July 22, 2009 4:00 AM PDT

Chrome security in limelight with Google OS plan

by Elinor Mills

The techniques Google uses to protect Chrome users from browser-based attacks have taken on new importance with the company's plan to make the software the centerpiece of a Netbook operating system.

Two weeks ago, Google announced plans for the open-source Chrome OS designed for people who spend most of their time on the Web. The Google Chrome operating system is a "natural extension" of the Chrome browser, Sundar Pichai, vice president of product management, and Linus Upson, engineering director, said in a blog post, with the browser running atop a Linux foundation.

Like the Chrome browser, the Chrome operating system will be built from the ground up with development focused on three key areas: speed, stability, and security. "We are going back to the basics and completely redesigning the underlying security architecture of the OS so that users don't have to deal with viruses, malware, and security updates," the post said.

Google representatives declined to elaborate on plans for the operating system, but it's highly likely it will align closely with what they have done with the browser, particularly given the fact that attacks on the browser now outnumber those targeting the underlying operating system. The number of new browser vulnerabilities has increased rapidly every year since 2003, and the number discovered in Web browser plug-ins has more than quadrupled, according to the National Vulnerability Database.

It's also notable that Google put features in its browser that are typically associated with operating systems.

"Google Chrome from day 1 had its own task manager, just like Windows did, showing memory consumption and CPU utilization. I said that's what an operating system has. It's a fairly clean translation," said Billy Hoffman, manager of Web Security Research Group at HP Software and Solutions.

Chrome OS, whose source code is due to be released publicly later this year as Google tries to enlist open-source programming allies, is likely to change the operating system landscape just like Chrome the browser did, prompting rivals to try to match or beat its features.

"The innovation (coming out) of the browser wars is bringing more and better security," Hoffman said. "The Chrome browser itself is fairly hardened, and we hope they move into more user protections like IE 8 and Firefox."

Chrome has several design features that optimize security: sandboxing, which restricts privileges of key parts of the browser so it's harder to co-opt them for mounting an attack, and multiprocess architecture, which stores Web sites and Web applications in separate areas of browser memory and isolates them from the rest of the computer.

Overall, security experts say Chrome shows that Google takes security seriously and its developers are willing to try new approaches to achieve it.

"Google has done a lot of innovation in terms of security in Chrome," said Matt Wood, a senior researcher in Hoffman's department at Hewlett-Packard.

Google added a Task Manager to its Chrome browser, spotlighting a design decision that parallels operating systems.

(Credit: Screenshot by Stephen Shankland/CNET)

Starting from scratch
Being new to the browser game helped.

"By starting fresh, we had the option to do very innovative things we wouldn't have been able to do otherwise," said Ian Fette, the Chrome product manager specializing in security features.

What set Chrome apart when it launched in beta last September was that it splits the browser up into multiple parts. The browser kernel interacts with the operating system and handles only trusted code, storing things like bookmarks and cookies on the computer. Other main components, the rendering and JavaScript engines that figure out how to display Web pages and execute Web-based JavaScript programs, run with restricted privileges in a sandbox that limits access to the underlying system.

Chrome's initial line of defense is to check a site being visited against several anti-malware and anti-phishing blacklists that comprise Google's Safe Browsing service.

If some malware evades the safe browsing screen it's likely to be blocked by Chrome's sandboxing technology. The sandbox runs an application in a restricted environment, isolating HTML rendering and JavaScript execution to prevent them from writing to the hard drive or registry or accessing files.

"The goal is to make it impossible for malware to install itself and access your data on your local computer," Fette said.

Chrome also restricts each browser tab to its own computing process. That further prevents malware from being downloaded or interacting with other Web pages that are open in other tabs.

Automatic updates
Another aspect of Chrome that security experts praise is the so-called "silent" auto update feature. New versions of the browser are automatically updated on computers in the background without the user taking any action.

Chrome checks for updates every five hours using the open-sourced Google Update software code-named Omaha that polls for updates even when the browser is not running. When a new update is available on the Google server, the client automatically downloads and installs it in the background without prompting the user. The new version of the software gets applied when the browser is restarted.

Given that more than 45 percent of Internet users don't use the latest Web browser version, according to Google research, it would seem that there is a huge need for this.

"Our philosophy is users shouldn't have to care," Fette said. "Everything should keep working for them."

When Chrome first launched in September it had two vulnerabilities that were exploitable. Google released patches for them within 24 hours, he said.

"End users don't know whether to refuse or accept software updates. Chrome just forces them on people," Hoffman said. "It's a good example of not letting users make poor security choices."

