Chrome security in limelight with Google OS plan

Chrome security in limelight with Google OS plan
23 July 2009 | | Technology

The techniques Google uses to protect Chrome users from browser-based attacks have taken on new importance with the company’s plan to make the software the centerpiece of a Netbook operating system.

Two weeks ago, Google announced plans for the open-source Chrome OS designed for people who spend most of their time on the Web. The Google Chrome operating system is a “natural extension” of the Chrome browser, Sundar Pichai, vice president of product management, and Linus Upson, engineering director, said in a blog post, with the browser running atop a Linux foundation.

Like the Chrome browser, the Chrome operating system will be built from the ground up with development focused on three key areas: speed, stability, and security. “We are going back to the basics and completely redesigning the underlying security architecture of the OS so that users don’t have to deal with viruses, malware, and security updates,” the post said.

Google representatives declined to elaborate on plans for the operating system, but it’s highly likely it will align closely with what they have done with the browser, particularly given the fact that attacks on the browser now outnumber those targeting the underlying operating system. The number of new browser vulnerabilities has increased rapidly every year since 2003, and the number discovered in Web browser plug-ins has more than quadrupled, according to the National Vulnerability Database.

It’s also notable that Google put features in its browser that are typically associated with operating systems.

“Google Chrome from day 1 had its own task manager, just like Windows did, showing memory consumption and CPU utilization. I said that’s what an operating system has. It’s a fairly clean translation,” said Billy Hoffman, manager of Web Security Research Group at HP Software and Solutions.

Chrome OS, whose source code is due to be released publicly later this year as Google tries to enlist open-source programming allies, is likely to change the operating system landscape just like Chrome the browser did, prompting rivals to try to match or beat its features.

“The innovation (coming out) of the browser wars is bringing more and better security,” Hoffman said. “The Chrome browser itself is fairly hardened, and we hope they move into more user protections like IE 8 and Firefox.”

Chrome has several design features that optimize security: sandboxing, which restricts privileges of key parts of the browser so it’s harder to coopt them for mounting an attack, and multiprocess architecture, which stores Web sites and Web applications in separate areas of browser memory areas and isolates them from the rest of the computer.

Overall, security experts say Chrome shows that Google takes security seriously and its developers are willing to try new approaches to achieve it.

“Google has done a lot of innovation in terms of security in Chrome,” said Matt Wood, a senior researcher in Hoffman’s department at Hewlett-Packard.

Google added a Task Manager to its Chrome browser, spotlighting a design decision that parallels operating systems.

(Credit: Screenshot by Stephen Shankland/CNET)

Starting from scratch
Being new to the browser game helped.

“By starting fresh, we had the option to do very innovative things we wouldn’t have been able to do otherwise,” said Ian Fette, the Chrome product manager specializing in security features.

What set Chrome apart when it launched in beta last September was that it splits the browser up into multiple parts. The browser kernel interacts with the operating system and handles only trusted code, storing things like bookmarks and cookies on the computer. Other main components, the rendering and JavaScript engines that figure out how to display Web pages and execute Web-based JavaScript programs, run with restricted privileges in a sandbox that limits access to the underlying system.

Chrome’s initial line of defense is to check a site being visited against several anti-malware and anti-phishing blacklists that comprise Google’s Safe Browsing service.

If some malware evades the safe browsing screen it’s likely to be blocked by Chrome’s sandboxing technology. The sandbox runs an application in a restricted environment, isolating HTML rendering and JavaScript execution to prevent them from writing to the hard drive or registry or accessing files.

“The goal is to make it impossible for malware to install itself and access your data on your local computer,” Fette said.

Chrome also restricts each the browser tab to its own computing process. That further prevents malware from being downloaded or interacting with other Web pages that are open in other tabs.

Automatic updates
Another aspect of Chrome that security experts praise is the so-called “silent” auto update feature. New versions of the browser are automatically updated on computers in the background without the user taking any action.

Chrome checks for updates every five hours using the open-sourced Google Update software code-named Omaha that polls for updates even when the browser is not running. When a new update is available on the Google server, the client automatically downloads and installs it in the background without prompting the user. The new version of the software gets applied when the browser is restarted.

Given that more than 45 percent of Internet users don’t use the latest Web browser version, according to Google research, it would seem that there is a huge need for this.

“Our philosophy is users shouldn’t have to care,” Fette said. “Everything should keep working for them.”

When Chrome first launched in September it had two vulnerabilities that were exploitable. Google released patches for them within 24 hours, he said.

“End users don’t know whether to refuse or accept software updates. Chrome just forces them on people,” Hoffman said. “It’s a good example of not letting users make poor security choices.”

Nevertheless, some want the choice. For IT administrators who want to control software updates themselves, Google recently added options to let enterprises customize when and how they get Chrome updates, Fette said.

Chrome, which released its latest security patch this week, had 14 exploits last year based on statistics on the Milmw0rm site, Wood said. However, any comparisons to the number of exploits or patches on Chrome compared to Internet Explorer or Firefox are difficult because Chrome has far fewer users and thus is less targeted by attackers, he said.

Tricking the user
Chrome does a great job of protecting against exploits of vulnerabilities in which attackers sneak code through a hole in the browser to install malware or run code on the computer, experts said. However, it’s not so good when it comes to protecting them against Web-based attacks like cross-site scripting, cross-site forgery, SQL injections, and phishing, in which an attacker tricks users into doing something they didn’t intend via the browser, they said.

