Chrome security in limelight with Google OS plan

Google's approach to security in its Chrome Web browser will likely serve as a guide for its upcoming Chrome operating system.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.

The techniques Google uses to protect Chrome users from browser-based attacks have taken on new importance with the company's plan to make the software the centerpiece of a Netbook operating system.

Two weeks ago, Google announced plans for the open-source Chrome OS designed for people who spend most of their time on the Web. The Google Chrome operating system is a "natural extension" of the Chrome browser, Sundar Pichai, vice president of product management, and Linus Upson, engineering director, said in a blog post, with the browser running atop a Linux foundation.

Like the Chrome browser, the Chrome operating system will be built from the ground up with development focused on three key areas: speed, stability, and security. "We are going back to the basics and completely redesigning the underlying security architecture of the OS so that users don't have to deal with viruses, malware, and security updates," the post said.

Google representatives declined to elaborate on plans for the operating system, but it's highly likely it will align closely with what they have done with the browser, particularly given the fact that attacks on the browser now outnumber those targeting the underlying operating system. The number of new browser vulnerabilities has increased rapidly every year since 2003, and the number discovered in Web browser plug-ins has more than quadrupled, according to the National Vulnerability Database.

It's also notable that Google put features in its browser that are typically associated with operating systems.

"Google Chrome from day 1 had its own task manager, just like Windows did, showing memory consumption and CPU utilization. I said that's what an operating system has. It's a fairly clean translation," said Billy Hoffman, manager of Web Security Research Group at HP Software and Solutions.

Chrome OS, whose source code is due to be released publicly later this year as Google tries to enlist open-source programming allies, is likely to change the operating system landscape just like Chrome the browser did, prompting rivals to try to match or beat its features.

"The innovation (coming out) of the browser wars is bringing more and better security," Hoffman said. "The Chrome browser itself is fairly hardened, and we hope they move into more user protections like IE 8 and Firefox."

Chrome has several design features that optimize security: sandboxing, which restricts privileges of key parts of the browser so it's harder to co-opt them for mounting an attack, and multiprocess architecture, which stores Web sites and Web applications in separate areas of browser memory and isolates them from the rest of the computer.

Overall, security experts say Chrome shows that Google takes security seriously and its developers are willing to try new approaches to achieve it.

"Google has done a lot of innovation in terms of security in Chrome," said Matt Wood, a senior researcher in Hoffman's department at Hewlett-Packard.

Google added a Task Manager to its Chrome browser, spotlighting a design decision that parallels operating systems. Screenshot by Stephen Shankland/CNET

Starting from scratch
Being new to the browser game helped.

"By starting fresh, we had the option to do very innovative things we wouldn't have been able to do otherwise," said Ian Fette, the Chrome product manager specializing in security features.

What set Chrome apart when it launched in beta last September was that it splits the browser up into multiple parts. The browser kernel interacts with the operating system and handles only trusted code, storing things like bookmarks and cookies on the computer. Other main components, the rendering and JavaScript engines that figure out how to display Web pages and execute Web-based JavaScript programs, run with restricted privileges in a sandbox that limits access to the underlying system.

Chrome's initial line of defense is to check a site being visited against several anti-malware and anti-phishing blacklists that comprise Google's Safe Browsing service.

If some malware evades the Safe Browsing screen, it's likely to be blocked by Chrome's sandboxing technology. The sandbox runs an application in a restricted environment, isolating HTML rendering and JavaScript execution to prevent them from writing to the hard drive or registry or accessing files.

"The goal is to make it impossible for malware to install itself and access your data on your local computer," Fette said.

Chrome also restricts each browser tab to its own computing process. That further prevents malware from being downloaded or interacting with other Web pages that are open in other tabs.

Automatic updates
Another aspect of Chrome that security experts praise is the so-called "silent" auto update feature. New versions of the browser are automatically updated on computers in the background without the user taking any action.

Chrome checks for updates every five hours using the open-sourced Google Update software, code-named Omaha, which polls for updates even when the browser is not running. When a new update is available on the Google server, the client automatically downloads and installs it in the background without prompting the user. The new version of the software gets applied when the browser is restarted.

Given that more than 45 percent of Internet users don't use the latest Web browser version, according to Google research, it would seem that there is a huge need for this.

"Our philosophy is users shouldn't have to care," Fette said. "Everything should keep working for them."

When Chrome first launched in September it had two vulnerabilities that were exploitable. Google released patches for them within 24 hours, he said.

"End users don't know whether to refuse or accept software updates. Chrome just forces them on people," Hoffman said. "It's a good example of not letting users make poor security choices."

Nevertheless, some want the choice. For IT administrators who want to control software updates themselves, Google recently added options to let enterprises customize when and how they get Chrome updates, Fette said.

Chrome, which released its latest security patch this week, had 14 exploits last year based on statistics on the Milw0rm site, Wood said. However, comparing the number of exploits or patches for Chrome with those for Internet Explorer or Firefox is difficult because Chrome has far fewer users and thus is less targeted by attackers, he said.

Tricking the user
Chrome does a great job of protecting against exploits of vulnerabilities in which attackers sneak code through a hole in the browser to install malware or run code on the computer, experts said. However, it's not so good when it comes to protecting users against Web-based attacks like cross-site scripting, cross-site request forgery, SQL injections, and phishing, in which an attacker tricks users into doing something they didn't intend via the browser, they said.

"One thing Google needs to work on where they haven't really focused is on stuff like user security," said Wood.

Chrome lacks the plug-in support Firefox has to protect against malicious scripts hiding on Web sites. For instance, there is no Chrome equivalent to the NoScript Firefox plug-in that lets users choose which scripts on a site they want to run or block. But that is likely to change.

"We are in the middle of building out our own browser extension system so that something like NoScript could be done," Fette said. "For many people it's a noisy option. It asks a lot of questions and if you're not focused on security it could be hard to make it work."

Internet Explorer 8 offers a cross-site scripting defense mechanism that protects users against those types of attacks, Wood said.

Google is evaluating cross-site scripting protections, but, Fette said, "You have to make sure it's based on standards and won't break sites."

IE also lets users turn off JavaScript. Chrome doesn't, but it does sandbox JavaScript.

"If you turn off JavaScript you may turn off navigation on a bank site" or otherwise render a site unusable, Fette said. "It's not an option we feel is viable, so we don't offer it."

Two other popular exploit targets, Adobe Flash and Adobe Reader, are not sandboxed in Chrome because doing so caused problems with auto update or other features, he said. "Sandbox is not a panacea," Fette said.

The two-browser prescription
Jeremiah Grossman, chief technology officer and co-founder of WhiteHat Security, suggests that people use two different browsers for the safest experience: Chrome for "promiscuous Web surfing" and Firefox with the NoScript plug-in for important activities such as checking e-mail or online banking.

Asked to comment on that suggestion, Fette said that because each Chrome tab is a separate process the system has the same protection as using two different browsers.

Finally, Chrome should do a better job at password management, according to Wood. None of the other browsers does better, but Google should raise the bar, he said.

"There is no real security with password management. You can open it up and see all the passwords in clear text," he said. "A browser needs a good password manager. People can't remember all the passwords for all the sites on the Internet."

In response, Fette said someone with access to the computer already can do plenty of damage--for example installing a key logger to monitor what the user types.

"Chrome came out and lit a fire under Firefox and IE. It's driven a lot of innovation and a lot of that has been in security and general usability," said Wood. "We're moving toward a more secure browser. A lot of that has to do with getting people to understand about the threats that exist on the Web."