oselimo.blogg.se - Sandboxed web browser

It's ok to have performance penalties for exceptional cases when a sensitive resource needs to be touched once in a controlled manner. In this case the sandbox should impose near-zero performance impact.

Be nimble: Non-malicious code does not try to access resources it cannot obtain.

In practice, it could happen as soon as the first external input is accepted, or right before the main loop is entered.

Assume sandboxed code is malicious code: For threat-modeling purposes, we consider the sandbox compromised (that is, running malicious code) once the execution path reaches past a few early calls in the main() function.

In other words, the sandbox should work even if the user cannot elevate to super-user.

Principle of least privilege: This should be applied both to the sandboxed code and to the code that controls the sandbox.

On the other hand, it is OK to create application-level objects (abstractions) that have a custom security model. Let the operating system apply its security to the objects it controls.

Do not re-invent the wheel: It is tempting to extend the OS kernel with a better security model.

A description of what the sandbox does and doesn’t protect against may also be found in the FAQ.

If you don‘t feel like reading this whole document you can read the Sandbox FAQ instead. The Linux implementation is described here, the OSX implementation here. This document covers the Windows implementation as well as the general design.

The architecture and exact assurances that the sandbox provides are dependent on the operating system. Sandbox leverages the OS-provided security to allow code execution that cannot make persistent changes to the computer or access information that is confidential. The sandbox objective is to provide hard guarantees about what ultimately a piece of code can or cannot do no matter what its inputs are. For a codebase as large and diverse as Chromium, reasoning about the combined behavior of all its parts is nearly impossible. The key to security is understanding: we can only truly secure a system if we fully understand its behaviors with respect to the combination of all possible inputs in all possible states. Security is one of the most important goals for Chromium.