info on Chromium browser needed

A little example.

Yesterday, I've "installed" Chromium to a relative, and applied... well... pretty much all of my security tweaks. LOL

NO!! My relative loves it!!!! Seriously!!!

Anyway, leaving that detail aside, I've applied an explicit low integrity level to it. All downloaded executables (not only *.exe, rather executables; dangerous file types) are forbiddem from executing.

The explicit low IL, on its own, already provides a pretty decent security. Add to that the fact that no dangerous file types can automatically run.

That Chromium for sure bugs (which app doesn't, right?), but the explicit low integrity level pretty much kills any chance of breaking out of Chromium's sandbox. There's no how to break out. It's impossible.

There are a few more layers.

I'm not saying that I won't be telling my relative to update Chromium, at least two in two weeks (I think it's enough for my relative.). But, even if my relative wouldn't update like for 3 months... I don't predict any problems.

The only problem would a mistake done by my relative, like downloading manually downloading files.

 

This sounds like project material. A Chromium updater ?

Sul.

 

another reason why i don't let any of my software auto-updates is it is easier for me to spot if something is 'out of whack' whit my computer when it is streamlined.

if i feel a slowdown or a 'hiccup' when using my computer i want to make sure it's not because an app is busy 'behind the scene'.

 

There's one already. -https://sites.google.com/site/chromeupdater/

-edit-

There seem to be quite a few, actually. I still haven't checked any of them. -http://www.ghacks.net/2011/01/10/chromium-updater-overview/

P.S: The only advantage I see would be to create one that would fit our specific needs, like extract where we have our Chromium folder, and how many "installs" we'd like to have.

 

at m00nbl00d:

i also use Chromium with a Low I.L.

do you take any extra step to secure the Adobe Flash Player as well?

 

I don't really think it would make any difference, considering the explicit Low IL would force Flash do run with a low integrity level as well, but I guess it wouldn't hurt to run Chromium with the flag --safe-plugins.

 

tnx m00nbl00d.

i feel pretty secure with this kind of protection and the impact on convenience is very minimal.

 

I seen those. Most of them just download the stuff.

I already whipped up a demo version that extracts the .zip file, deletes a chromium_old directory, renames the current chromium directory to chromium_old, then puts the newly extracted version in place. Still using Chromium Nightly Updater extension to see what versions etc and download it, I just made a little demo to see how easy/fast it would be to put it in place once the .zip is downloaded.

At least it lets me update how/when I want without much effort. It was just something I wanted to see how easy it would be, and it is pretty easy. Without a native unzip feature in the OS, you either have to use an alternate method that cmd/batch, or you have to have a 3rd party app/dll in place to do it. I chose an alternate language rather than 3rd party tool, although I have them installed.

Sul.

 

Is there some extension or add on that allows these low level tweaks to be done automatically? Also, if there is no such extension, do all the tweaks have to be repeated every time a new version of Chrome is installed?

 

You can work with integrity levels (Windows Vista and Windows 7) by using a tool by Microsoft named icacls. It's part of both Vista and 7.

There's also a more powerful tool named chml. Place it in C:\Windows\System32 and then you can simply type chml in Windows cmd line. -http://www.minasi.com/apps/

Now, if you delete the object (process, folder...) to which you have applied an integrity level (be it untrusted, low, medium, high, system), when you create the same process (example: you delete chrome.exe and then place it back), the integrity level will be lost.

You have thre ways to work with that issue:

* You don't delete, but rather replace, hence retaining the IL.
* You reapply the IL.
* Use a tool by Didier Stevens named runasil, which will retain the IL. It has been mentioned in the forum. I don't know how it would play with ILs, if we already have applied them with either icacls or chml. I actually asked about that in a thread in this forum, but got no answer. I actually never bothered to test it on my own.

There are other ways, but they would require certain knowledge (time to learn it). It wouldn't as quick as using a tool capable of doing already.

 

I'm studying PowerShell whenever I can. I already know a few things... Not much, though. But, once I know it, it will prove useful!

I can say I already know how to verify the existence of a folder and then delete it, etc.

 

Not sure if I should lol @ a wilders member saying that updating programs is a useless mitigation technique. Here where users like to triple encrypt and sandbox everything... but don't like to update their most used internet facing application?

 

Cool. I haven't messed with powershell.

