Google Chrome's security


gkweb
August 13th, 2009, 12:52 PM
Hello,

After having read various articles and forums, I couldn't find the information I was looking for about Google Chrome 2 security details, and how it stands against IE Protected Mode. I finally found the following article:

http://www.infoworld.com/t/applications/test-center-how-secure-google-chrome-443

-{ Quote: "
The security model Chrome follows is excellent. Chrome separates the main browser program, called the browser kernel, from the rendering processes, which are based upon the open source WebKit engine, also used by Apple's Safari. The browser kernel starts with all privileges removed, the null SID (a security identifier in Windows Vista that denotes the user as untrusted), and multiple "restrict" and "deny" SIDs enabled. On Windows Vista, Chrome runs as a medium-integrity process versus Internet Explorer's low integrity.
" }-

-{ Quote: "
On Windows Vista, Chrome's rendering processes run with low integrity, much like Internet Explorer in Protected Mode. But Chrome actually uses Vista's mandatory integrity controls more securely than Microsoft does. For one, Google attempts to prevent low-integrity browser processes from reading high-integrity resources, which is not normally prevented. (By default, Vista prevents lower to higher modifications, but not reads.)

Both the browser kernel and rendering processes run with DEP (Data Execution Prevention) and ASLR (Address Space Layout Representation) enabled, and with virtualization disabled
" }-

To sum it up, Google Chrome:
- starts with an "untrusted" SID
- rendering processes run with a low-integrity level on Vista
- runs with DEP enabled
- runs with ASLR enabled on Vista
- cannot "access/read" higher integrity processes on Vista

Google Chrome runs in a better "Protected Mode" than IE, and has DEP and ASLR enabled. These points are rarely pointed out.

However, there are also drawbacks that have been discussed so many times: privacy concerns, poor password management (no master password), forced updates, no "NoScript"-like options, basic cookie management, etc. To add a quick note, Firefox 3.5 also runs with DEP and ASLR enabled, but not with a low-integrity level (no protected mode).

In the end I'm not for, or against this browser, I just find these details interesting. Sorry if it has been posted and that I missed it.

Regards,
gkweb.
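The integrity rule behind the quoted article's points, as an added example that is not part of the original post and not Chrome's or Windows' code: a small Python model of the Windows mandatory integrity control (MIC) check. The level values and policy flag names follow the Windows SDK constants; the three-bit access mask and the `renderer_reach` scenario (a low-integrity renderer touching a medium-integrity object such as a file in the user's profile) are simplifications assumed here for illustration.

```python
"""Model of the Windows mandatory integrity control (MIC) check.

Added example, not code from Chrome or Windows. It models the rule the
quoted article relies on: a subject of lower integrity than an object is
denied only the access kinds that the object's mandatory label policy
blocks. The default label carries NO_WRITE_UP alone, so "write up" is
denied but "read up" is allowed; the article's point is that Chrome's
renderer sandbox also closes the read path, modelled here as NO_READ_UP.
"""
from enum import IntEnum, IntFlag


class Integrity(IntEnum):
    """Mandatory integrity level RIDs (SECURITY_MANDATORY_*_RID)."""
    UNTRUSTED = 0x0000   # level of the "null" label S-1-16-0
    LOW = 0x1000
    MEDIUM = 0x2000
    HIGH = 0x3000
    SYSTEM = 0x4000


class Access(IntFlag):
    """Simplified request mask (assumption: real generic masks are richer)."""
    READ = 1
    WRITE = 2
    EXECUTE = 4


class Policy(IntFlag):
    """Mandatory label policy bits (SYSTEM_MANDATORY_LABEL_*)."""
    NO_WRITE_UP = 0x1     # present on every labelled object by default
    NO_READ_UP = 0x2
    NO_EXECUTE_UP = 0x4


DEFAULT_POLICY = Policy.NO_WRITE_UP


def mic_allows(subject: Integrity, obj: Integrity, requested: Access,
               policy: Policy = DEFAULT_POLICY) -> bool:
    """Return True if the integrity check passes for `requested` access.

    MIC runs before the DACL check: passing here does not grant access,
    it only means the discretionary ACL is consulted next.
    """
    if subject >= obj:
        return True           # same or higher level: MIC never interferes
    blocked = Access(0)
    if Policy.NO_WRITE_UP in policy:
        blocked |= Access.WRITE
    if Policy.NO_READ_UP in policy:
        blocked |= Access.READ
    if Policy.NO_EXECUTE_UP in policy:
        blocked |= Access.EXECUTE
    # Denied if any requested access kind is in the blocked set.
    return not (requested & blocked)


def renderer_reach(policy: Policy = DEFAULT_POLICY) -> dict:
    """Which access kinds a low-integrity renderer keeps on a
    medium-integrity object under `policy` (constructed scenario)."""
    return {kind.name: mic_allows(Integrity.LOW, Integrity.MEDIUM, kind, policy)
            for kind in (Access.READ, Access.WRITE, Access.EXECUTE)}


if __name__ == "__main__":
    print("default label      :", renderer_reach())
    print("label + NO_READ_UP :", renderer_reach(DEFAULT_POLICY | Policy.NO_READ_UP))
```

Run stand-alone it prints the two scenarios side by side: with the default label the renderer can still read (and execute) medium-integrity objects, which is exactly the "prevents modifications, but not reads" gap the article describes; adding NO_READ_UP removes the read path as well.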

Eice
August 14th, 2009, 02:47 AM
-{ Quote: "To add a quick note, Firefox 3.5 also runs with DEP and ASLR enabled, but not with a low-integrity level (no protected mode)." }-
AFAIK Firefox has never supported ASLR. Since when did this change?

Kees1958
August 14th, 2009, 03:40 AM
Yes, research from Stanford University (the PDF is not accessible anymore, they must have protected their servers :-) showed that this dual-layer policy management approach even protected against known exploits of the software components used by Chrome (f.i. WebKit).

GkWeb, thanks for the extract :thumb:

Use Iron instead of Chrome, see http://www.wilderssecurity.com/showthread.php?t=250518

gkweb
August 14th, 2009, 05:42 AM
-{ Quote: "AFAIK Firefox has never supported ASLR. Since when did this change?" }-

I don't know since when, just a current observation (see attachment).
I doubt Process Explorer would return erroneous results.

@Kees
I've read about Iron, but didn't bother yet to try it, but I'm going to right now ;)

Regards,
gkweb.

Dregg Heda
August 14th, 2009, 09:21 AM
I only wish Chrome/Iron had NoScript and better cookie management options.

Kerodo
August 14th, 2009, 06:46 PM
-{ Quote: "I only wish Chrome/Iron had NoScript and better cookie management options." }-
Chrome has no need for NoScript, it's sandboxed.......

Dregg Heda
August 15th, 2009, 01:31 AM
-{ Quote: "Chrome has no need for NoScript, it's sandboxed......." }-
I like blocking google analytics.

Kees1958
August 15th, 2009, 03:02 AM
-{ Quote: "I like blocking google analytics." }-

I surf with Iron incognito all the time (just add -incognito after the iron executable in the link). Drag this JavaScript (Google Anon) to the favourites bookmarklet bar in Iron. Done: http://www.imilly.com/google-cookie.htm ; more here http://www.imilly.com/google-cookie.htm#googleanon (show cookie, zap cookie)

Cheers Kees

Sportscubs1272
August 15th, 2009, 04:46 AM
So Iron uses the beta 3 version of Chrome? Do you have to go to their website to get an updated version?

tlu
August 15th, 2009, 07:24 AM
-{ Quote: "Chrome has no need for NoScript, it's sandboxed......." }- ??? Please elaborate how a sandbox would protect against, e.g., XSS.

Kerodo
August 15th, 2009, 09:33 AM
-{ Quote: "??? Please elaborate how a sandbox would protect against, e.g., XSS." }-
I have no idea, I just assumed a sandboxed browser was safe from most exploits touching critical parts of the system....

tlu
August 15th, 2009, 09:54 AM
-{ Quote: "I have no idea, I just assumed a sandboxed browser was safe from most exploits touching critical parts of the system...." }-
Threats like XSS (http://en.wikipedia.org/wiki/Cross-site_scripting) have nothing to do with "touching critical parts of the system" ;)
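The point made above, as an added example that is not part of anyone's post in this thread: a reflected XSS flaw is a server-side output-encoding bug, so the injected script runs inside the victim's renderer with the page's own origin and cookies, and the renderer sandbox (which only limits what that process can do to the operating system) never sees anything to block. The defence lives in the web application. The two page templates, the probe strings and the parser-based checks below are constructed for illustration and use only the Python standard library.

```python
"""Reflected XSS: an encoding bug that process sandboxing cannot address.

Added example, not code from any browser or web site. Each `render_*`
function stands in for a server-side template; the `_fixed` variants
encode untrusted input for the context it is inserted into, using
html.escape. The checks parse the produced markup the way a browser
would, so they show what actually reaches the renderer.
"""
import html
from html.parser import HTMLParser

# Constructed probe strings of the kind a tester uses (harmless alerts).
SAMPLE_QUERY = "shoes<script>alert('xss')</script>"
ATTR_PROBE = 'x" onfocus="alert(1)'


def render_search_vulnerable(query: str) -> str:
    """Echoes the query straight into HTML text: the classic reflected XSS bug."""
    return f"<p>Results for: {query}</p>"


def render_search_fixed(query: str) -> str:
    """Text context: html.escape turns &, <, >, \" and ' into entities."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def render_input_vulnerable(query: str) -> str:
    """Quoted attribute, but no encoding: a double quote in the input ends the
    attribute early and whatever follows becomes new attributes."""
    return f'<input name="q" value="{query}">'


def render_input_fixed(query: str) -> str:
    """Attribute context: quote the value AND escape it with quote=True."""
    return f'<input name="q" value="{html.escape(query, quote=True)}">'


class _MarkupInspector(HTMLParser):
    """Records how a parser sees the markup: script tags and input attributes."""

    def __init__(self) -> None:
        super().__init__()
        self.script_tags = 0
        self.input_attrs: list = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        if tag == "input" and not self.input_attrs:
            self.input_attrs = [name for name, _ in attrs]


def _inspect(page: str) -> _MarkupInspector:
    inspector = _MarkupInspector()
    inspector.feed(page)
    inspector.close()
    return inspector


def script_tags(page: str) -> int:
    """Number of real <script> elements a parser finds in the page."""
    return _inspect(page).script_tags


def input_attributes(page: str) -> list:
    """Attribute names the parser assigns to the first <input> element."""
    return _inspect(page).input_attrs


if __name__ == "__main__":
    for label, page in (("vulnerable", render_search_vulnerable(SAMPLE_QUERY)),
                        ("fixed", render_search_fixed(SAMPLE_QUERY))):
        print(f"{label:10s} script tags: {script_tags(page)}  {page}")
    for label, page in (("vulnerable", render_input_vulnerable(ATTR_PROBE)),
                        ("fixed", render_input_fixed(ATTR_PROBE))):
        print(f"{label:10s} input attrs: {input_attributes(page)}  {page}")
```

The attribute case is the one people miss: escaping `<` and `>` alone is not enough when the value lands inside an attribute, which is why the context-specific encoding (quoted attribute plus `quote=True`) is shown separately from the text-node case.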

Kerodo
August 15th, 2009, 10:32 AM
-{ Quote: "Threats like XSS (http://en.wikipedia.org/wiki/Cross-site_scripting) have nothing to do with "touching critical parts of the system" ;)" }-
Yep, I see, thanks. I guess the main threat would be phishing and things of that nature then....

Keyboard_Commando
August 15th, 2009, 01:08 PM
Google probably has something of their own to guard against scripting exploits (although someone has mentioned to me that NoScript is being released as an add-on for Chrome, so who knows). I would imagine they could well create some scripting control themselves and cut out the third party ability to hinder Googles own advert service.

XSS exploits are rampant right now so I can't see them leaving this security hole open for too long.

-{ Quote: "Hackers are posting cross-site scripting (XSS) flaws found in a number of prominent websites to a hacking site, according to a leading security researcher.

Jeremiah Grossman, WhiteHat Security CTO, told SCMagazine.com on Thursday that links for PCWorld.Com, HP.com, MySpace.com, PhotoBucket.com and Dell.com are posted as having XSS flaws on sla[dot]ckers.org.

Grossman said XSS flaws are now the No. 1 flaw on Mitre's Common Vulnerabilities and Exposures (CVE) site - a considerable growth from 12 months ago.

"XSS is now No.1. It literally took one year and probably less to reach No. 1," he said. "It actually pushed buffer overflow down to No. 4."

XSS flaws range from hacker's harmless pranks to financially motivated hackings, Grossman said.

"It's pretty stark, it pretty much depends on the type of exploit," he said. "It could be nothing. It could be a simple defacement, or in the case of several weeks ago when PayPal was used for XSS attacks."

Chris Wysopal, CTO of Veracode, said this week that XSS flaws are easy to for hackers to find, and are especially rampant because of the popularity of social networking sites.

The number of XSS flaws may be blown out of proportion "because there are so many small web applications that are vulnerable," he said.

"This is important to realize because XSS is now ranked by CVE as the most prevalent vulnerability, even more prevalent than buffer overflows," he said. " }-

source (http://www.scmagazineuk.com/XSS-flaws-jump-to-top-of-CVE-rankings-but-is-the-threat-overblown/article/107020/)

Kerodo
August 15th, 2009, 01:33 PM
-{ Quote: "XSS exploits are rampant right now so I can't see them leaving this security hole open for too long." }-
I just use Chrome and nothing else in Win, frankly, in 15 years online, I've never encountered any issues or problems with any browser. In Linux I use Firefox, but of course that's a different situation altogether.

Kees1958
August 16th, 2009, 04:39 AM
-{ Quote: "??? Please elaborate how a sandbox would protect against, e.g., XSS." }-

Well, not the sandbox, but Chrome's built-in translation of JavaScript to native machine language. The reason for changing high-level unassembled interpretation code into native machine language only provides a little performance advantage (since code still has to be interpreted into binaries), but it has the following advantages:

1. The interpretation can be boxed in the overall architecture, therefore providing stronger control on the communication from the JavaScript interpreter to the functional controller and the sandbox.

2. Having your own interpreter means that you own the conversion to executable code. This means that Chrome can impose limitations (only a subset of script commands) or choose alternative (more secure) implementations of the script conversion (a comparable effect to the ActiveX trick-bits filter of f.i. Spybot S&D).

3. The sandbox contains the web pages, so client-side XSS attacks to allow remote code execution on the client's PC will be paralysed by the sandbox.

Not surprisingly, the reported XSS vulnerabilities of Chrome are therefore reported on exception handling (return error) or interfacing with other web services like PDF/Flash, or when started from f.i. Internet Explorer. All in all it does a great job in regard to XSS exploits.

My opinion
==> Opera 9.5+, IE8+ (not in IE7 compatibility mode) and Chrome are pretty decent browsers when it comes to XSS protection; FF is, from a software architect's point of view, a mess, but on the other side offers the most granularity of control through plug-ins (to close the holes :-)

==> XSS / phishing / cookie info exploit countermeasures
a) always check the URL for phishing
b) check the webshop's reputation
c) use preferably:
- (best) a debit card which uses a secured public/private encryption key to validate the transaction, or
- (second best) pay through a secured safe banking service when your country's pay/transaction service is based on credit cards,
- NEVER use your credit card directly for web-based transactions (it has the same risk as giving your credit card to a restaurant in a shabby neighbourhood: the guy walks away and five minutes later hands over the push-print slip to sign; they could have cracked your card with some smart electronics in three minutes' time while you physically handed over the credit card and it was out of your sight)

tlu
August 16th, 2009, 06:08 AM
-{ Quote: "My opinion
==> Opera 9.5+, IE8+ (not in IE7 compatibility mode) and Chrome are pretty decent browsers when it comes to XSS protection, FF is from a software architect's point of view a mess," }-

Would you care to provide evidence for this statement?

Kees1958
August 17th, 2009, 03:02 AM
-{ Quote: "Would you care to provide evidence for this statement?" }-

I got the opinion from just reading their release calendar history, plus the way they deal with plug-ins, and the issues they had following the latest OS/hardware developments/features. Call it circumstantial evidence.

Personally I do not like that developers have to be told what the role of CSS, JavaScript, XUL, C++ and XPCOM is, while the code can be "intermingled". This lowers the threshold to use or build add-ons for, but I am old school: you should not allow JavaScript to be used for tasks which are more suited for C++. Bad luck, just become a professional developer or design and plan the application (and assign parts/modules to developers with different skills) before you start scribbling code.

I have no access (not bothered to try really) to the source code/software documentation, nor did I try to reverse engineer it, so I cannot give you black-on-white evidence. Therefore I wrote the "My Opinion" above this statement in bold, to express that it is not FACTUAL information, but an OPINION.

When I am wrong, please tell me.

Cheers Kees

wrongway67
August 17th, 2009, 03:31 AM
At present the plug-ins (Flash, Java…) cannot be “sandboxed” by Chrome; they run with the same privileges of the user. Attached you can see the browser’s processes when launched by an Administrator in XP.

Kees1958
August 17th, 2009, 04:05 AM
Yes, but Java is something different than JavaScript; JavaScript is executed within the per-tab process as far as I understand it. Again, inform me when I am wrong about it.

For those who want to run Iron without JavaScript, just create a shortcut with this in the target:

"C:\Program Files\SRWare Iron\iron.exe" -incognito -disable-javascript

(run incognito and JavaScript disabled)

tlu
August 17th, 2009, 07:30 AM
-{ Quote: "I got the opinion from just reading their release calendar history, plus the way they deal with plug-ins, and the issues they had following the latest OS/hardware developments/features. Call it circumstantial evidence.
...

I have no access (not bothered to try really) to the source code/software documentation, nor did I try to reverse engineer it, so I cannot give you black-on-white evidence. Therefore I wrote the "My Opinion" above this statement in bold, to express that it is not FACTUAL information, but an OPINION.

When I am wrong, please tell me." }-
I don't know if you're wrong. I'm just saying that without presenting any evidence - particularly how everything you said is specifically related to XSS protection - your statement is rather bold, to put it mildly.

FYI: If you read through http://ha.ckers.org/ you'll find that its author Robert Hansen (aka RSnake), who is one of the most respected authorities when it comes to internet/browser security and one of the authors of XSS Attacks: Cross Site Scripting Exploits and Defense (http://www.amazon.com/XSS-Attacks-Scripting-Exploits-Defense/dp/1597491543/ref=sr_1_1/188-8283650-4145246?ie=UTF8&s=books&qid=1250507666&sr=8-1), uses Firefox as his browser. I'm sure he wouldn't do this if he regarded FF as less safe compared to other browsers.

Dregg Heda
August 17th, 2009, 09:34 AM
-{ Quote: "I surf with Iron incognito all the time (just add -incognito after the iron executable in the link). Drag this JavaScript (Google Anon) to the favourites bookmarklet bar in Iron. Done: http://www.imilly.com/google-cookie.htm ; more here http://www.imilly.com/google-cookie.htm#googleanon (show cookie, zap cookie)

Cheers Kees" }-

I assume I will have to change iron status to trusted before making these changes?

Eice
August 17th, 2009, 09:52 AM
-{ Quote: "At present the plug-ins (Flash, Java…) cannot be “sandboxed” by Chrome; they run with the same privileges of the user." }-
That's what the --safe-plugins switch is for.

wrongway67
August 17th, 2009, 12:38 PM
-{ Quote: "That's what the --safe-plugins switch is for." }-
Thanks
It works without any problem
As they say... "Live and Learn" :)

chronomatic
August 17th, 2009, 12:59 PM
-{ Quote: "I have no access (not bothered to try really) to the source code/software documentation, nor did I try to reverse engineer it, so I cannot give you black-on-white evidence." }-

Why would you need to reverse engineer code that is FLOSS? Essentially, you're saying FF has messy code without having examined the code? Moreover, it appears you don't even know it is FLOSS.

Eice
August 17th, 2009, 01:17 PM
-{ Quote: "Why would you need to reverse engineer code that is FLOSS? Essentially, you're saying FF has messy code without having examined the code?" }-
From personal experience, bugs in the Firefox trunk typically take ages to fix, with the devs constantly requesting narrowing down which checkin in which hourly build caused the bug, and even then debugging takes a damn long while. Especially bugs filed by people who're not savvy enough to provide test cases for the devs.

The longest I've waited for a bugfix in the Chrome trunk to date, by comparison, is 1.5 weeks. I'm not saying that this is sure-fire evidence for messy code in Fx, but it certainly does reinforce my opinion of it.

Dregg Heda
August 17th, 2009, 01:33 PM
-{ Quote: "That's what the --safe-plugins switch is for." }-
Does this switch exist in Iron and where is it?

wrongway67
August 18th, 2009, 02:54 AM
Create a shortcut for Iron and in the Properties tab edit the Target field by appending --safe-plugins to the path.

"C:\Program Files\SRWare Iron\iron.exe" --safe-plugins

Dregg Heda
September 3rd, 2009, 11:01 PM
Thanks Wrongway!

Eirik
September 8th, 2009, 04:02 PM
Question: does Chrome or IE8 regulate inter-process communications?

One rationale for separating tabs into different processes is to provide compartmentalization so as to fortify the integrity and confidentiality of any one tab relative to the other active tabs in the browser. When tabs exist within the same process, only the browser should regulate communications among active tabs, practically speaking (a security app trying to do so would be problematic). With separate tabs, however, what regulates or blocks inter-process communications (my question/scope is somewhat OS independent, meaning browsers must cope with the facility limitations of XP)?

Bear in mind, this is all theoretical. I do not intend for my question to imply this issue is in the top 10 concerns for browser security TODAY.

Cheers,

Eirik

Kees1958
September 9th, 2009, 06:28 AM
-{ Quote: "Why would you need to reverse engineer code that is FLOSS? Essentially, you're saying FF has messy code without having examined the code? Moreover, it appears you don't even know it is FLOSS." }-

As said, from a software architect's point of view, the first two paragraphs address my issues; a messy architecture is something different than messy code. I admitted to not having done code sampling, so I cannot say anything about messy code. I am talking about circumstantial evidence (like Eice, for instance, also does).

I said I did not bother; I agree it sounds ignorant when you mention reverse engineering for Free Libre Open Source software, but still that can be a lazy way to look at it, because some reverse engineering tools have graphic visualisations of the reverse-engineered code structure.

Habakuck
September 11th, 2009, 09:06 PM
-{ Quote: "Create a shortcut for Iron and in the Properties tab edit the Target field by appending --safe-plugins to the path.

"C:\Program Files\SRWare Iron\iron.exe" --safe-plugins" }-
Will this switch really put all plugins into the sandbox? Also the Adobe Flash player? That would be awesome!

So will the switch for incognito and safe plugins be this one:

-{ Quote: ""C:\Program Files\SRWare Iron\iron.exe" --safe-plugins -incognito" }- ?

wrongway67
September 12th, 2009, 04:04 AM
-{ Quote: "Will this switch really put all plugins into the sandbox? Also the adobe flash player?" }-
yes (see the attachment)
-{ Quote: "So will the switch for incognito and safe plugin this one:" }-
affirmative :thumb:

Habakuck
September 12th, 2009, 04:17 AM
-{ Quote: "yes (see the attachment)

affirmative :thumb:" }-
WOW! That is really cool! So I finally found a possibility for running a "sandboxed" browser under Win7 64-bit?!

That is really good!