chromium rolling-out-sandbox-for-adobe-flash

Discussion in 'other software & services' started by vtol, Dec 2, 2010.

Thread Status:
Not open for further replies.
  1. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    the chromium blog

    if posted already please delete
     
  2. wat0114

    wat0114 Guest

    Thank you for the info, vtol. This looks to be a nice security improvement. I'm really liking Chrome, too.
     
  3. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,856
    Nice change, good to see, hopefully on portableapps soon.

    Is this talking about IE's protected mode on 7/Vista?
     
  4. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I'm not sure how it could be related to that, because IE's Protected Mode is nothing but a low integrity level, and integrity levels were only introduced with Windows Vista, and now Windows 7.

    Maybe another sandbox implementation of some sort. o_O
     
  5. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Chrome's sandbox


    I can't explain any better than this
    a) reduced rights (to LOW) of the sandboxed tabs (in which JavaScript runs)
    b) assigns a restricted SID to the tab.
    c) assigns a job id, which prevents access to user handles outside the job, it also says that it is only allowed to access restricted token objects, is not allowed to debug, log off, etc. and dies on exceptions (so for people complaining that Chrome is unstable when looking at movies at porn sites, be happy Chrome did protect you).
    d) switches to an alternate desktop which prevents windows messaging stuff etc.

    As an example, Tzuk said that SBIE on x64 could not prevent messaging to services (d). So Chrome realises total isolation (also on x64 systems).

    see http://dev.chromium.org/developers/design-documents/
     
  6. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Yes, correct.

    I just thought/wondered if they were introducing some new additional sandbox of some sort to what it already is to increase the protection for Windows XP, considering they mention

    According to what they're saying here, they could be introducing something new to protect the plugin/what malware could possibly do through the plugin?
     
  7. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    There will be the first instance running with medium rights, plug-ins with low rights and an assigned job-id (for better user space protection, limiting control on other processes), next the tabs with restricted token and alternative desktop, compiled & assembled JavaScript (to filter out some data and access overflow exceptions used by malware) running inside of a tab with hidden object classes (instead of shared libraries) for further isolation.

    IE was the first to use protected mode, but Chrome improved this substantially. Firefox has just managed the out-of-process feature; a sandbox is not scheduled for 2011. Given the time it needs to develop, I would say second/third quarter of 2012 at the earliest.
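
Added example (not part of any post in this thread, and not Chromium's code): a way to check on a running system two of the properties described in posts 5 and 7, the integrity level of each browser process and whether it sits inside a job object. It assumes Windows Vista or later, that the processes are named `chrome`, and a helper class name `SandboxCheck` chosen here for illustration.

```powershell
# Added example. Assumptions: process name "chrome"; SandboxCheck is a hypothetical helper name.
$src = @'
using System;
using System.Runtime.InteropServices;
public static class SandboxCheck {
    [DllImport("advapi32.dll", SetLastError=true)]
    static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError=true)]
    static extern bool GetTokenInformation(IntPtr token, int infoClass, IntPtr info, int len, out int retLen);
    [DllImport("advapi32.dll")] static extern IntPtr GetSidSubAuthority(IntPtr sid, uint index);
    [DllImport("advapi32.dll")] static extern IntPtr GetSidSubAuthorityCount(IntPtr sid);
    [DllImport("kernel32.dll", SetLastError=true)]
    static extern bool IsProcessInJob(IntPtr process, IntPtr job, out bool result);
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr h);

    // Integrity RID: 0x0000 untrusted, 0x1000 low, 0x2000 medium, 0x3000 high; -1 on failure.
    public static int IntegrityRid(IntPtr process) {
        IntPtr token;
        if (!OpenProcessToken(process, 0x0008 /* TOKEN_QUERY */, out token)) return -1;
        try {
            int len;
            GetTokenInformation(token, 25 /* TokenIntegrityLevel */, IntPtr.Zero, 0, out len);
            IntPtr buf = Marshal.AllocHGlobal(len);
            try {
                if (!GetTokenInformation(token, 25, buf, len, out len)) return -1;
                IntPtr sid = Marshal.ReadIntPtr(buf);  // TOKEN_MANDATORY_LABEL.Label.Sid
                byte count = Marshal.ReadByte(GetSidSubAuthorityCount(sid));
                return Marshal.ReadInt32(GetSidSubAuthority(sid, (uint)(count - 1)));
            } finally { Marshal.FreeHGlobal(buf); }
        } finally { CloseHandle(token); }
    }
    // True when the process is associated with any job object.
    public static bool InJob(IntPtr process) {
        bool r;
        return IsProcessInJob(process, IntPtr.Zero, out r) && r;
    }
}
'@
Add-Type -TypeDefinition $src

Get-Process chrome -ErrorAction SilentlyContinue | ForEach-Object {
    try { $h = $_.Handle } catch { return }   # skip processes we are not allowed to open
    [pscustomobject]@{
        PID          = $_.Id
        IntegrityRid = '0x{0:X4}' -f [SandboxCheck]::IntegrityRid($h)
        InJob        = [SandboxCheck]::InJob($h)
    }
}
```

A process can be in a job for reasons unrelated to the browser's sandbox, so `InJob = True` shows only that a job applies, not which limits it carries.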
     