Nevertheless, some want the choice. For IT administrators who want to control software updates themselves, Google recently added options to let enterprises customize when and how they get Chrome updates, Fette said.

Chrome, which released its latest security patch this week, had 14 exploits last year based on statistics on the Milw0rm site, Wood said. However, comparing the number of exploits or patches for Chrome with those for Internet Explorer or Firefox is difficult because Chrome has far fewer users and thus is less targeted by attackers, he said.

Tricking the user
Chrome does a great job of protecting against exploits of vulnerabilities in which attackers sneak code through a hole in the browser to install malware or run code on the computer, experts said. However, it's not so good when it comes to protecting users against Web-based attacks like cross-site scripting, cross-site request forgery, SQL injections, and phishing, in which an attacker tricks users into doing something they didn't intend via the browser, they said.

"One thing Google needs to work on where they haven't really focused is on stuff like user security," said Wood.

Chrome lacks the plug-in support Firefox has to protect against malicious scripts hiding on Web sites. For instance, there is no Chrome equivalent to the NoScript Firefox plug-in that lets users choose which scripts on a site they want to run or block. But that is likely to change.

"We are in the middle of building out our own browser extension system so that something like NoScript could be done," Fette said. "For many people it's a noisy option. It asks a lot of questions and if you're not focused on security it could be hard to make it work."

Internet Explorer 8 offers a cross-site scripting defense mechanism that protects users against those types of attacks, Wood said.

Google is evaluating cross-site scripting protections, but, Fette said, "You have to make sure it's based on standards and won't break sites."

IE also lets users turn off JavaScript. Chrome doesn't, but it does sandbox JavaScript.

"If you turn off JavaScript you may turn off navigation on a bank site" or otherwise render a site unusable, Fette said. "It's not an option we feel is viable, so we don't offer it."

Two other popular exploit targets, Adobe Flash and Adobe Reader, are not sandboxed in Chrome because doing so caused problems with auto update or other features, he said. "Sandbox is not a panacea," Fette said.

The two-browser prescription
Jeremiah Grossman, chief technology officer and co-founder of WhiteHat Security, suggests that people use two different browsers for the safest experience: Chrome for "promiscuous Web surfing" and Firefox with the NoScript plug-in for important activities such as checking e-mail or online banking.

Asked to comment on that suggestion, Fette said that because each Chrome tab is a separate process the system has the same protection as using two different browsers.

Finally, Chrome should do a better job at password management, according to Wood. None of the other browsers does better, but Google should raise the bar, he said.

"There is no real security with password management. You can open it up and see all the passwords in clear text," he said. "A browser needs a good password manager. People can't remember all the passwords for all the sites on the Internet."

In response, Fette said someone with access to the computer already can do plenty of damage--for example installing a key logger to monitor what the user types.

"Chrome came out and lit a fire under Firefox and IE. It's driven a lot of innovation and a lot of that has been in security and general usability," said Wood. "We're moving toward a more secure browser. A lot of that has to do with getting people to understand about the threats that exist on the Web."

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.
by FF2009 July 22, 2009 4:53 AM PDT
I like what I hear from Google. I just wish they get add-ons for Chrome like Firefox has, then I might use Chrome again.
by abcd9009 July 22, 2009 11:52 AM PDT
@FF2009,

I hear ya. Not even all the add-ons. I just need 2 - NoScript and Adblock Plus. That is all I am asking.
by cb3431 July 22, 2009 6:10 AM PDT
Google has done a great job of convincing people it's not spyware. Google harvests your personal information and sells it to advertisers. Is this not what spyware does?

It's nice how Chrome is given credit where credit isn't due.
by cougar888 July 22, 2009 7:22 AM PDT
Personally, I would rather ads that apply to me than ads that don't. Advertisers need money too. Heck, they fund most everything that is free to the end user. If the ad actually applies to me, I am more willing to look at it. I think Google has a good balance of what information can be shared (such as what sites I visit) and information that shouldn't be shared (my passwords or name).
by freemarket--2008 July 22, 2009 7:57 AM PDT
"Is this not what spyware does?" Umm, no. Spyware operates without your consent or knowledge.

Does Google not disclose what they do? Do Google apps install without your consent? Case closed.
by mathcreative July 23, 2009 11:18 PM PDT
Plus it's open source. So you can be for sure that the software's not doing anything weird
by jessiethe3rd July 25, 2009 10:33 PM PDT
If people don't care about their privacy let 'em use it. Personally I am not using their garbage - it's Spyware. After things like the Patriot Act people seem more willing than ever to hand their personal information over (their browsing habits (whatever that may be... news, porn, blogs, etc) and essentially allows Google to collect, hold, and profile you. People are stupid to be trusting of any profit seeking company. The more privacy you give up freely the more they'll take. I'm going to ensure everyone that I know who asks me about Google OS knows the full story about Google's ambition. I will never use this type of intrusive garbage. Ever since Google bought Doubleclick they have become a spyware company with a "Do no evil" slogan... an oxymoron... make profits and do no evil.

