Inside the Google Chrome OS security model

Summary: Google will use a combination of system hardening, process isolation, verified boot, secure auto-update and encryption to thwart malicious hackers from attacking its new Google Chrome OS.

Google plans to use a combination of system hardening, process isolation, verified boot, secure auto-update and encryption to thwart malicious hackers from planting malware on its new Google Chrome OS.

Much like the Google Chrome browser, the operating system will use process sandboxing as the key weapon in a series of anti-exploitation mitigations and attack surface reduction techniques.  The end goal is to recover from a successful compromise by simply applying an update and rebooting the infected machine.

The operating system borrows much of its security posture from the Chrome browser and, at first glance, resembles the security model used by Apple to secure its iPhone device.

"It's like the iPhone for your netbook. It will be very tough to break into," said one prominent security researcher who read the document.

Here's how Google plans to harden the OS to reduce the likelihood of a successful attack and to reduce the usefulness of successful user-level exploits.

  • Process sandboxing

    • Mandatory access control implementation that limits resource, process, and kernel interactions
    • Control group device filtering and resource abuse constraint
    • Chrooting and process namespacing for reducing resource and cross-process attack surfaces
    • Media device interposition to reduce direct kernel interface access from Chromium browser and plugin processes

  • Toolchain hardening to limit exploit reliability and success

    • NX, ASLR, stack cookies, etc.

  • Kernel hardening and configuration paring
  • Additional file system restrictions

    • Read-only root partition
    • tmpfs-based /tmp
    • User home directories that can't have executables, privileged executables, or device nodes

  • Longer term, additional system enhancements will be pursued, like driver sandboxing
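The file-system restrictions are the part of this list that can be checked directly from a mount table. The Go program below is an added example, not Google's code or anything from the design document: it parses a /proc/mounts-style listing and reports where the policy (read-only root, tmpfs-based /tmp, a home directory mounted noexec, nosuid and nodev) is not met. The two mount tables in it are constructed for the demo, and the rule set and function names are assumptions made for this example. One caveat a practitioner would add: noexec stops a file in the home directory from being executed directly, but not from being handed to an interpreter that already lives on the read-only root, so it narrows the attack surface rather than closing it.

```go
package main

import (
	"fmt"
	"strings"
)

// MountEntry is one line of /proc/mounts: "device mountpoint fstype options dump pass".
type MountEntry struct {
	Device  string
	Point   string
	FSType  string
	Options map[string]bool
}

// ParseMounts parses text in /proc/mounts format; malformed lines are skipped.
func ParseMounts(text string) []MountEntry {
	var out []MountEntry
	for _, line := range strings.Split(text, "\n") {
		f := strings.Fields(line)
		if len(f) < 4 {
			continue
		}
		opts := map[string]bool{}
		for _, o := range strings.Split(f[3], ",") {
			opts[o] = true
		}
		out = append(out, MountEntry{Device: f[0], Point: f[1], FSType: f[2], Options: opts})
	}
	return out
}

// Rule is one expectation about a path: the filesystem type it must sit on ("" for any)
// and the mount options that must be present.
type Rule struct {
	Point    string
	FSType   string
	Required []string
}

// ChromiumOSRules encodes the three file-system restrictions listed in the article
// (the rule names and this encoding are assumptions for the example).
var ChromiumOSRules = []Rule{
	{Point: "/", Required: []string{"ro"}},
	{Point: "/tmp", FSType: "tmpfs"},
	{Point: "/home", Required: []string{"noexec", "nosuid", "nodev"}},
}

// findMount returns the deepest mount whose point is the path itself or an ancestor of it,
// so a rule for /home is judged by whatever is actually mounted there (falling back to /).
func findMount(mounts []MountEntry, path string) *MountEntry {
	var best *MountEntry
	for i := range mounts {
		m := &mounts[i]
		prefix := strings.TrimSuffix(m.Point, "/") + "/"
		if path == m.Point || strings.HasPrefix(path, prefix) {
			if best == nil || len(m.Point) > len(best.Point) {
				best = m
			}
		}
	}
	return best
}

// CheckMounts returns one message per violated rule; an empty result means the table complies.
func CheckMounts(mounts []MountEntry, rules []Rule) []string {
	var violations []string
	for _, r := range rules {
		m := findMount(mounts, r.Point)
		if m == nil {
			violations = append(violations, r.Point+": not mounted")
			continue
		}
		if r.FSType != "" && m.FSType != r.FSType {
			violations = append(violations, fmt.Sprintf("%s: fstype %s, want %s", r.Point, m.FSType, r.FSType))
		}
		for _, opt := range r.Required {
			if !m.Options[opt] {
				violations = append(violations, fmt.Sprintf("%s: missing option %s (mounted at %s)", r.Point, opt, m.Point))
			}
		}
	}
	return violations
}

// Constructed mount tables for the demo; not captured from a real device.
const hardenedMounts = `/dev/root / ext2 ro,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 /home ext4 rw,nosuid,nodev,noexec,relatime 0 0`

const looseMounts = `/dev/sda2 / ext4 rw,relatime 0 0
/dev/sda1 /home ext4 rw,relatime 0 0`

func main() {
	for name, table := range map[string]string{"hardened": hardenedMounts, "loose": looseMounts} {
		v := CheckMounts(ParseMounts(table), ChromiumOSRules)
		fmt.Printf("%s: %d violation(s)\n", name, len(v))
		for _, s := range v {
			fmt.Println("  " + s)
		}
	}
}
```

On the "loose" table the checker reports five problems: the root is writable, /tmp is not its own tmpfs (it falls through to the ext4 root), and the home directory lacks all three of noexec, nosuid and nodev. Pointing ParseMounts at the contents of a live /proc/mounts turns this into a quick audit of any Linux image claiming the same layout.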

In the short term, Google Chromium OS will look to thwart an "opportunistic adversary" who is attempting to compromise an individual user's machine and/or data.

On the Web side, Google Chrome OS will use a modular browser with sandboxing and process isolation to limit malware attacks:

Phishing, XSS, and other web-based exploits are no more of an issue for Chromium OS systems than they are for Chromium browsers on other platforms.  The only JavaScript APIs used in web applications on Chromium OS devices will be the same HTML5 and Open Web Platform APIs that are being deployed in Chromium browsers everywhere.  As the browser goes, so will we.

The new OS will also be fitted with a secure auto-update system:

  • Signed updates are downloaded over SSL.
  • Version numbers of updates can't go backwards.
  • The integrity of each update is verified on subsequent boot, using our Verified Boot process, described below.
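How the first two rules combine on the client side, as an added example rather than Google's update code: the manifest (version number plus payload hash) is signed with Ed25519, and the device refuses an update whose signature does not verify, whose version is not strictly newer than the installed one, or whose payload does not match the hash the signed manifest commits to. The key pairs, version numbers and payloads are constructed for the demo; the SSL transport and the boot-time re-verification are outside this snippet. Note that the anti-rollback check is only as strong as the stored "installed version": if an attacker can rewrite that value, an old but validly signed image becomes installable again, which is why the design leans on verified boot for it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is the signed description of an update: the version it installs and the
// SHA-256 of the payload it ships. The signature covers the canonical manifest bytes only,
// so the (possibly large) payload is checked by hash after the signature is trusted.
type Manifest struct {
	Version     uint64
	PayloadHash [32]byte
}

// canonical is the fixed-width byte encoding that gets signed: 8-byte big-endian version
// followed by the 32-byte payload hash (an encoding chosen for this example).
func (m Manifest) canonical() []byte {
	b := make([]byte, 8, 40)
	binary.BigEndian.PutUint64(b, m.Version)
	return append(b, m.PayloadHash[:]...)
}

type Update struct {
	Manifest  Manifest
	Signature []byte
	Payload   []byte
}

var (
	ErrBadSignature = errors.New("update: manifest signature invalid")
	ErrRollback     = errors.New("update: version would go backwards")
	ErrBadPayload   = errors.New("update: payload hash mismatch")
)

// Verify applies the checks in order: nothing inside the update is believed until the
// signature checks out, then the version must be strictly newer, then the payload must match.
func Verify(pub ed25519.PublicKey, installed uint64, u Update) error {
	if !ed25519.Verify(pub, u.Manifest.canonical(), u.Signature) {
		return ErrBadSignature
	}
	if u.Manifest.Version <= installed {
		return ErrRollback
	}
	if sha256.Sum256(u.Payload) != u.Manifest.PayloadHash {
		return ErrBadPayload
	}
	return nil
}

// Sign builds an update the way the update server would.
func Sign(priv ed25519.PrivateKey, version uint64, payload []byte) Update {
	m := Manifest{Version: version, PayloadHash: sha256.Sum256(payload)}
	return Update{Manifest: m, Signature: ed25519.Sign(priv, m.canonical()), Payload: payload}
}

// Scenarios verifies four constructed updates against an installed version of 1000:
// a genuine upgrade, a replay of an older signed image, a tampered payload, and an
// image signed with a key the device does not trust.
func Scenarios() map[string]error {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	const installed = 1000

	good := Sign(priv, 1001, []byte("rootfs image v1001 (constructed)"))
	old := Sign(priv, 999, []byte("rootfs image v999 (constructed)")) // validly signed, but older
	tampered := good
	tampered.Payload = []byte("rootfs image v1001 with backdoor (constructed)")
	forged := Sign(attackerPriv, 2000, []byte("rootfs image v2000 (constructed)"))

	return map[string]error{
		"upgrade":  Verify(pub, installed, good),
		"rollback": Verify(pub, installed, old),
		"tampered": Verify(pub, installed, tampered),
		"forged":   Verify(pub, installed, forged),
	}
}

func main() {
	for name, err := range Scenarios() {
		fmt.Printf("%-9s -> %v\n", name, err)
	}
}
```

Only the "upgrade" case returns nil; the replayed image fails on version, the modified payload fails on hash even though its manifest signature is still good, and the attacker-signed image is rejected before any of its contents are looked at.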

On the data protection front, Google says users shouldn't need to worry about the privacy of their data if they forget their device in a coffee shop or share it with their family members.  This will be done by ensuring the data is unreadable except when it is in use by its rightful owner.

Here's how that will work:

  • Each user has his own encrypted store.
  • All user data stored by the operating system, browser, and any plugins are encrypted.
  • Users cannot access each other's data on a shared device.
  • The system does not protect against attacks while a user is logged in.
  • The system will attempt to protect against memory extraction (cold boot) attacks when additional hardware support arrives.
  • The system does not protect against root file system tampering by a dedicated attacker (verified boot helps there).
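What a per-user encrypted store looks like in practice, as an added example and not Google's implementation: the article does not say how the per-user key is derived, so this version derives it from the user's passphrase with PBKDF2-HMAC-SHA256 and encrypts the store with AES-256-GCM, both of which are assumptions for the demo, as are the two accounts, their passphrases and the stored secret. The last bullets above apply here just as on the real device: while the owner's key is in memory the data is readable, and nothing in this scheme tells the user whether the code asking for the passphrase is the genuine one.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const kdfIterations = 100000 // demo-level PBKDF2 cost; an assumption, not a value from the article

// Vault is one user's encrypted store as it sits on disk. Everything in it may be public;
// only the passphrase-derived key makes the ciphertext readable.
type Vault struct {
	Salt       []byte
	Nonce      []byte
	Ciphertext []byte // AES-GCM output with the authentication tag appended
}

// pbkdf2SHA256 derives a 32-byte key (RFC 8018 section 5.2; one block since dkLen == 32).
func pbkdf2SHA256(password, salt []byte, iter int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // block index 1, big-endian
	u := mac.Sum(nil)
	dk := append([]byte(nil), u...)
	for i := 1; i < iter; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range dk {
			dk[j] ^= u[j]
		}
	}
	return dk
}

func newAEAD(password, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256(password, salt, kdfIterations))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under the user's passphrase. The salt is also passed as
// associated data, so a vault cannot be silently re-keyed by swapping its salt.
func Seal(password, plaintext []byte) (Vault, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return Vault{}, err
	}
	aead, err := newAEAD(password, salt)
	if err != nil {
		return Vault{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Vault{}, err
	}
	return Vault{Salt: salt, Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, plaintext, salt)}, nil
}

// Open returns the plaintext, or an error if the passphrase is wrong or the store was modified.
func Open(password []byte, v Vault) ([]byte, error) {
	aead, err := newAEAD(password, v.Salt)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, v.Nonce, v.Ciphertext, v.Salt)
	if err != nil {
		return nil, errors.New("vault: wrong passphrase or tampered store")
	}
	return pt, nil
}

// SharedDevice models two accounts on one netbook (constructed data): can the owner read
// her store, is the other user refused, and is a flipped ciphertext byte detected?
func SharedDevice() (ownerOK, otherDenied, tamperDetected bool) {
	alice, bob := []byte("alice-passphrase"), []byte("bob-passphrase")
	secret := []byte("browser cookies, saved passwords, plugin state (constructed)")
	v, err := Seal(alice, secret)
	if err != nil {
		return
	}
	pt, err := Open(alice, v)
	ownerOK = err == nil && string(pt) == string(secret)
	_, err = Open(bob, v)
	otherDenied = err != nil
	v.Ciphertext[0] ^= 0x01
	_, err = Open(alice, v)
	tamperDetected = err != nil
	return
}

func main() {
	a, b, c := SharedDevice()
	fmt.Printf("owner reads own store: %v\nother user denied: %v\ntampering detected: %v\n", a, b, c)
}
```

Because GCM authenticates the ciphertext, a wrong passphrase and a modified store fail the same way, which matches the "unreadable except when in use by its rightful owner" goal without leaking which of the two went wrong.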

In this video, security engineer Will Drewry discusses Google's mindset around securing Chrome OS:

* Google Chromium security review.

Talkback

103 comments
  • The proof will be in implementation

    All of these lofty goals are one thing. Making it happen in code is quite another. It sounds like they are just giving a laundry list of what people want them to say. I'm in the "believe it when I see it" camp. Good intentions on paper are nearly always thwarted by the reality of existing "in the wild."
    BillDem
    • The proof will be in implementation

      "All of these lofty goals are one thing. Making it happen in code is quite another. It sounds like they are just giving a laundry list of what people want them to say. I'm in the "believe it when I see it" camp. Good intentions on paper are nearly always thwarted by the reality of existing "in the wild." "

      Don't be ignorant, man!
      They have the TOP programmers out there.
      TheCableGuyNY
      • You are the ignorant

        He said something that's completely true and a G fanboy comes with this TOP idiot answer.
        hectormacias
      • No they don't.

        Because I don't work for them :P
        fr0thy2
    • You seem to have learned

      from Microsoft, but don't worry, Google are completely different ;-)
      fr0thy2
      • No, Microsoft is very unique

        fortunately, but this fact doesn't diminish the great idea in securing Google's platform with some extra zeal.
        Viruses and worms should have been ancient history by now, it wouldn't even be on peoples' radar now if not for the second rate platform from Redmond.
        Mikael_z
        • That's a joke, right?

          Anyone that thinks that Linux would survive if it had 90% of the market is at best delusional.

          The only way it'd possibly remain secure is if 90% of the population was made up of computer pros.

          Oh wait, you think that Linux as it is right now is good enough for the population at large? Sorry, it's not. Ubuntu is definitely moving in that direction, but it's not there....and it won't be for several years, assuming it ever gets there.

          If you know what you're doing on Windows, you're unlikely to get a virus, trojan or a worm. Most, though not all, attacks rely on users who have no security software (and yes, I know people who operate without a firewall) and many of them don't keep up to date with patching (yes, they actually turn it off).

          notsofast
          • When you say "Windows", which version would that be?

            And do you mean the "just released" pay-for betas? Or the "been in the wild" XP which is being deceased?
            fr0thy2
      • Yeah, sure, its Linux

        The whole article repeats all the same BS I've been hearing from Linux, nothing special and nothing different.
        hectormacias
        • No it doesn't.

          And if it does, link to your sources please...
          fr0thy2
  • RE: Inside the Google Chrome OS security model

    [i]"It's like the iPhone for your netbook. It will be very tough to break into," said one prominent security researcher who read the document.[/i]

    Yeah, that guy might want to rethink that one before speaking. Anyways, I don't think the malware issue is of concern on Google Chrome; it's the data stored on the servers which is where the jackpot will be.
    Loverock Davidson
    • Who is going to trust this?

      " its the data stored on the servers which is where the jackpot will be"

      Considering Google's policy of "if it's on our servers, it's ours", who is honestly going to replace locally-stored data with this OS, knowing that they agree to allow Google to take whatever they want and sell it to advertisers and market researchers?

      Cost of Linux source code to Google: $0.00

      Cost of consumer data that they stand to profit from: Priceless
      Joe_Raby
    • Trust will have to be earned

      And it won't be earned overnight. They'll basically have to be 100% security flaw free (not counting breaches due to people who give away their own passwords due to their own incompetence) for a good amount of time (years) to prove their worth. Then and only then will the untrusting public be won over.

      And even then, let's face it, some people cannot be trusted not to lose their own passwords to thieves (either through being overly careless or through social engineering attacks). So this will not be a solution for everyone. But that's okay, I wouldn't want this to be the only solution any more than I would want Windows to be the only solution. Choice is good.
      Michael Kelly
      • "basically" 100% security flaw free?

        I guess this is a tacit recognition that it is impossible to know that any system is flaw free with absolute certainty. But by what measures do you judge something to be "basically" security flaw free?

        I agree that choice is good. Too bad these forums degrade so quickly into fanboi flame wars.
        zdnet-gregc
  • Does not matter.

    Does not matter if you have invincible walls when your door is made of wood and your window made of glass.

    Nothing can be certain in security... having wild claims of "So and so is impenetrable" will just lead to another disappointment for the gullible ones.
    Ceridan
  • Here's the problem with Google's "security":

    "11. Content licence from you

    11.1 You retain copyright and any other rights you already hold in Content which you submit, post or display on or through, the Services. [b]By submitting, posting or displaying the content you give Google a perpetual, irrevocable, worldwide, royalty-free, and non-exclusive licence to reproduce, adapt, modify, translate, publish, publicly perform, publicly display and distribute any Content which you submit, post or display on or through, the Services. This licence is for the sole purpose of enabling Google to display, distribute and promote the Services[/b] and may be revoked for certain Services as defined in the Additional Terms of those Services.

    11.2 [b]You agree that this licence includes a right for Google to make such Content available to other companies, organizations or individuals with whom Google has relationships[/b] for the provision of syndicated services, and to use such Content in connection with the provision of those services.

    11.3 [b]You understand that Google, in performing the required technical steps to provide the Services to our users, may (a) transmit or [u]distribute your Content over various public networks and in various media[/u]; and (b) [u]make such changes to your Content as are necessary[/u] to conform and adapt that Content to the technical requirements of connecting networks, devices, services or media. You agree that this licence shall permit Google to take these actions.[/b]

    11.4 You confirm and warrant to Google that you have all the rights, power and authority necessary to grant the above licence."

    -- www.google.com/accounts/tos
    Joe_Raby
    • Trust us.. your data is secure....

      and will serve us to make profit on your work without your knowledge/agreement...
      Ceridan
      • Except that...

        the agreement is called the EULA, and users do agree to it. See the policy link I posted.

        I wonder if they'll leave out those bits though, or just say "see our policy online", after users have to agree to it to use the OS to check the website.

        I think it's amazing that anybody uses their services, especially businesses that sign up to Google Apps.

        Google Chrome OS: "You don't need to worry about spyware in our OS - it's built-in!"

        FWIW: What did Google say about advertising within their OS?
        Joe_Raby
        • Except that the EULA's

          have already been raising alarms among people by saying that they are illegal/unenforceable in most cases.
          Lerianis10
          • Don't forget...

            Chrome OS might become illegal in Canada also... there's a law on the table that renders stealth updates illegal

            (Side effect of preventing installation of software without the permission of the user (aka anti-Sony rootkit law... 7 years too late)
            Ceridan