Behind Pwn2Own: Exclusive Interview With Charlie Miller

An Intro To Sandboxing

Alan: Let’s talk a little bit of tech. Mac owners are often smug about their system being "more secure" and yet it would seem as if Chrome/Vista offered the most secure solution this year. A lot has been said about Chrome's "Sandboxing" model. How is this different from IE7's Protected Mode? What does Sandboxing really mean when Chrome's first exploit allowed remote applications to be launched from Java?

Charlie: Sandboxing helps quite a bit, if done properly. It’s one of the many exploit mitigation technologies being used. The idea is there will always be bugs and vulnerabilities in software, but you can make it difficult for attackers to get code running on the system and even if they do, limit the amount of damage that can be done. Basically, the attacker has to get code running and then figure out how to get out of (or break) the sandbox.

Alan: Interrupt me if I’m wrong. My understanding of it is that you compartmentalize the different parts of the application. Historically, the Web renderer is the point of entry, since that’s what interacts with the rest of the Internet. Once code is arbitrarily run, that application can then do all sorts of stuff like track keystrokes, format your hard drive, etc.

The idea behind sandboxing in a Web browser is that the application is split into different threads. The thread that manages user input/keystrokes is separated from the thread that deals with rendering the Web page. An application like Google Chrome will rely on the Windows security model to give the renderer zero privileges. That way, the randomly executed code by the “renderer thread” is blocked from accessing other stuff by the operating system. The “main browser thread” will only pull bitmaps from the renderer. So, even if you hacked into the renderer component, you couldn’t go any further than messing around with the text, pictures, etc.

The main weakness with relying on the sandbox, though, is that I could hack the renderer so the next time I went to a legit Web site, it altered the HTML so that I had a realistic “You Need a Newer Version of Flash” message. All of a sudden, I’m downloading a Trojan Horse and now I’m screwed.

Charlie: I don’t know the nuts and bolts of Chrome, but I imagine you could start a new renderer each time. I also think they use processes as opposed to threads.

[Alan’s Comment: Charlie is correct. Chrome uses processes instead of threads. The difference is that each process has its own memory space, which makes for better sandboxing.]
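As an added illustration of the split Alan describes above (a browser side that only pulls bitmaps, a renderer that is given nothing else), this is constructed example code, not Chrome's own: a toy broker that accepts only bounded bitmaps from a renderer, run once with the renderer as a separate process and once as a thread, to show why Charlie's point about processes matters for memory isolation. The operating-system privilege restriction the interview mentions is not modelled, and the message names, sizes and the keystroke buffer are all made up.

```python
import multiprocessing as mp
import threading

MAX_BITMAP_BYTES = 1024
# Fork avoids re-importing the caller's main module; fall back where fork is absent.
CTX = mp.get_context("fork") if "fork" in mp.get_all_start_methods() else mp.get_context()
# Browser-side secret the renderer must never reach (constructed sample data).
browser_state = {"keystrokes": list("pass")}

def renderer(conn):
    """Renderer: one legitimate bitmap, then it acts as if its code were hijacked."""
    conn.send(("bitmap", b"\x00" * 16))                      # legitimate output
    browser_state["keystrokes"].clear()                      # tamper with browser memory
    conn.send(("launch", "evil.exe"))                        # ask the broker to escape for it
    conn.send(("bitmap", b"\x00" * (MAX_BITMAP_BYTES + 1)))  # malformed oversized bitmap
    conn.send(("done", None))

def broker(conn):
    """Browser side: the only thing it pulls from the renderer is a bounded bitmap."""
    accepted, rejected = [], []
    while True:
        kind, payload = conn.recv()
        if kind == "done":
            break
        if kind == "bitmap" and isinstance(payload, bytes) and len(payload) <= MAX_BITMAP_BYTES:
            accepted.append(len(payload))
        else:
            rejected.append(kind)                            # refused and recorded
    return accepted, rejected

def _run(worker_cls):
    browser_state["keystrokes"] = list("pass")
    parent, child = CTX.Pipe()
    worker = worker_cls(target=renderer, args=(child,))
    worker.start()
    accepted, rejected = broker(parent)
    worker.join()
    return accepted, rejected, len(browser_state["keystrokes"])

def run_renderer_as_process():
    """Renderer in its own process: the browser keeps a separate copy of memory."""
    return _run(CTX.Process)

def run_renderer_as_thread():
    """Same renderer as a thread: it shares the browser's memory and can wipe it."""
    return _run(threading.Thread)

if __name__ == "__main__":
    print("process:", run_renderer_as_process())   # ([16], ['launch', 'bitmap'], 4)
    print("thread: ", run_renderer_as_thread())    # ([16], ['launch', 'bitmap'], 0)
```

In both runs the broker refuses the launch request and the oversized bitmap; only the process run keeps the keystroke buffer intact, which is the memory-space difference Alan's note points at.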

  • crisisavatar
    he was born to kill
  • Niva
    Blah, sad he didn't give an estimate of Linux security. He said it has some method of protection but didn't expand on that much...

    As OS X market share grows we'll see more exploits.
  • Silluete
    Interesting thing about sandboxing: does it mean Chrome is safer than other browsers? Or am I missing something here?
  • lire210
    what's up mac
  • pcfxer
    Chrome uses processes instead of threads. The difference is that the memory space for each process is different: better sandboxing.

    Processes have increased headroom: they are making a copy of local variables and structures at the time of "forking".

    Threads "fork off" as functional code and work with their own memory space... in a nutshell.

    Sandboxing doesn't mean that Chrome is safer, it does mean that if sandboxing is implemented correctly Chrome CAN be safer. Security is so relative ;).
  • AlanDang
    Exactly, Chrome is currently safer than any other web browser on Windows Vista or Windows 7. We have an upcoming interview that talks a little bit more about this, but we haven't made plans on a dedicated article. Is that something people are interested in?
  • echdskech
    AlanDang wrote: "Exactly, Chrome is currently safer than any other web browser on Windows Vista or Windows 7. We have an upcoming interview that talks a little bit more about this, but we haven't made plans on a dedicated article. Is that something people are interested in?"

    Count me in. Come to think of it, I spend more time on my browser than any other piece of software (except the OS of course) at any given day, primarily because I use it both at work for research and for play (i.e. reading articles here). Also, the trend these days seems to indicate it becoming more and more a target rather than the OS.

    Would be extra nice if the level of detail would be like the articles you guys write when a new CPU architecture is discussed. =)
  • anthony lackey
    There are fewer people attacking Macs because they aren't the mainstream. Hackers would rather try to infect as many people as possible; that's why they target PC users.
  • If Apple does not allow cloning, Mac OS may be safe for a long while; nobody likes to be tied to a single hardware vendor. I really don't see how Apple could pull more than 15% to 18% market share without clones. JMO.
  • dedhorse
    Good interview. Makes up for that Mac review.