What I did thus far:
(after chrome-win32.zip is downloaded)
extract to chromeWWW
delete Chromium_old in programfiles
rename Chromium to Chromium_old in program files
move and rename chrome directory from unzipped contents to program files as Chromium
delete chromeWWW directory
rename chrome-win32.zip to chrome-old.zip, overwriting if needed

Seems to work fine, but I don't have any checks in place yet. Easy enough to do, thats for sure.

Sul.

 

ok thanks for the info

 

Thanks for the link! You may want to check out JChromiumUpdater it does exactly what you are looking for but it uses Java.

@moontan
Is there a tutorial for how you changed the Integrity level of chromium?

 

the tutorial would make a nice youtube video too, if that were a consideration.

 

Is not really hard.

Actually, Sully and I already exemplified it to moontan, and he/she managed to get it done just fine.

Check it here https://www.wilderssecurity.com/showthread.php?&t=299316

 

"He", actually.

but yeah, if a noob like me can learn this so can anybody else that wants to.

you got to read the whole thread though.
it took 2 pages of the whole thread to make this work with the help of Sully and m00nbl00d.

it looks more complicated than it really is.

you can also have a look at this thread for how to set it up for your specific browser, including Chromium:
https://www.wilderssecurity.com/showthread.php?t=283375

 

@moonblood, moontan
It is very simple. Thank you for the guidance!

 

Just a hint for those running Adobe Reader X*, which has a sandbox of its own.

If you apply a low integrity level to your web browser, and if you download a PDF file and open it from within the web browser, the PDF file will fail to open because Adobe Reader X will also fail to initiate, due to inheriting the web browser's explicit low integrity level.

I still haven't bothered delving much into it, and see what I'd need to change in Adobe Reader X to open from within the web browser.

But anyway, now this is the hint: If you have Sandboxie (paid version), if you force Adobe Reader X to a sandbox, even though you don't have the web browser sandboxed (in Sandboxie), Sandboxie will act as a link between the web browser and Adobe Reader X, making it possible to open PDF files from within the web browser.

The same may work for other apps as well, which would otherwise fail, like perhaps other PDF readers that may also have their own sandboxes.

Again, only if you'd like to open PDF files from within the web browser, once you finish downloading them. You'd also need Sandboxie paid version, of course. Bummer.

Not sure if Sandboxie-"similar" apps would also act fine as "middle man"?

-edit-

* I mentioned Reader X, but I believe prior versions would also fail, because I think they need to access areas off limits to low integrity level objects.

 

You'll find me to be one of those that really doesn't give crap what people think of me, so "lol" away Many users here triple encrypt and sandbox everything because they're either A. Security professionals. B. Security hobbyists. C. Paranoid. And, perhaps you should read a bit more into my last post. I said security has changed, and it has. Drive-by downloads have all but been replaced by fake security programs, social engineering tricks, malicious apps and so on. Your updated browser won't do jack against those, it just will not. And I never said updating programs in general was a useless mitigation technique, I said browsers.

 

I'm not sure that is entirely true. Didn't we just see a posted security flaw the other day for Chrome that allowed an automatic drive by and execution I think this exploit was fixed, but there was potential there for it to be used in between the update.

If you go through the trouble of using icalcs to change integrity levels, you will probably be ok.. but most people don't go through that trouble.

I'm not saying its "wrong" per say, but it seems like an unnecessary risk..

 

A flaw that allows a drive-by to happen doesn't mean a drive-by will happen. You're perfectly safe with that flaw if you don't run into a website that is infected and used for such an attack.

 

you don't seem too confident in icalcs protecting the browser against exploits.
would you care to elaborate?

 

I said the opposite of that actually. I said you'll probably be ok (unless the code exploits some windows flaw as well)...

I just stated the obvious that most people won't ever perform this procedure. For many, it is too difficult.. and for others there are problems with third party apps being launched from the browser (since they are start in low IL as well).

I'm also not entirely sold that the typical procedure for lowering IL is a good one. In a lot of cases, you end up lowering the IL of several other folders just to make the program run. If you do this for a single program folder, you will be ok... but if you also do it for Adobe Reader, media players, etc... then you've actually lowered your protection.

If you change too many folders to be writable from processes with low IL, you've defeated the purpose of low IL. Now your low IL firefox process can potentially overwrite adobe settings, or even the Adobe program folder (depending on how many folders you've modified).