Linked by Thom Holwerda on Fri 28th Jul 2017 19:44 UTC
Google

In the last year while talking to respected security-focused engineers & developers, I've come to fully appreciate Google's Chrome OS design. The architecture benefited from a modern view of threat modeling and real-world attacks. For example, Trusted Platform Module (TPM) hardware chips are built into every Chromebook and deeply incorporated into the OS. The design documents go into some detail on the specific protections that TPM provides, particularly around critical encryption functions.

I also learned that Chromebook is the daily driver for many of Google's own senior developers and security engineers. In short, the combination of the underlying Chromebook hardware with the OS architecture makes for a pretty compelling secure development environment.

[...]

It's pretty neat to consider the possibility of pre-travel "power washing" (resetting everything clean to factory settings) on an inexpensive Chromebook and later securely restore over the air once at my destination. Since there is a wide range in Chromebook prices, the engineering challenge here was to find something powerful enough to comfortably use exclusively for several days of coding, writing, and presenting, but also cheap enough that should it get lost/stolen/damaged, I wouldn't lose too much sleep. The threat model here does not include recovery from physical tampering; if the machine were somehow confiscated or otherwise out of my custody, I could treat it as a burner and move on.

Interesting guide on how to turn an inexpensive Chromebook into a burner developer device safe for international travel.

Thread beginning with comment 647267
RE[2]: Practical tutorial
by BlueofRainbow on Sat 29th Jul 2017 14:31 UTC in reply to "RE: Practical tutorial"
BlueofRainbow Member since:
2009-01-06

Alfman:

Good points.

With respect to a "rental chromebook", and from the renter's point of view, how the security model would be different than for the chromebooks currently in schools and shared by the students?

From the user's view point, any interchange of information over the cloud/network could potentially be intercepted and un-encrypted. And, unless there are back-doors in Chrome OS, the risk of the operating system having been tampered with should be low.

Rental units could have a hardware "wipe" button. A security conscious user would engage this hardware wipe after receiving the unit and before returning it. The rental company would have, in theory, protocols for doing the same.

Another approach might be the possibility to purchase "travel chromebooks" in the secure area of an airport. This would allow use during the outgoing flight and at the destination. However, what to do with the unit for the return trip without being wasteful?

As for wifi interruptions, Chrome OS could conceivably implement a local work space with automatic synchronization to the cloud whenever in range of a wifi connection with sufficient bandwidth to have a high probability of doing it properly.

Reply Parent Score: 2

RE[3]: Practical tutorial
by Alfman on Sat 29th Jul 2017 19:15 in reply to "RE[2]: Practical tutorial"
Alfman Member since:
2011-01-28

BlueofRainbow,

> With respect to a "rental chromebook", and from the renter's point of view, how the security model would be different than for the chromebooks currently in schools and shared by the students?


I'm not really familiar with this. As I understand it some schools buy a laptop for each student and don't share them, but in other places they are shared. I don't even know how or if they ever get wiped clean, or inspected for hardware bugs (I very much doubt the schools would have the resources to do this, it seems far fetched, but nevertheless within the means of a mischievous student, haha).


> From the user's view point, any interchange of information over the cloud/network could potentially be intercepted and un-encrypted. And, unless there are back-doors in Chrome OS, the risk of the operating system having been tampered with should be low.


Well, IMHO the main problem is keyloggers and convincing users to disclose their credentials (id/pin/password/fingerprints/etc) such that they could then be impersonated elsewhere.

We're thinking mainly about students here, but just think how a school employee or even administrator (or flight attendant, etc) could be fooled into compromising their own accounts with a convincing login form and clever social engineering on a "rental" device.


> Rental units could have a hardware "wipe" button. A security conscious user would engage this hardware wipe after receiving the unit and before returning it. The rental company would have, in theory, protocols for doing the same.


It's not a bad idea to wipe the devices back to a known state, I wonder how long this would take.

As a tangent: Cloning is sometimes discouraged on SSDs because it consumes the limited number of P/E cycles, and NAND wear leveling is of limited effectiveness in this use case. If the wipes are going to be done on a routine basis, some kind of "rsync" might be better, but care would need to be taken with things like immutable files that might survive through the "wipe".



> Another approach might be the possibility to purchase "travel chromebooks" in the secure area of an airport. This would allow use during the outgoing flight and at the destination. However, what to do with the unit for the return trip without being wasteful?


You know, this would be impractical for most owners, but at the airport they could actually X-ray the devices and compare the before/after images to see that no bugs were planted. Ideally this could all be done automatically by the TSA's existing equipment (although bureaucracy would surely get in the way).


Still, in general I feel the question shouldn't be if it can be compromised, but how expensive it would be to do so. No system can guarantee absolute security. A sophisticated attacker could de-solder the chips and replace/reprogram them with compromised chips, which might not show up on an X-ray. Obviously we're not talking about "script kiddies" here, but I think we need to concede we can't have absolute security.


> As for wifi interruptions, Chrome OS could conceivably implement a local work space with automatic synchronization to the cloud whenever in range of a wifi connection with sufficient bandwidth to have a high probability of doing it properly.


Yeah, I think that's what JetBlue had in mind when they redirected us to an Amazon portal (I'm sure JetBlue gets paid by Amazon). If they had a chromebook loaner program they might do something similar with Google.

Reply Parent Score: 2
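The rsync-style reset Alfman sketches above, with his immutable-file caveat, as an added example that is not part of this thread, of Chrome OS, or of the linked tutorial. It works at file level only (a Chrome OS powerwash resets whole partitions under verified boot, which this does not model): hash every file under a golden tree, find drift on the returned unit (modified, missing, planted files and symlinks), put it back, and report what it could not fix rather than skipping it silently. Everything in `demo()` is constructed: the paths, the planted files, and a read-only directory that stands in for an immutable (`chattr +i`) file, since setting the real attribute needs root and an ext filesystem.

```python
from __future__ import annotations

import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root: Path) -> dict[str, str]:
    """Relative POSIX path -> SHA-256 for regular files, 'symlink:<target>' for
    symlinks. Links are never followed, so a planted link cannot pull content
    from outside the tree into the comparison. Empty dirs are not tracked."""
    state: dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        base = Path(dirpath)
        for name in dirnames + filenames:
            p = base / name
            rel = p.relative_to(root).as_posix()
            if p.is_symlink():
                state[rel] = "symlink:" + os.readlink(p)
            elif p.is_file():
                state[rel] = sha256_of(p)
    return state


def verify(target: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Drift of target relative to the golden manifest."""
    current = scan(target)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "extra": sorted(k for k in current if k not in manifest),
    }


def _remove(p: Path) -> None:
    if p.is_symlink() or p.is_file():
        p.unlink()
    elif p.is_dir():
        shutil.rmtree(p)


def restore(golden: Path, target: Path, manifest: dict[str, str]) -> dict:
    """Bring target back to golden. Extras go FIRST so a planted symlinked
    directory cannot redirect the files restored afterwards. Anything that
    cannot be deleted or overwritten (immutable attribute, permissions) is
    reported as a survivor; a second scan re-checks instead of trusting the
    first pass."""
    before = verify(target, manifest)
    survivors: list[str] = []
    for rel in before["extra"]:
        try:
            _remove(target / rel)
        except OSError:
            survivors.append(rel)
    for rel in before["modified"] + before["missing"]:
        src, dst = golden / rel, target / rel
        try:
            dst.parent.mkdir(parents=True, exist_ok=True)
            _remove(dst)
            if src.is_symlink():
                os.symlink(os.readlink(src), dst)
            else:
                shutil.copy2(src, dst)
        except OSError:
            survivors.append(rel)
    after = verify(target, manifest)
    drift = set(after["modified"]) | set(after["missing"]) | set(after["extra"])
    return {"before": before, "after": after, "survivors": sorted(set(survivors) | drift)}


def demo() -> dict:
    """Constructed golden image and a 'returned' unit with planted drift."""
    tmp = Path(tempfile.mkdtemp(prefix="burner-"))
    try:
        golden, target = tmp / "golden", tmp / "target"
        for root in (golden, target):
            (root / "bin").mkdir(parents=True)
            (root / "etc").mkdir()
            (root / "bin" / "tool").write_text("#!/bin/sh\necho golden tool\n")
            (root / "etc" / "config").write_text("telemetry=off\n")
        manifest = scan(golden)
        (target / "etc" / "config").write_text("telemetry=on\n")   # modified
        (target / "bin" / "tool").unlink()                            # missing
        (target / "etc" / ".keylogger").write_text("planted\n")       # extra file
        os.symlink("/etc/passwd", target / "etc" / "link")            # extra symlink
        locked = target / "locked"
        locked.mkdir()
        (locked / "persist").write_text("survives?\n")
        os.chmod(locked, 0o555)  # stand-in for chattr +i: unlink fails unless root
        return restore(golden, target, manifest)
    finally:
        locked = tmp / "target" / "locked"
        if locked.is_dir():
            os.chmod(locked, 0o755)
        shutil.rmtree(tmp, ignore_errors=True)
```

Running `demo()` as an unprivileged user leaves `locked/persist` in `survivors`, which is the point: a wipe that cannot remove something must say so, because that is exactly the file a prior renter would want to leave behind. As root the same file is simply deleted and the survivor list is empty.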

RE[4]: Practical tutorial
by BlueofRainbow on Sat 29th Jul 2017 21:15 in reply to "RE[3]: Practical tutorial"
BlueofRainbow Member since:
2009-01-06

Alfman:

In its normal (user) mode, a chromebook has a multi-layered self-consistency check on boot. Under such a security umbrella, it would be quite difficult for a keylogger to insert itself into the user interface.

As for social engineering of hooks to get users to disclose their credentials, user awareness and education have been, and will remain, the prime line of defense.

There used to be white-hat hacker contests to break into various operating systems. Was there ever one involving chromebooks as the target? Should there be one?

Low cost chromebooks have plastic shells for a designed life expectancy of maybe three years in the hands of an owner-user. Renter-users tend to be not so gentle with what they rent, and there is a high probability that the life expectancy of a rental chromebook would be at most one year. Physical end-of-life is likely to occur much earlier than wear-exhaustion of the flash chips.

One thing I was forgetting. So far Chrome OS has been relatively unfriendly regarding multi-language capabilities. Smooth switching from a base language (most likely English) to another one would be required for a chromebook rental scheme to even be practical for international flights.

Implementation details of any rental scheme would be most crucial for the concept to be viable.

Reply Parent Score: 2