It's too bad that by the time people get this it will be much too late.
by liquidmetalband July 22, 2009 7:28 AM PDT
Google is looking to store your data on their servers, so the only security involved is the quality of your password.
by freemarket--2008 July 22, 2009 7:59 AM PDT
Hardly. There are still viruses, keyloggers, spyware, phishing etc to consider.
by jake3373 July 22, 2009 6:43 PM PDT
Yeah, but at least they can't destroy your data that's on your computer, because there's nothing there
by CreativeMalcolm July 22, 2009 8:32 AM PDT
I can't wait till Google takes out a big chunk of the Netbook market. With Google making a high quality low end product for free, and Apple taking the high end, Microsoft is going to feel real pinched.
by cary1 July 22, 2009 10:08 AM PDT
Apple has top 5% of the market. Google will get bottom 5%. Microsoft will have to live with only 90%. Indeed, Microsoft is going to feel real pinched.
by Mr. Dee July 22, 2009 10:24 AM PDT
Sorry, but that's wishful, hopeless thinking. Look at the Netbook market today, Linux could never satisfy users, so they turned to the next best thing, Windows XP. The reason why Vista was not adopted on Netbooks was because of its disk footprint. With Windows 7, expect Microsoft to own this market entirely. Also, how can you compare Apple's weak 35 million user base to Microsoft Windows' more than 1.2 billion? I don't see a mass migration happening overnight. Google doesn't have marketing, partnership, killer apps and people just don't trust all their personal belongings living in a cloud.
by BtmnHatesRbn July 25, 2009 8:22 PM PDT
For the trolls, prove your statements, as Apple now controls around 35% of the market and M$ doesn't have a billion users. Nowhere near. Let's see...30 million still on 95, 70 million still on 98, 50 million on ME, combined total of 120 million NT/2000/XP users, and, of actual Vi$ta users, less than 30 million. That nowhere equals 1.2 billion. Nice number to make up. That's the exact number of Islamists on Earth according to estimates.
by jessiethe3rd July 25, 2009 10:45 PM PDT
Again more idiot talk.. Google Chrome OS is not free - you pay for it with your privacy. Google stands to make money off your data, your information, your shopping habits, what you search, what you look at... to be quite honest, they are building a system to profile you. People's laissez-faire attitude towards their private information is absolutely astounding to me. People complain about software like Windows OS as being too much or OS X as being too much and then they openly allow a company to intrude into their habits and profile them for selling to other companies... this is just shocking really - can't understand why people are just so.... open to be exploited.
by FF2009 July 26, 2009 5:13 AM PDT
@jessiethe3rd

Technically, there is no such thing as privacy in the cyber world. The minute you log on to the Internet you are being watched by every website you are browsing. Don't fool yourself thinking CNET doesn't know where and what you are clicking at this moment.
by jessiethe3rd July 26, 2009 7:53 AM PDT
And offering up more content and more information is a good thing to do? Keep taking your laissez-faire attitude loving things like Chrome OS which just remove the final barrier between you and the internet. See I can turn off this browser and go work on an application somewhere and no one will know what's going on. With Chrome OS there will be no turning off an application. With Google Talk there will be no option to opt out of your conversations being recorded or turned from voice to text for internet marketers.

Yes, technically there is no such thing as privacy. Sure not everyone knows how to IP Spoof, VPN, or even turn off cookies (have you ever tried to turn off a cookie lately? Everything basically stops working in webpages... pretty funny.)

Regardless of whether I know that the internet is not private or not - a company who believes in its statement of "Do no Evil" yet sells anything you do on the internet to the highest bidder is scary. People have accepted that having no privacy on the internet is okay. People are okay with:

* Google Health - where all your healthcare information will be collected and sold to the highest bidder
* Google OS - where your every move will be tracked completely... where even the words you type are sent to Google before you send them to cyberspace (I haven't used that term in a while!)
* Google Docs - where anything you post can be sold, marketed, advertised, and shared by Google and its partner community
* Google Talk - where you can have ads specific to you given to you as ring tones... all conversations will be recorded and converted to text where the words you say will be analyzed with Adsense to provide the best marketing experience. Talk to someone about your parents dying, receive some information from a marketer about caskets.

