It isn't really a tool, per se. Sandboxing is just a term used to describe how measures have been taken to make Chrome much more secure under the hood. It's just a way of describing more secure software, to put it simply.
Google Chrome Puts Security in a Sandbox
The Google Chrome browser is no longer a beta, and has been outfitted with a coat of security armor Google hopes will both protect users and help Chrome compete with rival browsers.
The toughest piece of that armor involves sandboxing. In Chrome, HTML rendering and JavaScript execution are isolated in their own class of processes. Running each tab in Chrome in a sandbox allows Web applications to be launched in their own browser windows without the ability to write or read files from sensitive areas. Plug-ins are run in separate processes that communicate with the renderer.
"I think Google was very proactive in terms of what we've been doing around trying to help prevent users from being infected with malware," said Ian Fette, security product manager for Google. "On the Web browser, we're trying to do everything we can to make sure that users are not becoming affected with malware, and a big part of that is the sandboxing technology."
Calling it a second level of defense, he said the technology is designed to prevent malware from persisting even if there is a flaw in the code that would lead to the Web browser being compromised.
"It's designed to prevent malware from getting installed on the system, from being able to start again when you close the browser and restart the computer; it's designed to help prevent malware from being able to read files on your file system; it's really a defense-in-depth mechanism," Fette explained.
As noted on the Google security blog, however, there are some limitations. Since it depends on Windows, there is the possibility of a flaw in the operating system security model itself. Another issue is that some legacy file systems used on certain computers and USB keys, such as FAT32, don't support security descriptors. Files on those devices can't be protected by the sandbox, according to the blog.
In addition, if a third-party vendor configures files, registry keys and other objects in a way that bypasses the access check (the mechanism by which the system determines whether the security descriptor of an object grants the rights requested to an access token), it can give everyone using the machine full access.
In addition to the sandboxing, Google has outfitted Chrome with a number of security features similar to those of Internet Explorer, such as Incognito mode. Like IE 8's InPrivate Browsing, Incognito mode allows users to hide their Web surfing histories, and no cookies are stored beyond the lifetime of a browser window.
"Incognito mode is designed to reduce the amount of data that gets stored on your computer; it's not designed to provide, for instance, anonymous browsing," Fette said. "When you go into Incognito mode you are essentially saying, 'Everything I do in this browser window, please don't record that on my computer once [I] close off that window.'"
Chrome also takes a blacklisting approach using Google's SafeBrowsing API to protect users against known malicious sites.
"I think the biggest advantage that we have is that Chrome is the first browser built from scratch after bad guys started exploiting other browsers," opined Google Engineering Director Linus Upson. "We've had the luxury of looking at the security problems other browser vendors have had, and designing around those from the very beginning."
The layout and structure of firmware for Chromium OS is designed for security (see Verified Boot documentation), recovery and development.
All firmware will contain a recovery code path, which will restore the machine to its original Chromium OS state. This recovery code path will be initiated either when any chain in the boot path is not verified or when a user manually triggers recovery mode, likely via an explicit recovery button on the device.
Chromium OS wants to support developers as well. Developers are provided with a means of running alternate software. In the alternate boot paths, the user is notified that they are not running a boot path provided as part of Chromium OS.
The boot and recovery procedures outlined will be implemented and required for both x86 and ARM platforms.
This document describes the firmware boot process, including detection and recovery of corrupted or hacked firmware/software.
Potential problems
The firmware boot process must be able to detect the following problems and, if possible, repair them.
Firmware
Incomplete update: An update of the firmware is interrupted. This leaves the portion of the firmware which was being updated in an unknown or corrupt state. For example, if the update is interrupted after a firmware block is erased but before it is reprogrammed, that block is empty.