Google has put up a very interesting document explaining the security features underlying its Chrome OS. The document also details the underlying guiding principles of Chrome OS’ security features.
Chrome OS comes with a number of security features which we’ve already addressed in our item on the launch of Google’s new operating system. In short, it comes down to process isolation, secure auto-update, verified boot, encryption, and more. Google’s goal was to make the system practically secure and easy to use. In order to achieve this goal, the team followed four guiding principles.
The perfect is the enemy of the good – According to Google, no security solution can ever be perfect. There will always be unanticipated problems, for instance due to unexpected interactions of complex systems or because of bugs that weren’t caught during testing. Google states that the “search for some mythical perfect system [should not] stop [Google] from shipping something that is still very good”.
Deploy defenses in depth – As a consequence of the first guideline, Chrome OS will employ several different lines of defence. Chrome OS will make it hard for attackers to get into the system, but Google still assumes they will. As such, the next line of defence will make it very hard for attackers to turn a user account exploit into a root or kernel exploit. As a last line of defence, Chrome OS will make it hard for attackers to remain on the system by preventing them from adding services or accounts to the system, and by making it impossible to re-compromise the system after a reboot.
Make it secure by default – Google states that security is not an option, nor is it an advanced feature. “Until now, the security community has had to deploy solutions that cope with arbitrary software running on users’ machines,” Google claims, “As a result, these solutions have often cost the user in terms of system performance or ease-of-use.” Google explains that because they know which software should be running on a Chrome OS device, they can better keep the system safe.
Don’t scapegoat our users – This is one that I particularly like. Google states that the web is a complicated system of complex overlapping standards, and that it is no surprise that users have trouble keeping their machine safe while using it. Google clearly states that this is not the user’s fault. “We’re working to figure out the right signals to send our users, so that we can keep them informed, ask fewer questions, require them to make decisions only about things they comprehend, and be sure that we fail-safe if they don’t understand a choice and just want to click and make it go away,” the company says.
The document further explains in more detail which security measures Chrome OS uses to, if you will, “implement” these guidelines. At the OS level, Chrome OS will have process sandboxing, toolchain hardening (NX, ASLR, stack cookies, etc.), kernel hardening and configuration paring, and additional file system restrictions (read-only root partition, tmpfs-based /tmp, and limited home directories). In the future, Google will also explore things like driver sandboxing.
Chrome OS will also be secured at higher levels: the Chromium browser itself, and the web applications running in it, will receive the same treatment. The auto-update process will be hardened too, as it is obviously a very likely attack surface. Updates will be signed over SSL, and the integrity of each update is verified on the subsequent boot using the verified boot technology.
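To make the signed-update and verified-boot flow concrete, here is a small simulation added for this article; it is not code from Google's document or from Chrome OS. It assumes an HMAC with a shared key in place of the public-key signature a real firmware-rooted verified boot would check, and it treats the "disk" as a dictionary, both purely for a self-contained, offline run.

```python
"""Constructed model of signed updates that are re-verified at every boot.

Not Chrome OS code. A real verified-boot chain uses public-key signatures
checked by read-only firmware; an HMAC with a shared key stands in for the
signature here so the example runs on the standard library alone.
"""
import hashlib
import hmac

ROOT_KEY = b"constructed-demo-signing-key"   # stands in for the vendor's signing key


def sign_image(image, key):
    """Produce the manifest shipped with an update: image digest plus its tag."""
    digest = hashlib.sha256(image).hexdigest()
    tag = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
    return {"sha256": digest, "sig": tag}


def verify_image(image, manifest, key):
    """Check the manifest tag first, then that the image matches the digest."""
    expected = hmac.new(key, manifest["sha256"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["sig"]):
        return False, "bad signature"          # forged or unsigned manifest
    if hashlib.sha256(image).hexdigest() != manifest["sha256"]:
        return False, "hash mismatch"          # image altered after signing
    return True, "ok"


def apply_update(disk, image, manifest, key):
    """Install only a correctly signed image; keep the current root otherwise."""
    ok, _ = verify_image(image, manifest, key)
    if ok:
        disk["root"], disk["manifest"] = image, manifest
    return ok


def boot(disk, key):
    """Re-verify the root partition on every boot; refuse to boot on failure.

    This is the 'last line of defence' from the article: a change written to
    the root partition after a compromise does not survive the next boot.
    """
    return verify_image(disk["root"], disk["manifest"], key)
```

The boot check is what stops a modified root partition from re-compromising the system after a reboot, and the install check is what stops an unsigned image from being written in the first place.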
This is just a selection of the things the Chrome OS team is working on, and the document itself contains links to more detailed documents about security in Google’s operating system. Quite the interesting read.
So when does SRWare release Iron OS? Okay I am kidding about that…
Personally I would rather see Google contribute out in the open, with paid developers/engineers not just GSoC, to an already established OS, for instance by improving Haiku with security and better hardware acceleration support via gallium3d. As far as that goes Google could maintain a fork of Haiku similar to how Apple does with webkit for safari.
Google has no business interest in conventional OS development. Chrome OS is an engine for running a browser. I’ve pointed this out before, and it doesn’t seem to be a very popular opinion, but all Google wants in the end is a shim to put a browser on top of some hardware – the OS is the shim, and that is all it needs to be.
The fact that it has started out as essentially equivalent to a full Linux distribution is just for convenience to get the ball rolling. It won’t be long before it gets whittled down to the bare minimum needed to run Chrome and that’s about it. The point is that Google’s goals do not at all coincide with Haiku’s or even the goals of Linux for that matter – they are only interested in the OS to the point of enabling them to run their browser on as little hardware as possible.
That’s not to say they couldn’t for instance use Haiku (instead of Linux) as their “OS” for running Chrome. Hell, that might even be a good idea. But would the Haiku project benefit much from that? To put it bluntly, their notion of security is to make the OS a black box that the user cannot alter – that isn’t of much use if you actually intend to let users run anything native on it…
It’s completely open source. As such, your statement is rather incorrect, as anyone will be able to run whatever he wants on Chrome OS – you’ll just need the proper skills.
Calling it a black box makes it seem as if it is closed source – which it isn’t.
I’m willing to bet that chances are pretty good that Google’s hardware partners may “Tivo” the heck out of the hardware devices that run it. Especially if it’s subsidized by 3G internet providers that are getting a share of the ad revenue. So it may be open source, but it might be non-changeable on your hardware. Jail breaking (if it proves to be necessary) is going to be a bitch, with all of the security set up.
The fact that it is open source isn’t really relevant to my point. Someone else beat me to the Tivo analogy, but it’s a good one. Actually I expect the official hardware will probably be harder to hack than a Tivo, custom BIOS and all that. Come to think of it, is the BIOS work they are doing actually open source? I have heard nothing to that effect myself.
Anyways, you could probably run a fork of Chrome OS on your own (not blessed by Google) hardware… It may even be a useful thing to do. But that doesn’t change the fact that Google doesn’t much care about the capabilities of the underlying OS beyond their own purposes – they are not going to roll changes into Chrome OS that involve running user binaries or adding features that do not meet their internal needs. People should really take them at their word when they say it is for running web apps – that is ALL it is for.
So yes, Chromium OS may end up being useful to the community at large (although I doubt it), but Chrome OS never will be. This is much the same as Chromium vs Chrome (browsers) now – there are a lot of features in the multitude of community builds of Chromium that have not and will never find their way into Chrome itself.
Although I have doubts about what Google will do with all the data trusted to its cloud, I welcome Google’s efforts to create a more secure computing environment. The weakest point of Chrome OS in my opinion is the Google account authentication. It’s unfortunate that Google has not yet made two-factor authentication available. That would improve the security of Google accounts significantly.
So they sit down and make an OS that does nothing but show you a full screen browser, and stores absolutely no user data locally, and then brag about how secure the OS is. There’s nothing to crack or hack on the damned PC, so who cares how secure it is.
What matters is how secure the web services you are using are.
All somebody has to do to hack into your google account and compromise all your data is throw up a web page that looks like the Chrome OS login and hope you aren’t all that savvy, or aren’t paying attention. And guess what – it will work, no matter how damned secure the OS that launched the browser is.
Microsoft said this about Windows 98.
We really care, just for the sake of how the attacks will be oriented. Moving the attacks from the OS to a higher level like a web page, which supposedly will be easier to test. Also Google has the know-how to use a blacklist/whitelist just to block most of those attempts. Or at least I just hope they will!
Sure, they can use a blacklist, but that is an inherently reactionary approach. They can’t blacklist what they don’t know, and the odds are they won’t know until a user has been tricked.
That certainly hasn’t stopped Norton and McAfee from becoming insanely popular. Perhaps they’d be willing to sell a monthly subscription service to a proxy that would protect you from all that bad stuff. As everyone knows, studies show that malware exists for Chromium OS. And once it becomes as popular as Microsoft Windows, its security problems will be just as bad.
Don’t allow your family to fall victim to such online identity theft, leaving you, your wife, and your children destitute and on the street. Purchase your subscription now at this special monthly rate.
Using HTTPS instead of plain HTTP should help to avoid man-in-the-middle attacks. As far as I know all Google services support HTTPS.
Does Google Caja (javascript capabilities) fit anywhere in this scheme? I’d really like to see a capability-based security model.
Google Caja : http://code.google.com/p/google-caja/
On the other hand, as someone who opens Synaptic and other privileged GUI apps in a dedicated X session for the sake of security, I like the fact they took this possibility into account: “Full-screen mode in some plugins could allow an attacker to mock out the entire user experience of a Chromium OS device. We are investigating a variety of mitigation strategies in this space.”
Edit: link
By C. Scott Ananian, who was a developer at OLPC for the XO-1, and now similarly for the Litl Webbook (a device for which Google Chrome OS is a competitor, already on the market).
http://cananian.livejournal.com/59091.html
I like what Google is offering here. We all know that eventually Google is going to target the desktop market as well. Google has maybe the best browser and they are going to take advantage of it. Plain and simple.
-2501