November 24, 2009, 2:33 PM — Google's Chrome OS has many virtues. Based on a solid foundation of Ubuntu Linux, it uses the Chrome Web browser as its interface to any and all applications. Chrome OS is also not so much a Windows replacement, as it's an attempt to get rid of the entire traditional idea of a PC desktop. If Google is successful with this, one big reason will be its vastly improved security.
Before I go into why Chrome OS will be much more secure than Windows, I have to point out that Google has one big, honking huge security problem to fix first: it's reliance on the fatally flawed login/password model. If they can beat that problem, then Chrome is likely to be most secure 'desktop' operating system we'll have ever seen. Here's why.
First, Google accepts that it's impossible to make an absolutely secure operating system. They use a phrase to describe this design philosophy that I think every developer should have tattooed on their hands: "The perfect is the enemy of the good." In other words, Google won't waste its time on trying to find some perfect system that only exists in fantasy. Instead, Google is spending time on making the best practical security system. This is how it plays out.
1. Harden the operating system
Chrome developers are using a variety of Linux security techniques to minimize how much system access any given program will have and to reduce the number of exposed attack surfaces. In addition, Chrome OS is adopting a defense in depth (PDF Link) approach. The core idea here is that you use multiple layers of security so even if someone breaks in at one point, they're faced with yet another security barrier.
Google is using multiple methods to harden Chrome, but I'm going to glance at just two here. One, namespaces (PDF Link) is rather old. The other, cgroups (Control Groups), is quite new, but the pair have similar goals. In each, the idea is to isolate a hierarchical collection of tasks, cgroups, or a set of processes, and process trees, namespaces, from unlimited access to the system.
So, using both techniques, when an application runs on Chrome its processes gets only as much access to the operating system as it needs to do its job. If the program doesn't need say to use the local file system, then it won't be able to read or write to files. You get the idea, by strictly limiting, what any given application can do to the over-all system that makes it that much harder for even a successful attack on a program to do much harm to the computer, the operating system, or other programs.
2. Sandboxing the operating system
All of the above makes it easier for Google to create an operating system where as many processes and operations as possible are 'sandboxed' from each other. Sandboxing is a common security technique and you often see it used in Web applets and the like. With Chrome, Google takes sandboxing to a new level.
For example, in future versions of Chrome OS say you have two Web pages up. One is a secured Web page that uses SSL (secure socket layer) to secure its Internet connection and the other is an ordinary Web page. On other operating systems you use the same TCP/IP network stack to access both of them. Not on Chrome OS you won't. Instead, each gets its own separate stack. So, even if a successful attack is made on the plain-Jane network stack, nothing happens to the secured link.
This is in stark contrast with Windows where application and process interoperability trumps security every time. Chrome OS will have program interoperability. Instead of doing it as Windows does at a low level, Chrome OS relies on mid-level IPC (interprocess communication) mechanisms), such as D-Bus and ICCCM (Inter-Client Communication Conventions Manual) and on higher, application level mechanisms such as those provided by HTML 5 for safer application and process interoperability.
3. Locking down the file systems
OpenBSD is generally regarded as the most secure general purpose operating system out of the box. Chrome OS will give it a run for its money though when it comes to file systems. In Chrome OS, everything that can be locked down in the file system is locked down.
Like what? For starters, the root partition, where software lives on Linux systems, is read-only. You can't add a program to it even if you tried. Oh, and your home directory? Where you keep your files and settings? You can't put executable files or device drivers there either. When Google said that all Chrome OS applications would be Web applications, they weren't kidding.
Oh, and if something is wrong with the data from a Web application? The plan is to minimize the damage from poisoned data by restricting data from each Web domain to its own local storage and then controlling access to that data at a process level. Here again we see the idea of sandboxing to prevent attacks from spreading making its appearance.
4. Secured, automatic updates
An eternal problem with most operating systems is that if a user doesn't choose to update the system, they're vulnerable to the very next attack to come down the road. Or, even more annoying, you can be stuck patching and patching again until the vendor gets it right.
With Chrome OS that's not a problem. You turn on your computer and it gets the newest patches. Something goes wrong with your computer? The entire operating system is replaced with the latest patches included. A new zero-day exploit comes out? Chrome OS auto-updates to fix it as soon as possible rather than waiting for the next monthly Patch Tuesday.
5. Verified boot
Do you know if your computer is secure when you boot it up? Probably not. But, you will with Chrome OS. Every time you start a Chrome OS based device, it will check first its firmware and then start checking its core programs for unauthorized changes as you start using the system. If it finds any, it will tell you about a potential security problem and how to restore the system to a new, good version of the operating system.
No fuss, no muss, and from what I can see of the design it looks like it will also put a real road-block even in the way of a cracker who had stolen your device and is trying to break into it.
All-in-all, Google Chrome OS security is outstanding... once you get pass that login/password problem. If Google can come up with a fix for that, then we may well be looking at the more secure desktop operating system that's ever showed up.