The possibilities and consequences are very scary and the part that's even scarier is that now that Google has done it and become "successful" every company seems to have jumped aboard the target marketing bandwagon. Hey it's cool that Google has all my information and it's open to the public - maybe they should be just as open... talking about their 10,000 layoffs in public a little bit more loudly (yes - they laid off roughly 10,000 in the last few months to shore up CapEx spending.)

"Do no Evil." An oxymoron for a company.
by Police_States_of_America July 22, 2009 8:38 AM PDT
Chrome OS can't come soon enough. Ubuntu hasn't really fulfilled its promises of being an easy to use operating system for the average human being, but ChromeOS will no doubt be just that.

Google also have the $ to throw behind getting good apps as well. Still, no 64bit support!
by BtmnHatesRbn July 25, 2009 8:24 PM PDT
You can say that again about Ubuntu. Or even gOS. It has WINE, but experiments I conducted is that people have an old copy of Office 97 or they want to install the newest version of iTunes and WINE can't do it. At all. Also, I'm not wasting my time tweaking and teaching. If I have to do that, that's a bad OS.
by vames86 July 22, 2009 11:14 AM PDT
According to Google, "privacy doesn't exist" so why the hell do people give this company any time of day? They are trying to force out native applications so everyone can get online to view ads. You have to look at what might happen if they succeed, all the sites that deal with native applications for download could be crippled, people lose jobs and Google gains.

You know what, Google and their way of trying to change things to their liking can *****************************
by vames86 July 22, 2009 11:17 AM PDT
oh wow, that last bit was a bad one, so bad it got starred out :) What I am doing now? Using Bing for starters
by mathcreative July 23, 2009 11:21 PM PDT
they keep a record of your searches and install cookies in your browser just like google.
by jessiethe3rd July 26, 2009 7:38 AM PDT
Yes but Microsoft is nowhere close to being the internet overlord. They sell software. Unfortunately Google has opened up a whole new stream of revenue for them.
by July 23, 2009 2:30 AM PDT
Chrome has admittedly come a very long way. But still it is too restrictive as far as plugins, will never be able to prevent ALL forms of browser attacks, and has specific vulnerabilities to JavaScript still according to our independent testing. As for ChromeOS, we already know that Hadoop file system security and cloud security are related. See for instance: http://markmail.org/message/ejya5cwl5pgld754
What's more worrisome is that NSA has recently announced it will be deploying a Cloud Model For Intelligence Analysis, see: http://news.slashdot.org/comments.pl?sid=09/07/22/1446242

Regards,
CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS.
div. of Information Network Eng. INEG. INC.
ABA member in good standing member ID 01257402 E-Mail
jwkckid1@ix.netcom.com
My Phone: 214-244-4827
by ThatDuckGuy July 23, 2009 10:10 PM PDT
If Chrome had its RSS feeds handles like Firefox I would switch to Chrome.
by ThatDuckGuy July 23, 2009 10:11 PM PDT
*handled
by frobots July 25, 2009 11:45 PM PDT
When plugins are necessary, it means the App is at fault. If the App is complete, no plugins are necessary. Plugins must disappear.
by jessiethe3rd July 26, 2009 7:33 AM PDT
Most people don't know...
Many people know but take a laissez-faire attitude...

In a Google world, all information will be transparent and available to everyone. There will be no privacy - it's open and available to everyone including marketers. The reality is that Chrome OS exists to give Google access to your data. All of it. Chrome OS might be free of charge but you'll pay for it with your online soul.

Money isn't the currency of the Internet. Data is. Micropayments aren't made in cents or pennies, but in details about your shopping habits, or where you plan to go on vacation, what that disease is you have, or other critical things you search on, or talk about with your friends online. As they reach further outside their realm with great technology like Google Talk, one must understand all words can be translated to text and then stored. In this way all phone calls will be recorded and put on file indefinitely. Yes, you will be targeted and marketed to based on that information but what happens if that information is hacked? Should one company get access to all this information even if this company says they do no evil?

"Do no Evil?"

Latest amendment to Google Doc's privacy statement:
Section 11.1 of the Terms of Service governing Google Docs is replaced in its entirety by:

"You retain copyright and any other rights you already hold in Content which you submit, post or display on or through, the Service. By submitting, posting or displaying the Content you give Google a worldwide, royalty-free, and non-exclusive license to reproduce, adapt, modify, translate, publish, publicly perform, publicly display and distribute any Content which you submit, post or display on or through the Service for the sole purpose of enabling Google to provide you with the Service in accordance with its Privacy Policy."

Go see for yourself:
http://www.google.com/google-d-s/addlterms.html

Nothing is free.