Chrome sets browser security standard, says expert
Dino Dai Zovi urges browser makers to follow Google's lead
Computerworld - All browser makers should take a page from Google's Chrome and isolate untrusted data from the rest of the operating system, a noted security researcher said today.
Dino Dai Zovi, a security researcher and co-author of The Mac Hacker's Handbook, believes that the future of security relies on "sandboxing," the practice of separating application processes from other applications, the operating system and user data.
In a Wednesday entry on Kaspersky Labs' ThreatPost blog, Dai Zovi described sandboxing, as well as the lesser security technique of "privilege reduction," as "[moving] the bull (untrusted data) from the china shop (your data) to the outside where it belongs (a sandbox)."
The idea behind sandboxing is to make it harder for attackers to get their malicious software onto machines. Even if an attacker was able to exploit a browser vulnerability and execute malware, he would still have to exploit another vulnerability in the sandbox technology to break into the operating system and, thus, get to the user's data.
"Sandboxing raises the bar significantly enough that attackers will have to turn to other [types of attacks], like rogue anti-virus software," Dai Zovi said today in a telephone interview.
The pervasiveness of Web-based attacks calls for browser sandboxing, Dai Zovi argued. "It's crucially important because, in my opinion, the browser will become the OS," he said. "Google is the first to realize that the browser is the operating system, and Chrome is a huge leap forward with its ground-up rewrite."
Chrome has included sandboxing since its September 2008 debut. And while Dai Zovi considers it easily the leader in security because of that, other browser have, or will, make their own stabs at reducing users' risks.
For example, Microsoft's Internet Explorer 7 (IE7) and IE8 on Vista and Windows 7 include a feature dubbed "Protected Mode," which reduces the privileges of the application so that it's difficult for attackers to write, alter or destroy data on the machine, or to install malware. But it's not a true sandbox as far as Dai Zovi is concerned.
Currently, Mozilla's Firefox, Apple's Safari and Opera Software's Opera lack any sandboxing or privilege reduction features. "Apple, for example, has implemented some sandboxing in Snow Leopard, but [although] security researchers were hoping to see some of that technology used in Safari, that hasn't happened," Dai Zovi said.
Mozilla is working on Chrome-like sandboxing for Firefox -- the project's dubbed "Electrolysis" -- but the feature probably won't make it into the browser until Firefox 4.0, which is now slated to ship in late 2010 or early 2011.
Dai Zovi sees browser sandboxing as an answer to the flood of exploits that have overwhelmed users in the past year. "This isn't perfect, but it's the direction we should be heading in," he said. "The idea of fixing every vulnerability is clearly not working. We can't always win the race to patch."
But sandboxing, or at the least, reducing the browser's ability to affect the rest of the OS, may be the way to block most attacks. "It adds more defense-in-depth and impedes attackers," Dai Zovi said.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, send e-mail to firstname.lastname@example.org or subscribe to Gregg's RSS feed .
- Google reverses field, promises to restore Chrome's scrollbar arrows
- Update: Google ships Chrome 33, patches 28 bugs
- Mozilla's top exec defends in-Firefox ads, revenue search
- Mozilla taps in-Firefox ads as it searches for more revenue
- Mozilla ships Metro Firefox beta for Windows 8
- Mozilla defers Firefox's new 'Australis' UI to April
- Mozilla resets Metro Firefox ship date to mid-March
- Mozilla ships Firefox 26 with opening click-to-play move
- Mozilla banked $274M in '12 from Google-Firefox search deal
- Google trumpets Chrome's SPDY gains
Read more about Security in Computerworld's Security Topic Center.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts