Security

With most computers threatened by attacks coming through Web applications, it's no surprise that security would be a key piece of Chrome OS, Google's browser-based operating system that stores data in the cloud.

In this video, Google security engineer Will Drewry explains how Chrome OS separates user data from root or system data, which makes the system more secure and easier to re-install the operating system.

(Credit: Google)

Google showed off its new lightweight operating system designed for Netbooks and cloud computing on Thursday. As anticipated, it will rely on many of the same security features and concepts used by the Chrome browser.

"The browser is the operating system. We've expanded the browser to add operating system functionality," Caesar Sengupta, a group product manager at Google, said in an interview.

Chrome OS uses a combination of operating system-level protections and exploit mitigation techniques to limit the attack surface, or amount of code that can be targeted in an attack, and to reduce the likelihood of an attack being successful. "The biggest security impact is that all applications run within the browser," Sengupta said.

Chrome relies heavily on sandboxing, keeping different processes and applications in separate partitions. This limits the interaction between applications and the OS kernel.

For example, with conventional operating systems, if an application crashes, it can crash or otherwise affect other programs that are running, Sengupta said. "But if everything is sandboxed, that becomes more difficult to do," he added.

Many systems are compromised by deceptive attacks, such as when a user opens an innocent-looking PowerPoint file which unleashes a virus or other malware that can get access to everything on the computer.

With Chrome, "applications can't just download any binary and run it," Sengupta said.

Chrome has a verified boot process that uses cryptography to ensure that the Linux kernel, the nonvolatile system memory, and the partition table are not tampered with when the system starts up, according to a security overview of Chrome. (Google security engineer Will Drewry explains the security concepts of Chrome OS in a video on YouTube.)

"Right now, on your conventional operating system, any kind of process can run, which makes it difficult to predict what any process will do," Sengupta said. "On Chrome, because the whole operating system is essentially signed by Google, there is a lot we can do to make it secure."

If an application manages somehow to break out of the browser sandbox, to get through the kernel hardening and processing infrastructure, and manages to change something on the operating system, the changes will be detected the next time the user boots up the machine. "As soon as it detects something is different and not signed by Google, it will warn the user and try to clean itself again," Sengupta said.

Cleaning up is easier than with a standard operating system, too, because the system data is separated from the user data, which includes user preferences, system settings, and a local cache of data stored on the Google servers in the cloud, he said.

All user data stored by the operating system, browser, and any plug-ins are encrypted and users cannot access each others' data on a shared device, according to the Chrome OS security page.

Meanwhile, Chrome will automatically update to get the most recent software and patches for the operating system, just like the Chrome browser updates in the background while users are online, Sengupta said. Users will not run the risk of having their system get infected or compromised before they can install updates, as happens with Windows and other software.

In addition, the antiphishing technology found in the Chrome browser will protect Chrome OS users from inadvertently visiting malicious Web sites, he said.

Google is publishing detailed design documents on Chrome OS, which will allow security experts to scour the code for weaknesses over the next year before the operating system is released to the public, according to Sengupta.

There are some security and networking technologies that are supported in other operating systems that Google is passing on, at least for now.

Google will keep an eye on biometric authentication technologies, but believes that the cost/reliability trade-off is not where it needs to be just yet, according to the security overview for Chrome OS. Smart cards and USB crypto tokens are "interesting technology, but we don't want our users to have to keep track of a physically distinct item just to use their devices," the overview concludes.

Google is likewise not interested in Bluetooth, a wireless protocol widely used in laptops and handheld devices, for authentication. "Bluetooth adds a whole new software stack to our login/screenlocker code that could potentially be buggy, and the security of the pairing protocol has been criticized in the past," the security overview says.

Updated November 24to clarify that Bluetooth is not being considered for authentication.

Mozilla and Microsoft don't always see eye to eye when it comes to browser technology, but they agree broadly on one thing: thumbs down for Google Chrome Frame.

Chrome Frame is a plug-in that puts Google's browser engine under the hood of Microsoft's Internet Explorer, and Google argues that it can modernize IE versions 6, 7, and 8 with faster page loading and JavaScript performance. It kicks in only on Web pages that Web developers have labeled with a specific tag. After Google announced it, Microsoft criticized it as creating a potentially increased risk to browsing security.

Google Wave is one site that suggests IE users install Google Chrome Frame.

(Credit: Google)

Mike Shaver, vice president of engineering for Firefox backer Mozilla, published a different concern in a blog post Monday night.

"I certainly share that longing for a Web in which the vast majority of Web users enjoy the performance and capabilities we see in Chrome, Safari, Firefox, and Opera. Unfortunately, I don't think that Chrome Frame gets us closer to that Web," Shaver said.

Specifically, Shaver said Chrome Frame can disable IE features and muddle users' understanding of Web security matters. And users of the reviled IE 6 browser, he added, often won't be able to run Chrome Frame anyway because their computer is locked down to prohibit changes or lacks sufficient power in the first place.

"As a side effect, the user's understanding of the Web's security model and the behavior of their browser is seriously hindered by delegating the choice of software to the developers of individual sites they visit. It is a problem that we have seen repeatedly with other stack plug-ins like Flash, Silverlight and Java, and not one that I think we need to see replayed again under the banner of HTML5," he said.

Shaver's advice is to rely on that ages-old technique: an upgrade suggestion on the Web site.

"It would be better for the Web if developers who want to use the Chrome Frame snippet simply told users that their site worked better in Chrome and instructed them on how to install it," Shaver said. "The user would be educated about the benefits of an alternate browser, would understand better the choice they were making, and the kudos for Chrome's performance would accrue to Google rather than to Microsoft."

Google has fixed two high-severity vulnerabilities in the stable version of its Chrome browser that could have let an attacker remotely take over a person's computer.

With one attack on Google's V8 JavaScript engine, malicious JavaScript on a Web site could let an attacker gain access to sensitive data or run arbitrary code on the computer within a Chrome protected area called the sandbox, Google said in a blog post Tuesday. With the other, a page with XML-encoded information could cause a browser tab crash that could let an attacker run arbitrary code within the sandbox.

Chrome 2.0.172.43 (click to download for Windows) fixes the issues and another medium-severity issue. Once Chrome is installed, it retrieves updates automatically and applies them when people restart the browser.

Google won't release details of the vulnerabilities until "a majority of users are up to date with the fix," Engineering Program Manager Jonathan Conradt said in the blog post.

Two researchers for Hewlett-Packard have created a browser-based darknet, an idea that could make it easier for businesses to keep eavesdroppers from uncovering confidential information.

Darknets are encrypted peer-to-peer networks normally used to communicate files between closed groups of people. Most darknets require a certain level of technological literacy to set up and maintain, including taking care of the necessary servers. However, HP researchers Billy Hoffman and Matt Wood plan next week to demonstrate a browser-based darknet called "Veiled," which they claim requires little proficiency to set up and run.

"This will really lower the barriers to participation," Wood told ZDNet UK. "If you want to create a darknet, you can send an encrypted e-mail saying, 'Here's the URL.' When (the recipient visits) the Web site, the browser can just get (the darknet application) going."

Hoffman and Wood are scheduled to demonstrate the technology next week at the Black Hat security conference in Las Vegas.

Wood said HP does not want to turn the project into a commercial product. While the company does not plan to make the source code available, the researchers do plan to open source their idea, so to speak, so other security researchers can "pick up the baton."

"HP has no desire to patent or copyright or release any code," Wood said. "Black Hat is one of the top security conferences, and we want to get this cool idea into the hands of people who are really smart."

Businesses could use browser-based darknets to set up workgroups to exchange commercially sensitive information, or to have a means of making anonymous suggestions to management, Wood said. "I like the idea of a suggestions box on the Web," he said. "It provides an anonymous way to make suggestions to your boss."

HP's darknet research came about when the researchers realized the potential of new browser technologies, according to Wood.

Browsers with HTML 5 support--such as recent versions of Firefox, Safari and Internet Explorer--allow files to be stored "persistently" on the client, for working on them when offline. This feature, coupled with the distributed grid-computing nature of a darknet, means files can be effectively uploaded in perpetuity, even when the initial browser has been shut down. It also makes the darknet resilient, said Wood.

"One of the benefits of a darknet is that they are distributed," said Wood. "To destroy it, you would have to take down all of the clients, because if one server gets compromised, you just shift to a different server. They can hop around."

Advances in JavaScript engines, such as Google's Chrome V8 and Mozilla's TraceMonkey, have also helped make browser-based darknets possible, according to Wood. These engines allow browser-based communications to be set up quickly and encrypted. The Veiled darknet uses RSA public key cryptography, but any cryptography will work.

"Cool advances in JavaScript technology allow encryption in the browser," said Wood. "Browsers are getting really powerful."

Tom Espiner of ZDNet UK reported from London.

(Credit: Google)

The techniques Google uses to protect Chrome users from browser-based attacks have taken on new importance with the company's plan to make the software the centerpiece of a Netbook operating system.

Two weeks ago, Google announced plans for the open-source Chrome OS designed for people who spend most of their time on the Web. The Google Chrome operating system is a "natural extension" of the Chrome browser, Sundar Pichai, vice president of product management, and Linus Upson, engineering director, said in a blog post, with the browser running atop a Linux foundation.

Like the Chrome browser, the Chrome operating system will be built from the ground up with development focused on three key areas: speed, stability, and security. "We are going back to the basics and completely redesigning the underlying security architecture of the OS so that users don't have to deal with viruses, malware, and security updates," the post said.

Google representatives declined to elaborate on plans for the operating system, but it's highly likely it will align closely with what they have done with the browser, particularly given the fact that attacks on the browser now outnumber those targeting the underlying operating system. The number of new browser vulnerabilities has increased rapidly every year since 2003, and the number discovered in Web browser plug-ins has more than quadrupled, according to the National Vulnerability Database.

It's also notable that Google put features in its browser that are typically associated with operating systems.

"Google Chrome from day 1 had its own task manager, just like Windows did, showing memory consumption and CPU utilization. I said that's what an operating system has. It's a fairly clean translation," said Billy Hoffman, manager of Web Security Research Group at HP Software and Solutions.

Chrome OS, whose source code is due to be released publicly later this year as Google tries to enlist open-source programming allies, is likely to change the operating system landscape just like Chrome the browser did, prompting rivals to try to match or beat its features.

"The innovation (coming out) of the browser wars is bringing more and better security," Hoffman said. "The Chrome browser itself is fairly hardened, and we hope they move into more user protections like IE 8 and Firefox."

Chrome has several design features that optimize security: sandboxing, which restricts privileges of key parts of the browser so it's harder to coopt them for mounting an attack, and multiprocess architecture, which stores Web sites and Web applications in separate areas of browser memory areas and isolates them from the rest of the computer.

Overall, security experts say Chrome shows that Google takes security seriously and its developers are willing to try new approaches to achieve it.

"Google has done a lot of innovation in terms of security in Chrome," said Matt Wood, a senior researcher in Hoffman's department at Hewlett-Packard.

Google added a Task Manager to its Chrome browser, spotlighting a design decision that parallels operating systems.

(Credit: Screenshot by Stephen Shankland/CNET)

Starting from scratch
Being new to the browser game helped.

"By starting fresh, we had the option to do very innovative things we wouldn't have been able to do otherwise," said Ian Fette, the Chrome product manager specializing in security features.

What set Chrome apart when it launched in beta last September was that it splits the browser up into multiple parts. The browser kernel interacts with the operating system and handles only trusted code, storing things like bookmarks and cookies on the computer. Other main components, the rendering and JavaScript engines that figure out how to display Web pages and execute Web-based JavaScript programs, run with restricted privileges in a sandbox that limits access to the underlying system.

Chrome's initial line of defense is to check a site being visited against several anti-malware and anti-phishing blacklists that comprise Google's Safe Browsing service.

If some malware evades the safe browsing screen it's likely to be blocked by Chrome's sandboxing technology. The sandbox runs an application in a restricted environment, isolating HTML rendering and JavaScript execution to prevent them from writing to the hard drive or registry or accessing files.

"The goal is to make it impossible for malware to install itself and access your data on your local computer," Fette said.

Chrome also restricts each the browser tab to its own computing process. That further prevents malware from being downloaded or interacting with other Web pages that are open in other tabs.

Automatic updates
Another aspect of Chrome that security experts praise is the so-called "silent" auto update feature. New versions of the browser are automatically updated on computers in the background without the user taking any action.

Chrome checks for updates every five hours using the open-sourced Google Update software code-named Omaha that polls for updates even when the browser is not running. When a new update is available on the Google server, the client automatically downloads and installs it in the background without prompting the user. The new version of the software gets applied when the browser is restarted.

Given that more than 45 percent of Internet users don't use the latest Web browser version, according to Google research, it would seem that there is a huge need for this.

"Our philosophy is users shouldn't have to care," Fette said. "Everything should keep working for them."

When Chrome first launched in September it had two vulnerabilities that were exploitable. Google released patches for them within 24 hours, he said.

"End users don't know whether to refuse or accept software updates. Chrome just forces them on people," Hoffman said. "It's a good example of not letting users make poor security choices."

Nevertheless, some want the choice. For IT administrators who want to control software updates themselves, Google recently added options to let enterprises customize when and how they get Chrome updates, Fette said.

Chrome, which released its latest security patch this week, had 14 exploits last year based on statistics on the Milmw0rm site, Wood said. However, any comparisons to the number of exploits or patches on Chrome compared to Internet Explorer or Firefox are difficult because Chrome has far fewer users and thus is less targeted by attackers, he said.

Tricking the user
Chrome does a great job of protecting against exploits of vulnerabilities in which attackers sneak code through a hole in the browser to install malware or run code on the computer, experts said. However, it's not so good when it comes to protecting them against Web-based attacks like cross-site scripting, cross-site forgery, SQL injections, and phishing, in which an attacker tricks users into doing something they didn't intend via the browser, they said.

"One thing Google needs to work on where they haven't really focused is on stuff like user security," said Wood.

Chrome lacks the plug-in support Firefox has to protect against malicious scripts hiding on Web sites. For instance, there is no Chrome equivalent to the NoScript Firefox plug-in that lets users choose which scripts on a site they want to run or block. But that is likely to change.

"We are in the middle of building out our own browser extension system so that something like NoScript could be done," Fette said. "For many people it's a noisy option. It asks a lot of questions and if you're not focused on security it could be hard to make it work."

Internet Explorer 8 offers a cross-site scripting defense mechanism that protects users against those type of attacks, Wood said.

Google is evaluating cross-site scripting protections, but, Fette said, "You have to make sure it's based on standards and won't break sites."

IE also lets users turn off JavaScript. Chrome doesn't, but it does sandbox JavaScript.

"If you turn off JavaScript you may turn off navigation on a bank site" or otherwise render a site unusable, Fette said. "It's not an option we feel is viable, so we don't offer it."

Two other popular exploit targets, Adobe Flash and Adobe Reader, are not sandboxed in Chrome because doing so caused problems with auto update or other features, he said. "Sandbox is not a panacea," Fette said.

The two-browser prescription
Jeremiah Grossman, chief technology officer and co-founder of Whitehat Security, suggests that people use two different browsers for the safest experience: Chrome for "promiscuous Web surfing" and Firefox with the NoScript plug-in for important activities such as checking e-mail or online banking.

Asked to comment on that suggestion, Fette said that because each Chrome tab is a separate process the system has the same protection as using two different browsers.

Finally, Chrome should do a better job at password management, according to Wood. None of the other browsers does better, but Google should raise the bar, he said.

"There is no real security with password management. You can open it up and see all the passwords in clear text," he said. "A browser needs a good password manager. People can't remember all the passwords for all the sites on the Internet."

In response, Fette said someone with access to the computer already can do plenty of damage--for example installing a key logger to monitor what the user types.

"Chrome came out and lit a fire under Firefox and IE. It's driven a lot of innovation and a lot of that has been in security and general usability," said Wood. "We're moving toward a more secure browser. A lot of that has to do with getting people to understand about the threats that exist on the Web."

New versions of Google Chrome are out, fixing bugs and patching security holes in both the stable build and the beta build.

Two serious security flaws have been plugged. One had allowed for malicious code exploitation within the Chrome tab sandbox. Found by the Google security team, the threat was serious enough that Google has declined to be more specific until "a majority of users are up to date with the fix," the company said in a blog post on Thursday.

A second security risk caused by memory corruption was found in the browser tab processes. It could have been used to run arbitrary code that would crash all of the browser tabs, creating a second security hole through which an attacker might be able to run code with the privileges of the logged-on user.

Other bug fixes include updates to the V8 JavaScript engine, updates to Google Gears, and getting forward and backward navigation to work even when site redirection is involved.

The full list of changes can be read here.

