Google has put up a very interesting document explaining the security features underlying its Chrome OS. The document also details the underlying guiding principles of Chrome OS’ security features.
Chrome OS comes with a number of security features which we’ve already addressed in our item on the launch of Google’s new operating system. In short, it comes down to process isolation, secure auto-update, verified boot, encryption, and more. Google’s goal was to make the system practically secure and easy to use. In order to achieve this goal, the team followed four guiding principles.
The perfect is the enemy of the good – According to Google, no security solution can ever be perfect. There will always be unanticipated problems, for instance due to unexpected interactions of complex systems or because of bugs that weren’t caught during testing. Google states that the “search for some mythical perfect system [should not] stop [Google] from shipping something that is still very good”.
Deploy defenses in depth – As a consequence of the first guideline, Chrome OS will employ several different lines of defence. Chrome OS will make it hard for attackers to get into the system, but Google still assumes they will. As such, the next line of defence will make it very hard for attackers to turn a user account exploit into a root or kernel exploit. As a last line of defence, Chrome OS will make it hard for attackers to remain on the system by preventing them from adding services or accounts to the system, and by making it impossible to re-compromise the system after a reboot.
Make it secure by default – Google states that security is not an option, nor is it an advanced feature. “Until now, the security community has had to deploy solutions that cope with arbitrary software running on users’ machines,” Google claims. “As a result, these solutions have often cost the user in terms of system performance or ease-of-use.” Google explains that because they know which software should be running on a Chrome OS device, they can better keep the system safe.
Don’t scapegoat our users – This is one that I particularly like. Google states that the web is a complicated system of complex overlapping standards, and that it is no surprise that users have trouble keeping their machine safe while using it. Google clearly states that this is not the user’s fault. “We’re working to figure out the right signals to send our users, so that we can keep them informed, ask fewer questions, require them to make decisions only about things they comprehend, and be sure that we fail-safe if they don’t understand a choice and just want to click and make it go away,” the company says.
The document further explains in more detail which security measures Chrome OS uses to “implement”, if you will, these guidelines. At the OS level, Chrome OS will have process sandboxing, toolchain hardening (NX, ASLR, stack cookies, etc.), kernel hardening and configuration paring, and additional file system restrictions (read-only root partition, tmpfs-based /tmp, and limited home directories). In the future, Google will also explore things like driver sandboxing.
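As an added illustration (not code from Google's document or from Chrome OS), the following POSIX shell audit checks a mount table in /proc/mounts format and the kernel's ASLR setting against the read-only root, tmpfs-backed /tmp and ASLR hardening listed above; both sample mount tables are constructed.

```shell
#!/bin/sh
# Audit helpers for the file-system and toolchain hardening named in the article.
# Inputs are passed as text so the checks run against a captured /proc/mounts
# as well as the live one.

# has_mount_opt TABLE MOUNTPOINT OPTION
# Succeeds when MOUNTPOINT appears in TABLE (/proc/mounts format) with OPTION
# among its comma-separated mount options (field 4).
has_mount_opt() {
    printf '%s\n' "$1" | awk -v mp="$2" -v opt="$3" '
        $2 == mp { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == opt) found = 1 }
        END { exit found ? 0 : 1 }'
}

# fs_type_is TABLE MOUNTPOINT FSTYPE: succeeds when MOUNTPOINT is of FSTYPE (field 3).
fs_type_is() {
    printf '%s\n' "$1" | awk -v mp="$2" -v t="$3" '
        $2 == mp && $3 == t { found = 1 } END { exit found ? 0 : 1 }'
}

# Read-only root partition.
root_is_readonly() { has_mount_opt "$1" / ro; }

# tmpfs-backed /tmp; additionally require noexec so dropped files cannot run from it.
tmp_is_tmpfs() { fs_type_is "$1" /tmp tmpfs && has_mount_opt "$1" /tmp noexec; }

# kernel.randomize_va_space must be 2 (stack, mmap and brk all randomised).
aslr_enabled() { [ "$1" -eq 2 ] 2>/dev/null; }

# Constructed mount table resembling the layout the article describes.
SAMPLE_MOUNTS='/dev/sda3 / ext2 ro,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sda1 /home ext4 rw,nosuid,nodev 0 0'

# Constructed table for a conventional desktop install, for contrast.
LAX_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda1 /tmp ext4 rw,relatime 0 0'

audit() {
    root_is_readonly "$1" && echo "root: read-only" || echo "root: WRITABLE"
    tmp_is_tmpfs "$1" && echo "/tmp: tmpfs,noexec" || echo "/tmp: not tmpfs/noexec"
}

# On a live system pass "$(cat /proc/mounts)" and "$(cat /proc/sys/kernel/randomize_va_space)".
audit "$SAMPLE_MOUNTS"
audit "$LAX_MOUNTS"
```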
Chrome OS will also be secured at higher levels: the Chromium browser, and the web applications themselves, will receive the same secure treatment. The auto-update process will be hardened too, as this is obviously a very likely attack surface. Updates will be signed and delivered over SSL, and the integrity of each update is verified on the subsequent boot using the verified boot technology.
This is just a selection of the things the Chrome OS team is working on, and the document itself contains links to more detailed documents about security in Google’s operating system. Quite the interesting read.