Inside The Google Chrome OS Security Model

Google plans to use a combination of system hardening, process isolation, verified boot, secure auto-update and encryption to thwart malicious hackers from planting malware on its new Google Chrome OS.

Google plans to use a combination of system hardening, process isolation, verified boot, secure auto-update and encryption to thwart malicious hackers from planting malware on its new Google Chrome OS.

Much like the Google Chrome browser, the operating system will use process sandboxing as the key weapon in a series of anti-exploitation mitigations and attack surface reduction techniques.  The end goal is to recover from a successful attack by simply applying an update and rebooting the infected machine.

The operating system borrows much of its security posture from the Chrome browser and, at first glance, resembles the security model used by Apple to secure its iPhone device.

“It’s like the iPhone for your netbook. It will be very tough to break into,” said one prominent security researcher who read the document.

Here’s how Google plans to harden the OS to reduce the likelihood of successful attack and reduces the usefulness of successful user-level exploits.

  • Process sandboxing
    • Mandatory access control implementation that limits resource, process, and kernel interactions
    • Control group device filtering and resource abuse constraint
    • Chrooting and process namespacing for reducing resource and cross-process attack surfaces
    • Media device interposition to reduce direct kernel interface access from Chromium browser and plugin processes
  • Toolchain hardening to limit exploit reliability and success
    • NX, ASLR, stack cookies, etc
  • Kernel hardening and configuration paring
  • Additional file system restrictions
    • Read-only root partition
    • tmpfs-based /tmp
    • User home directories that can’t have executables, privileged executables, or device nodes
  • Longer term, additional system enhancements will be pursued, like driver sandboxing

In the short term, Google Chromium OS will look to thwart an “opportunistic adversary” who is attempting to compromise an individual user’s machine and/or data.

On the Web side, Google Chrome OS will use a modular browser with sandboxing and process isolation to limit malware attacks:

  • Phishing, XSS, and other web-based exploits are no more of an issue for Chromium OS systems than they are for Chromium browsers on other platforms.  The only JavaScript APIs used in web applications on Chromium OS devices will be the same HTML5 and Open Web Platform APIs that are being deployed in Chromium browsers everywhere.  As the browser goes, so will we.

The new OS will also be fitted with a secure auto-update system:

  • Signed updates are downloaded over SSL.
  • Version numbers of updates can’t go backwards.
  • The integrity of each update is verified on subsequent boot, using our Verified Boot process, described below.

On the data protection front, Google says users shouldn’t need to worry about the privacy of their data if they forget their device in a coffee shop or share it with their family members.  This will be done by ensuring the data is unreadable except when it is in use by its rightful owner.

Here’s how that will work:

  • Each user has his own encrypted store.
  • All user data stored by the operating system, browser, and any plugins are encrypted.
  • Users cannot access each other’s data on a shared device.
  • The system does not protect against attacks while a user is logged in.
  • The system will attempt to protect against memory extraction (cold boot) attacks when additional hardware support arrives.
  • The system does not protect against root file system tampering by a dedicated attacker (verified boot helps there).

SEE: Google Chromium security review.

Suggested articles