiment on a new algorithm using Google’s database of billions of Web pages as the data set, and then convince them to let you use the QA team to manually test the top 500 sites? How long did it take to run your algorithm through the billions of Web sites?

Adam: There wasn't any resistance to running the experiments. I'm not sure exactly how long they took to run, but it certainly took less time to run the experiments than to design them in the first place. We did this work in collaboration with the HTML 5 standardization effort, and we hope that other browsers can benefit from these experiments by adopting the HTML 5 content sniffing algorithm.

  • duckmanx88
    Security features? I'm using Chrome right now. Love it. But this thing is far from secure. It shows you all your saved passwords with no protection. And I'd like to open my tabs on a page I select and not my most viewed sites for everyone to see.
  • thee_prisoner
    +1 Duckman, I also do not like to have my passwords saved. It is convenient to have your most viewed websites posted, but it can lead to issues with work. Even though I use this function, it might get messy in an environment where you have competitive co-workers to easily see what you are working on.

    What I would like to see, make it so that people have a way to access these features quickly, but still maintain some security.

    Really though in all browsers people can just look at your history of your websites that you visited, unless of course you delete your history all the time.

    Chrome is great. It is fast and easy to use.

    BTW, at least Berkeley and other state schools generally give you better well rounded education. I find accumulation of knowledge helps in all fields, we do not to become a world of engineers.

    Be seeing you...
  • Interesting... even if I don't know anything about coding...
    I love Opera btw...!
  • csuftech
    @duckmanx88, given that it was the only browser that was not compromised at this year's Pwn2Own contest, I would say it's pretty secure. Also, if you don't want the most visited sites page, go to Wrench > Options > Basics and then just click on "Open this page".
  • UC Berkeley is a second-rate school? Ha!
  • deltatux
    Been using Google Chrome since its release and it's fantastic, I love the security built into the browser and I love the multiprocess approach, makes a lot of sense.
  • sunraycer
    @csuftech: That's for the homepage right? I think he's talking about opening a TAB with the +. I'd also like to open to a page and not my most used page list. Nice as an option, but not as a forced function. I'd hope this would change when they have new versions. The settings are fairly sparse in Chrome in general. Hopefully they'll incorporate more. I've been using Chrome since I read the last article in this series and I'm starting to like it already. Might start trying to use the beta to see what's on the way...
  • Capability-based security is a nice topic, since it fits very well with general Internet infrastructure. I.e. there's no global system of roles, users and ACLs, but even now it's possible to build capability-based systems using browser cookies.

    Are there any developments in this area?
  • ossie
    "Macs definitely seem to be a favorite among security researchers."
    "In order to take advantage of the most security features, users need to be running NTFS and Windows Vista."
    "While Mac OS X Leopard offers less security features than Windows Vista or Windows 7, it offers better safety because there are fewer threats."

    Very funny mr. Dang. Your pathetic attempts to push m$ corporate spin failed miserably...
    No serious professional would use m$ crap for its important work. OS X (BSD Unix) is still more secure than windblow$ even if you try hard to suggest otherwise.
  • dvader
    @ossie: you are pretty clueless, sir. Read the Charlie Miller interview.