“One thing Google needs to work on where they haven’t really focused is on stuff like user security,” said Wood.

Chrome lacks the plug-in support Firefox has to protect against malicious scripts hiding on Web sites. For instance, there is no Chrome equivalent to the NoScript Firefox plug-in that lets users choose which scripts on a site they want to run or block. But that is likely to change.

“We are in the middle of building out our own browser extension system so that something like NoScript could be done,” Fette said. “For many people it’s a noisy option. It asks a lot of questions and if you’re not focused on security it could be hard to make it work.”

Internet Explorer 8 offers a cross-site scripting defense mechanism that protects users against those type of attacks, Wood said.

Google is evaluating cross-site scripting protections, but, Fette said, “You have to make sure it’s based on standards and won’t break sites.”

IE also lets users turn off JavaScript. Chrome doesn’t, but it does sandbox JavaScript.

“If you turn off JavaScript you may turn off navigation on a bank site” or otherwise render a site unusable, Fette said. “It’s not an option we feel is viable, so we don’t offer it.”

Two other popular exploit targets, Adobe Flash and Adobe Reader, are not sandboxed in Chrome because doing so caused problems with auto update or other features, he said. “Sandbox is not a panacea,” Fette said.

The two-browser prescription
Jeremiah Grossman, chief technology officer and co-founder of
Whitehat Security, suggests that people use two different browsers for the safest experience: Chrome for “promiscuous Web surfing” and Firefox with the NoScript plug-in for important activities such as checking e-mail or online banking.

Asked to comment on that suggestion, Fette said that because each Chrome tab is a separate process the system has the same protection as using two different browsers.

Finally, Chrome should do a better job at password management, according to Wood. None of the other browsers does better, but Google should raise the bar, he said.

“There is no real security with password management. You can open it up and see all the passwords in clear text,” he said. “A browser needs a good password manager. People can’t remember all the passwords for all the sites on the Internet.”

In response, Fette said someone with access to the computer already can do plenty of damage–for example installing a key logger to monitor what the user types.

“Chrome came out and lit a fire under Firefox and IE. It’s driven a lot of innovation and a lot of that has been in security and general usability,” said Wood. “We’re moving toward a more secure browser. A lot of that has to do with getting people to understand about the threats that exist on the Web.”

More posts from our team

Previous Post:
Next Post:

Back to all news

Five Star
Reviewed Marketing
5 gold stars
google review logofacebook review with 5 stars
"Excellent service from James at Dental Design, thank you very much for your prompt attention whenever I get in touch! Would definitely recommend to a friend" Alison Tarmey View Full Testimonial
Google reviews logo "Would definitely recommend to a friend"
5 gold stars
"As a dental practice manager I cannot recommend Dental Design highly enough. They are just brilliant at what they do. Lucy and her colleagues are just an email or a phone call away...." Emma Smith View Full Testimonial
Google reviews logo "I cannot recommend Dental Design highly enough"
5 gold stars
"Really great company to deal with. They always respond quickly and are truly reliable. I would 100% recommend, the staff are so friendly and helpful." Michelle Molloy View Full Testimonial
Google reviews logo "Really great company to deal with"
5 gold stars
"I got increased traffic and new patients applying to my surgery, once Dental Design upgraded my website. They are very professional, efficient & adaptive to new situations..." Joanna Gallop View Full Testimonial
Google reviews logo "Very professional, efficient & adaptive to new situations"
5 gold stars
"Lucy has been a star, responding to and acting upon our requests in a prompt, efficient and professional manner, as well as the rest of the Dental Design team..." Abhay Shah View Full Testimonial
Google reviews logo "I cannot recommend them highly enough"
5 gold stars
"...Since the website has been up and running Lucy Mander has been our point of contact. She has been invaluable and gone out of her way to help us, especially during COVID-19 lockdown... " Lucy Jones View Full Testimonial
Google reviews logo "Has been invaluable and gone out of her way to help us"
5 gold stars
"Thank you for all your help and support, and the provision of valuable learning aids for our patients and staff alike in these difficult times. We love the look of our practice website. Very professional!" Sandra Luck View Full Testimonial
Google reviews logo "We love the look of our practice website. Very professional!"
5 gold stars
"Dental Design stood out both in their knowledge of the industry and their professionalism and can-do attitude. All of their staff are exceptionally competent and knowledgeable..." Harvey Rook View Full Testimonial
Google reviews logo "Dental Design stood out both in their knowledge of the industry and their professionalism"
5 gold stars
"Having done extensive research into all the dental website companies, the team and package offered at dental design was unrivalled..." Neil Shah View Full Testimonial
Google reviews logo "The team and package offered at dental design was unrivalled"
5 gold stars
"The team at dental design (especially Rosie) are absolutely fantastic and are always on hand to help. They are professional, friendly and extremely efficient. Rosie always gets back..." KiKi Wilmot View Full Testimonial
Google reviews logo "absolutely fantastic and are always on hand to help"
5 gold stars
"Dental Design are fantastic to work with, our website is amazing and the support they provide is second to none. Our account manager Rosie L is a fabulous point..." Luke Lucas View Full Testimonial
Google reviews logo "Dental Design are fantastic to work with"
5 gold stars
"Having worked with the Dental Design team for the last six months, I've found them not only helpful, but friendly and approachable too. I bombard Marcus with regular..." Sophie Harper View Full Testimonial
Google reviews logo "always met with a swift and professional response"
5 gold stars
desk with branded documents