Google has a long history of tracking user activity, and the introduction of its Chrome operating system later this year is sure to follow suit. While we know that it's being built off of Linux, one big thing we don't know is how its terms of service will differ from those found in other Google products, and what kinds of user data it will be collecting. Based on the company's track record of watching and monetizing user data, it could be anything from which applications you're using, to all the information that's coming in and out of your computer.

To provide a better picture on what to expect, let's take a look at some of the ways Google is currently monitoring user activity in a handful of its products and how that may trickle down into the OS:

Google personalized Web search--Google's bread and butter business is its search engine, and its personalized search is a way to put a face on the data. When you're signed in with your Google account you can opt in to having your Web history tracked; Google archives all of the sites you've clicked on from search results, as well as what time of day you clicked on them.

For those who are not signed in, the company uses identifiers like cookies and IP addresses. But when you're signed in it can actually aggregate that data no matter what computer you're on. With a system-level log-in, it could theoretically do this no matter what browser you're using, giving Google a far richer set of data.

Chrome browser--When Chrome was first released, Google got in some hot water over its terms of service, which stated that Google had the rights to license any content that went through the browser. It quickly backtracked on the claim, citing that the terms heavily borrowed from other Google products and that it didn't make sense for Chrome. This would have given Google licensing control over things like user photos, videos, and words.

The one area where Google's Chrome can still access some of that information is with its reports system. This is an opt-in program for users to provide Google with crash reports and detailed information about what features they're using. Google has said this does not include any information from form fields, or from users' Google accounts. However, it does track what sites and search terms you've entered into the address bar.

Gmail--Google's Web mail service was one of the first Web mail services to provide contextual advertising, meaning it actually goes through your e-mail messages to give you advertisements that match up with a conversation you're having. Did you mention skiing in that last e-mail? Don't be surprised if you start seeing ads for local lift tickets or a new pair of ski boots.

Gmail also tracks what features users are using, including... Read more

Wednesday's two big technology stories--Google's Chrome-based operating system and cyberattacks against U.S. and South Korean government Web sites are oddly related. The stories are connected because if Google does well at gaining market share for its browser, we could see fewer successful attacks. Or maybe we'll see more attacks.

The reason hackers succeeded in launching denial-of-service attacks against government computers in the U.S. and South Korea is because they were able to enlist an army of "zombie" computers to carry out the attack. And what do those computers likely have in common? The vast majority of them likely run Microsoft Windows.

Whether Windows is inherently less secure than Mac OS X or Linux is debatable, but one thing is for sure--it's more popular and therefore a more attractive target to hackers. Indeed with nearly 90 percent of the world's PCs running Windows, it's something of a "single point of failure." Figure out how to infect Windows PCs and you can stage a very successful attack.

Linux--which is the underpinning of Google Chrome--is not entirely exempt from malicious software but historically Linux machines are less likely to be infected. So it stands to reason that the more machines running non-Windows software, the safer we'll all be.

But there's another side to this story. The Chrome OS will be far more Web-centric than Windows, which means that many--if not most--of its applications will be running over the Internet. What's more, people's data will be stored "in the cloud," much of it on servers run by Google. So while Google may help reduce Microsoft's potential as a single point of failure, it increases its own. If hackers were successful in launching an attack on Google, that would affect not only people's ability to use Google apps, but the integrity of their data.

Although there weren't any reported data breaches, there was a day in May of this year when Google sites were partially inaccessible as a result of a technical glitch. On that day, millions of people were unable to use Google services, including Google Docs and Spreadsheets. Say what you want about Microsoft, but even if the company totally shut down its Web operations, its operating system and PC applications would still run.

Personally, I'm a big believer in competition and like cloud computing, so I welcome Google's entry into the operating system arena. But like almost anything worthwhile, it's not without risk.

Google fixed security holes with a new release of its stable version of Chrome--then released a replacement shortly afterward to prevent a batch of crashes that turned up as well.

Chrome 1.0.154.64 (download) emerged Tuesday and was intended to fix one critical security problem and one high-severity one. On Thursday, came 1.0.154.65 to fix a crash during startup that affected "a small percentage of users," said Chrome Program Manager Mark Larson.

With the first problem, an attacker under some circumstances could run attack software with the same privilege as the computer user.

With the second, an issue handling 2D graphics could potentially allow a specially crafted image to crash a tab and run an attacker's code within Chrome's sandbox security isolation system.