Chromium OS. Operating Systems WS 2009/2010 Jun.-Prof. Dr. André Brinkmann Simon Oberthür

Transcription

1 Chromium OS Operating Systems WS 2009/2010 Jun.-Prof. Dr. André Brinkmann Simon Oberthür Source/More Information:

2 What is Google Chrome OS?

3 Chromium OS & Open Source

4 Software Architecture Chromium OS consists of three major components The Chromium-based browser and the window manager System-level software and user-land services: the kernel, drivers, connection manager, and so on Firmware

5 Firmware Functionality System recovery Recovery firmware can re-install Chromium OS in the event that the system has become corrupt or compromised Verified boot Each time the system boots, Chromium OS verifies that the firmware, kernel, and system image have not been tampered with or become corrupt. This process starts in the firmware Fast boot Improved boot performance by removing a lot of complexity that is normally found in PC firmware

6 System-level and User-land Software D-Bus Interaction: Browser with the rest of the system. Example: battery meter and network picker Connection Manager Provides a common API for interacting with the network devices, provides a DNS proxy, and manages network services for 3G, wireless, and ethernet WPA Supplicant Used to connect to wireless networks Autoupdate Autoupdate daemon silently installs new system images Power Management (ACPI on Intel) Handles power management events like closing the lid or pushing the power button Xscreensaver Handles screen locking when the machine is idle Standard Linux services NTP, syslog, and cron

7 Chromium and the Window Manager Responsibility Handling user's interaction with multiple client windows

8 Chromium OS - Security

9 Security Security as a design principle Chromium OS has been designed from the ground up with security in mind Security is not a one-time effort but rather an iterative process that must be focused on for the life of the operating system Recovery If operating system or user detect that the system has been compromised, an update can be initiated, and after a reboot the system will have been returned to a known good state Security architecture Chromium OS security strives to protect against an opportunistic adversary through a combination of system hardening, process isolation, continued web security improvements in Chromium, secure autoupdate, verified boot, encryption, and intuitive account management

10 Security: Guiding pronciples (I) The perfect is the enemy of the good No security solution is ever perfect Mistakes will be made, there will be unforeseen interactions between multiple complex systems that create security holes, and there will be vulnerabilities that aren't caught by pre-release testing No search for mythical perfect system Continue shipping something that is still very good and update Deploy defenses in depth Deploy a variety of defenses to act as a series of stumbling blocks for the attacker. Make it hard to get into the system, but assume that the attacker will Put another layer of defenses in place to make it difficult to turn a user account compromise into root or a kernel exploit Make it difficult for an attacker to persist his presence on the system by preventing him from adding an account, installing services, or recompromising the system after reboot

11 Security: Guiding pronciples (II) Make it secure by default Being safe is not an advanced or optional feature Until now, the security community has had to deploy solutions that cope with arbitrary software running on users' machines; as a result, these solutions have often cost the user in terms of system performance or ease-of-use Chromium OS has the advantage of knowing which software should be running on the device at all times, Chromium OS should be better able to deploy solutions that leave the user's machine humming along nicely Don't scapegoat the users In real life, people assess their risk all the time The Web is really a huge set of intertwined, semi-compatible implementations of overlapping standards. Unsurprisingly, it is difficult to make accurate judgments about one's level of risk in the face of such complexity, and that is not the users' fault. Chromium OS is working to figure out the right signals to send to the users, so that Chromium OS can keep them informed, ask fewer questions, require them to make decisions only about things they comprehend, and be sure that Chromium OS fail-safe if they don't understand a choice and just want to click and make it go away.

12 OS Hardening Process sandboxing Mandatory access control implementation that limits resource, process, and kernel interactions Control group device filtering and resource abuse constraint Chrooting and process namespacing for reducing resource and cross-process attack surfaces Media device interposition to reduce direct kernel interface access from Chromium browser and plugin processes Toolchain hardening to limit exploit reliability and success NX, ASLR, stack cookies, etc Kernel hardening and configuration paring Additional file system restrictions Read-only root partition tmpfs-based /tmp User home directories that can't have executables, privileged executables, or device nodes

13 Secure Auto Update Attacks against the auto update process are likely to be executed by a dedicated adversary subvert networking infrastructure to inject a fake autoupdate with malicious code inside it Countermeasures Signed updates are downloaded over SSL Version numbers of updates can't go backwards The integrity of each update is verified on subsequent boot, using our Verified Boot process, described below

14 Chromium Autoupdate Boot Process

15 Chromium OS Fast Boot