November 19th, 2009

Inside the Google Chrome OS security model

Posted by Ryan Naraine @ 11:54 am

Categories: Apple, Arbitrary Code Execution, Browsers, Data theft, Denial of Service (DoS), Exploit code, Hackers, Microsoft, Open source, Passwords, Patch Watch, Responsible disclosure, Viruses and Worms, Vulnerability research, iPhone

Tags: Google Inc., Operating System, Web Browser, Google Chrome, Attack, End Goal, Web Browsers, Operating Systems, Security, Internet

Google plans to use a combination of system hardening, process isolation, verified boot, secure auto-update and encryption to thwart malicious hackers from planting malware on its new Google Chrome OS.

Much like the Google Chrome browser, the operating system will use process sandboxing as the key weapon in a series of anti-exploitation mitigations and attack surface reduction techniques.  The end goal is to recover from a successful compromise by simply applying an update and rebooting the infected machine.

[ SEE: Google Chrome browser, the security tidbits ]

The operating system borrows much of its security posture from the Chrome browser and, at first glance, resembles the security model used by Apple to secure its iPhone device.

“It’s like the iPhone for your netbook. It will be very tough to break into,” said one prominent security researcher who read the document.

Here’s how Google plans to harden the OS to reduce the likelihood of successful attack and reduces the usefulness of successful user-level exploits.

• Process sandboxing
  • Mandatory access control implementation that limits resource, process, and kernel interactions
  • Control group device filtering and resource abuse constraint
  • Chrooting and process namespacing for reducing resource and cross-process attack surfaces
  • Media device interposition to reduce direct kernel interface access from Chromium browser and plugin processes
• Toolchain hardening to limit exploit reliability and success
  • NX, ASLR, stack cookies, etc
• Kernel hardening and configuration paring
• Additional file system restrictions
  • Read-only root partition
  • tmpfs-based /tmp
  • User home directories that can’t have executables, privileged executables, or device nodes
• Longer term, additional system enhancements will be pursued, like driver sandboxing

In the short term, Google Chromium OS will look to thwart an “opportunistic adversary” who is attempting to compromise an individual user’s machine and/or data.

On the Web side, Google Chrome OS will use a modular browser with sandboxing and process isolation to limit malware attacks:

Phishing, XSS, and other web-based exploits are no more of an issue for Chromium OS systems than they are for Chromium browsers on other platforms.  The only JavaScript APIs used in web applications on Chromium OS devices will be the same HTML5 and Open Web Platform APIs that are being deployed in Chromium browsers everywhere.  As the browser goes, so will we.

[ SEE: Google's Chrome OS: Will you give up desktop apps? ]

The new OS will also be fitted with a secure auto-update system:

• Signed updates are downloaded over SSL.
• Version numbers of updates can’t go backwards.
• The integrity of each update is verified on subsequent boot, using our Verified Boot process, described below.

On the data protection front, Google says users shouldn’t need to worry about the privacy of their data if they forget their device in a coffee shop or share it with their family members.  This will be done by ensuring the data is unreadable except when it is in use by its rightful owner.

Here’s how that will work:

In this video, security engineer Will Drewry discusses Google’s mindset around securing Chrome OS:

* Google Chromium security review.

More Google Chrome OS coverage:

• Microsoft finds security hole in Google Chrome Frame
• Google makes Chrome OS open source
  
• Releasing the Chromium OS open source project
• The Chromium Project
• Google’s Chrome OS: Will you give up desktop apps?