November 23, 2009 12:29 PM PST

Chrome OS security: 'Sandboxing' and auto updates

by Elinor Mills

With most computers threatened by attacks coming through Web applications, it's no surprise that security would be a key piece of Chrome OS, Google's browser-based operating system that stores data in the cloud.

In this video, Google security engineer Will Drewry explains how Chrome OS separates user data from root or system data, which makes the system more secure and the operating system easier to re-install.

(Credit: Google)

Google showed off its new lightweight operating system designed for Netbooks and cloud computing on Thursday. As anticipated, it will rely on many of the same security features and concepts used by the Chrome browser.

"The browser is the operating system. We've expanded the browser to add operating system functionality," Caesar Sengupta, a group product manager at Google, said in an interview.

Chrome OS uses a combination of operating system-level protections and exploit mitigation techniques to limit the attack surface, or amount of code that can be targeted in an attack, and to reduce the likelihood of an attack being successful. "The biggest security impact is that all applications run within the browser," Sengupta said.

Chrome relies heavily on sandboxing, keeping different processes and applications in separate partitions. This limits the interaction between applications and the OS kernel.

For example, with conventional operating systems, if an application crashes, it can crash or otherwise affect other programs that are running, Sengupta said. "But if everything is sandboxed, that becomes more difficult to do," he added.

Many systems are compromised by deceptive attacks, such as when a user opens an innocent-looking PowerPoint file which unleashes a virus or other malware that can get access to everything on the computer.

With Chrome, "applications can't just download any binary and run it," Sengupta said.

Chrome has a verified boot process that uses cryptography to ensure that the Linux kernel, the nonvolatile system memory, and the partition table are not tampered with when the system starts up, according to a security overview of Chrome. (Google security engineer Will Drewry explains the security concepts of Chrome OS in a video on YouTube.)

"Right now, on your conventional operating system, any kind of process can run, which makes it difficult to predict what any process will do," Sengupta said. "On Chrome, because the whole operating system is essentially signed by Google, there is a lot we can do to make it secure."

If an application somehow manages to break out of the browser sandbox, get past the kernel hardening and process infrastructure, and change something on the operating system, the change will be detected the next time the user boots up the machine. "As soon as it detects something is different and not signed by Google, it will warn the user and try to clean itself again," Sengupta said.
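As an added example (not Google's code and not Chrome OS's actual verified-boot format), this Go program models the check the article describes: a vendor-signed manifest of component digests is verified at boot, so a kernel or partition table modified after signing, or a manifest re-signed with an untrusted key, is flagged rather than booted. Manifest, VerifyBoot and the sample images are assumptions constructed for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Manifest models the signed boot descriptor: SHA-256 digests of the
// kernel image, the nonvolatile firmware region and the partition table.
// The type and field names are hypothetical, not Chrome OS's own format.
type Manifest struct {
	Kernel, Firmware, PartTable [32]byte
}

// bytes serialises the manifest in a fixed order so the signature covers every digest.
func (m Manifest) bytes() []byte {
	b := append([]byte{}, m.Kernel[:]...)
	b = append(b, m.Firmware[:]...)
	return append(b, m.PartTable[:]...)
}

// VerifyBoot returns nil only if the manifest is signed by the vendor key
// (which would live in read-only firmware) AND every component hashes to its
// manifest entry; any mismatch is reported so the system can warn and re-install.
func VerifyBoot(pub ed25519.PublicKey, m Manifest, sig []byte, kernel, fw, pt []byte) error {
	if !ed25519.Verify(pub, m.bytes(), sig) {
		return fmt.Errorf("manifest not signed by the trusted vendor key")
	}
	checks := []struct {
		name string
		want [32]byte
		got  []byte
	}{{"kernel", m.Kernel, kernel}, {"firmware", m.Firmware, fw}, {"partition table", m.PartTable, pt}}
	for _, c := range checks {
		if sha256.Sum256(c.got) != c.want {
			return fmt.Errorf("%s digest mismatch: modified after signing", c.name)
		}
	}
	return nil
}

func main() {
	// Constructed sample: the vendor signs a manifest over known-good images.
	pub, priv, _ := ed25519.GenerateKey(nil)
	kernel, fw, pt := []byte("vmlinuz-sample"), []byte("fw-sample"), []byte("gpt-sample")
	m := Manifest{sha256.Sum256(kernel), sha256.Sum256(fw), sha256.Sum256(pt)}
	sig := ed25519.Sign(priv, m.bytes())
	fmt.Println("clean boot:", VerifyBoot(pub, m, sig, kernel, fw, pt))
	// A kernel modified after signing (constructed) is caught at the next boot.
	fmt.Println("tampered:", VerifyBoot(pub, m, sig, []byte("vmlinuz-modified"), fw, pt))
}
```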

Cleaning up is easier than with a standard operating system, too, because the system data is separated from the user data, which includes user preferences, system settings, and a local cache of data stored on the Google servers in the cloud, he said.

All user data stored by the operating system, browser, and any plug-ins is encrypted, and users cannot access each other's data on a shared device, according to the Chrome OS security page.

Meanwhile, Chrome will automatically update to get the most recent software and patches for the operating system, just like the Chrome browser updates in the background while users are online, Sengupta said. Users will not run the risk of having their system get infected or compromised before they can install updates, as happens with Windows and other software.

In addition, the antiphishing technology found in the Chrome browser will protect Chrome OS users from inadvertently visiting malicious Web sites, he said.

Google is publishing detailed design documents on Chrome OS, which will allow security experts to scour the code for weaknesses over the next year before the operating system is released to the public, according to Sengupta.

There are some security and networking technologies that are supported in other operating systems that Google is passing on, at least for now.

Google will keep an eye on biometric authentication technologies, but believes that the cost/reliability trade-off is not where it needs to be just yet, according to the security overview for Chrome OS. Smart cards and USB crypto tokens are "interesting technology, but we don't want our users to have to keep track of a physically distinct item just to use their devices," the overview concludes.

Google is likewise not interested in Bluetooth, a wireless protocol widely used in laptops and handheld devices, for authentication. "Bluetooth adds a whole new software stack to our login/screenlocker code that could potentially be buggy, and the security of the pairing protocol has been criticized in the past," the security overview says.

Updated November 24 to clarify that Bluetooth is not being considered for authentication.

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press. E-mail Elinor.
23 Comments
by t8 November 23, 2009 1:39 PM PST
Chrome OS makes perfect sense to me.
by gerrrg November 23, 2009 1:57 PM PST
The verified boot process seems key to keeping your machine clean...wouldn't it be nice if all OSs would do that?
by Lerianis3 November 23, 2009 2:22 PM PST
Windows does do that. So does OSX. The problem is that it is VERY EASY to impersonate the 'verified' things in those operating systems.... at least up until Windows 7, I don't know what they do there to verify things and protect the boot.
by YankeePoodle November 23, 2009 2:25 PM PST
Chrome OS is bah humbug!!!
by censorshipblows November 23, 2009 2:35 PM PST
Rock on G-Men.
by autuumn November 23, 2009 3:09 PM PST
My four concerns are:

1. Can I impersonate a "verified" component? What if this component is uploaded to the cloud, is there a chance it could always be downloaded after a reboot?

2. What if I don't reboot for a long time and I'm compromised, am I going to always infect my files until I reboot? How destructive could the virus be...erasing and/or changing my data? Seems like a bad idea to wait until a reboot.

3. If a virus is uploaded via a netbook, could it infect the cloud?

4. Could a virus be uploaded (in)directly into the cloud?
by t8 November 23, 2009 5:13 PM PST
No.
by sundance808 November 23, 2009 3:30 PM PST
sandboxing? sounds like java.
by robbtuck November 23, 2009 8:58 PM PST
You're right, this concept has been around for quite a while, and Sun Java was on the road to enabling cross-platform applications running within the browser until Microsoft adopted and corrupted it into J++ and then C# which supports only heavy-client Windows apps. It will be interesting to see how Google's Chrome OS does against Microsoft's efforts to maintain desktop dominance.
by wjsteele November 24, 2009 1:20 AM PST
What do you mean "C# which supports only heavy-client Windows apps"??? C# can be used on a whole range of devices, just like Java can. (In fact, I have a watch that is running C# in the .NET Micro Framework without Windows at all!)

They're both based on the same concept of using a runtime and a bytecode-based language, a la Smalltalk. I might add, Microsoft's Silverlight allows C# to run in the browser, along with VB and several other .NET-based languages as well.

Also, I fail to see how Microsoft's efforts prevented Sun from truly implementing their vision. They didn't... Sun's vision was too optimistic... the concept of "Write Once, Run Anywhere" didn't hold up because of the different types of devices available, from Mobile to Server. Java found its niche on the app server platform, so that is where Sun (and others) invested their efforts.
by heulenwolf November 23, 2009 6:30 PM PST
I think the approach is brilliant: The trick with any backup and restore, secure boot, or read-only boot scheme has been the applications, historically. Separating user *data* was never challenging, but Windows just didn't do it. Use existing PKI to verify the code and then there's no more local storage needed for applications (when connected). I'm curious to see about the implementation. If they're successful in caching web apps that do the things you want while away from the connection (e.g. movie player for a 6 hour plane ride), maintain their security principles, and make the UI compelling, keep power consumption low and boot times fast, I think they've got a winner.
by jake3373 November 23, 2009 6:56 PM PST
I can see why they are targeting netbooks. This is pretty much all a netbook is used for - internet, watching a DVD on the plane, maybe the occasional video or PowerPoint that you have to hand in to your boss the next day.

I downloaded the beta source code and compiled it. It runs pretty well, however I have a few concerns:
a) The interface needs a bit of work. It looks OK until you open a context menu.
b) How are people going to install new drivers? Will it be Google's "it just works" thing?
c) I wish it could be more like Dropbox, where you have a copy of everything in the cloud, on your computer, and on other computers, and it all automatically syncs. This way, you can still access files while offline, and the changes will just apply once you re-connect. (I guess you could do this with offline Google Docs with Google Gears)
by knowles2 November 24, 2009 1:50 AM PST
How are people going to install new drivers? Will it be Google's "it just works" thing?

The only way I can truly figure this is that Google would work with the hardware companies to produce the drivers. Then when someone plugs something into the computer the OS will seek out the drivers from Google servers.

As to the sync function, I think the new bookmark sync in the Google Chrome browser demonstrates the path they are slowly going down.
by freemarket--2008 November 25, 2009 6:03 AM PST
What drivers? It will come pre-installed with all necessary drivers and most likely standard USB support.
by sylentz November 29, 2009 7:31 AM PST
HOW CAN I GET GOOGLE OS FOR MY COMPUTER
by forever4now November 24, 2009 1:19 AM PST
It's great that Google open sourced ChromeOS early. This will allow outside industry & academic individuals & institutions to evaluate & contribute to ChromeOS, to rapidly advance the platform, before it releases next year.

Hopefully, over the next year, we'll also start to see some VERY powerful web apps based on HTML5, SVG, WebGL, O3D, Native Client, etc., thanks to strong support for these technologies in ChromeOS.
by noesnoesnoes November 24, 2009 1:24 AM PST
This certainly sounds rugged and since this is built from the ground up, Google can get security right the first time, unlike Microsoft Windows.

However, the real question of security is: how safe are Google's servers? What kind of policies do they have to prevent people going through our data? How do we know they won't meddle around? When Google owns our data, we have to be really, really careful.
by Highlowsel November 24, 2009 4:01 AM PST
Noes: You say..."the real question of security is: how safe are Google's servers? What kind of policies do they have to prevent people going through our data?"

Indeed. Call me paranoid but I hold to this maxim. No one will EVER have as focused a concern about your data than YOU. I operate from this first principle always. This is not to say I don't see value in what Google is attempting to do. I do. It's just that I don't expect them to have my best interests at heart. They are, after all, a profit-driven enterprise and will always act from this position. I, in turn, will act from mine.

Consequently I will always only expose myself in Cyberspace (a la "the Cloud") in just such sufficiency to meet my needs, not theirs.....trusting in the keepers of a Cloud repository is a fool's dream....besides...think of it this way....and to paraphrase Milton Friedman's recent commentary...would you trust any such organization that bends so willfully to the dictates of a government such as Communist China? Clearly they would have no compunction in using your data, however "encrypted", if it serves their purposes.....buyer beware!
by RompStar_420 November 24, 2009 8:37 AM PST
I love it!!! Apple got their crap together and got the OS X (proven good), Then even before that we have Linux, that has improved leaps and bounds and now we will have Chrome, YES AND YES!!

This will force Microsoft to start doing a good job, and drinking less beer in their office. Comply and change or go out of business. Fire Ballmer and bring back Bill Gates.

Thank you.
by darthstupid November 24, 2009 6:54 PM PST
OH NOES GOOGLE IS TRYING TO CONTROL MAI COPMUTER!!! WAI WONT THEY LEMME INSTAL SOLITARE ON MAI COPMUTER?!?!
by gfsdfge November 27, 2009 9:27 AM PST
What a bunch of nerds. M$'s only goal was to sell you software. Google's goal is to track you, categorize you, and sell information about you all while stuffing advertising in your face. Yet M$ is evil and Google isn't??
Ford or Chevy, who cares.
by servermaker November 27, 2009 11:04 AM PST
if Chrome is anything like Google Enterprise Apps it is going to be DOA for any chunk of the market that will actually pay money for software. I have tried really, really hard to like GEA, but we are dumping it this week and heading back to Exchange. The folks at Google really just don't seem to understand the Enterprise IT market --- which is a serious bummer.
by n3td3v November 27, 2009 11:32 AM PST
When they said "Chrome OS Security" did they forget to mention Google will harvest all your data and store it on their servers?