Unix Google Security Technology

New Sandbox Framework For Chromium Released

Trailrunner7 writes "As applications have become more and more complex in recent years and Web browsers have evolved into operating systems unto themselves, the task of securing desktop environments has become increasingly difficult. And while there's been quite a bit of innovation on Windows security, advances in Unix security have been less common of late. But now, a group of researchers from Google and the University of Cambridge in England have developed a new sandboxing framework called Capsicum, designed specifically to provide better security capabilities on Unix and Unix-derived systems (PDF). Capsicum is the work of four researchers at Cambridge and the framework extends the POSIX API and introduces a number of new Unix primitives that are meant to isolate applications and users and handle rights delegation in a better way. The research, done by Robert N.M. Watson, Ben Laurie, Kris Kennaway and Jonathan Anderson, was supported by Google, and the researchers have added some of the new Capsicum features to a version of Google's Chromium browser in order to demonstrate the functionality."
  • Kind of misleading. (Score:1, Interesting)

    by stanlyb ( 1839382 ) on Friday August 13, 2010 @04:12PM (#33245166)
    It looks like a user-space extension which you have to use if you want your application to be sandboxed. But what about the malicious applications which don't want to be sandboxed???
  • Re:Chromium Browser? (Score:3, Interesting)

    by xMilkmanDanx ( 866344 ) on Friday August 13, 2010 @04:13PM (#33245196) Homepage
    The browser. TFA states somewhat incoherently that it isolates JavaScript execution, and if Google is using JavaScript in their OS, they're not Google.
  • Re:for fuck's sake (Score:3, Interesting)

    by Ungrounded Lightning ( 62228 ) on Friday August 13, 2010 @05:10PM (#33245904) Journal

    "Web browsers have evolved into operating systems"

    No, they haven't, calm down.

    I think he means that they have become application environments, giving access to all the fundamental services of the underlying operating systems, through their own API and security models, with their own set of bugs.

  • by fluffy99 ( 870997 ) on Friday August 13, 2010 @05:25PM (#33246104)

    Web browsers have evolved into operating systems unto themselves

    Really? I am unaware of a (common) browser that is able to do much more than work with data...

    Let's try to leave the analogies used to educate Luddites out of summaries intended for people who *KNOW* the difference between an OS and an application.

    There are certainly many companies out there that want your OS to be nothing more than a web browser. That way they can sell software as a service, for things like Google Gmail, Google Calendar, Google Docs, etc. Microsoft is slowly moving in that direction as well. It's much more profitable to sell based on usage or per month, rather than selling you a perpetual license. Many businesses are moving towards the desktop being little more than a terminal with the applications actually running on a centrally managed Terminal/Application/Web server.

  • by Anonymous Coward on Friday August 13, 2010 @05:59PM (#33246496)

    Which is... umm... pretty much exactly what Windows Vista, Windows 7, and Windows Server 2008 can do.

    How? I've never got anything else except the choice to run an application or not run an application. Which is a choice I've usually already made before I run it.

  • by Anonymous Coward on Friday August 13, 2010 @07:43PM (#33247292)

    These are major and invasive changes to POSIX

    No, they're not. They are additions to the current security model.

    An OS that has this functionality looks and acts exactly like a POSIX OS. It's up to the application program to call the appropriate APIs as necessary to properly sandbox things (and some parts of each app will potentially be sandboxed differently than other parts).

    One of the researchers involved is Robert Watson, who has been heavily involved in FreeBSD for many, many years. Knowing that he's doing this reassures me that this is well thought out and designed.

    It's better to work with the system than to just arbitrarily decide Unix is wrong and rewrite it.

    You're right, which is why this project didn't rewrite Unix--they added some APIs and libraries to the ones already there.

    Adding ten lines of code to tcpdump, and having it not be exploitable anymore? Adding only 100 lines of code to a web browser, and not having to worry about zero-days from now on? Hardly foolishness.
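As an added illustration of the sandboxing pattern the comment above describes (this is example code written for this page, not Capsicum's, Chromium's or tcpdump's own code): the program opens the file it needs while it still has ambient authority, limits that descriptor to read-only rights, and then enters capability mode with cap_enter(). From that point on, opening a path by name fails with ECAPMODE and the program can only use descriptors it already holds, which is what makes a compromised parser unable to reach the rest of the filesystem. The file path, the sample contents and the helper names are constructed for the example; the Capsicum calls are compiled only on FreeBSD, and on other platforms the function reports that no sandbox was entered.

```c
/* Added example, not code from the Slashdot thread or the Capsicum project.
 * Demonstrates the Capsicum pattern: acquire resources first, limit their
 * rights, then drop ambient authority with cap_enter(). The Capsicum calls
 * are real FreeBSD APIs (<sys/capsicum.h>); on other platforms they are
 * compiled out and the result reports that no sandbox was entered. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#ifdef __FreeBSD__
#include <sys/capsicum.h>
#endif

/* Outcome of one sandboxed run, so each step can be checked by a caller. */
struct sandbox_result {
    int entered_capmode;     /* 1 if cap_enter() succeeded */
    int ambient_open_errno;  /* errno from open() after cap_enter (ECAPMODE on FreeBSD) */
    long bytes_read;         /* bytes read through the pre-opened descriptor */
};

/* Restrict fd to read/fstat and enter capability mode.
 * Returns 0 on success, -1 when Capsicum is unavailable or a call fails. */
static int enter_sandbox(int fd)
{
#ifdef __FreeBSD__
    cap_rights_t rights;
    cap_rights_init(&rights, CAP_READ, CAP_FSTAT);
    if (cap_rights_limit(fd, &rights) == -1 && errno != ENOSYS)
        return -1;
    return cap_enter();
#else
    (void)fd;
    errno = ENOSYS;          /* hypothetical: no Capsicum on this platform */
    return -1;
#endif
}

/* Read a file the Capsicum way: open by name first, sandbox, then use only the fd. */
struct sandbox_result sandboxed_read(const char *path)
{
    struct sandbox_result r = {0, 0, -1};
    char buf[256];
    ssize_t n;
    long total = 0;

    int fd = open(path, O_RDONLY);   /* ambient authority is still available here */
    if (fd == -1)
        return r;

    if (enter_sandbox(fd) == 0)
        r.entered_capmode = 1;

    /* After cap_enter() global namespaces are gone: on FreeBSD this open()
     * fails with ECAPMODE even though the same path worked a moment ago. */
    int probe = open(path, O_RDONLY);
    if (probe == -1)
        r.ambient_open_errno = errno;
    else
        close(probe);

    /* The descriptor acquired before sandboxing keeps working, read-only. */
    while ((n = read(fd, buf, sizeof buf)) > 0)
        total += n;
    r.bytes_read = total;
    close(fd);
    return r;
}

/* Write a small constructed input file and return its path (constructed sample). */
const char *make_sample_file(void)
{
    static const char *path = "/tmp/capsicum_sample.txt";
    FILE *f = fopen(path, "w");
    if (!f)
        return NULL;
    fputs("tcpdump: listening on em0\n", f);   /* constructed text, 26 bytes */
    fclose(f);
    return path;
}

int main(void)
{
    const char *path = make_sample_file();
    if (!path)
        return 1;
    struct sandbox_result r = sandboxed_read(path);
    printf("capability mode: %s, bytes read: %ld, post-sandbox open(): %s\n",
           r.entered_capmode ? "entered" : "unavailable", r.bytes_read,
           r.ambient_open_errno ? strerror(r.ambient_open_errno) : "succeeded");
    return 0;
}
```

The ordering is the whole point: everything the compartment will ever need (files, sockets, a directory descriptor for openat()) is obtained before cap_enter(), so the code that parses untrusted input afterwards has nothing to reach for by name. On FreeBSD the probe open() reports ECAPMODE; on a platform without Capsicum the function still reads the file but records that no sandbox was entered, so a caller can refuse to proceed rather than silently run unsandboxed.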

  • Re:Chromium Browser? (Score:3, Interesting)

    by SanityInAnarchy ( 655584 ) <ninja@slaphack.com> on Saturday August 14, 2010 @01:26AM (#33249060) Journal

    Microsoft's evil tends to revolve around vendor lock-in and unfairly stomping on their competitors. Google's evil revolves around Big Brother type information gathering.

    Microsoft's evil also involves outright lies, and the concept of "FUD" was pretty much invented, I suspect, to describe Microsoft.

    Google, by contrast... "Big Brother"? Have you read 1984? Google likes to gather information, yes -- and like Facebook and everyone else, they only gather information from people who willingly donate said information, or from information already in public spaces.

    Unlike Facebook and everyone else, they have a track record of, in the very worst example I'm aware of (wireless snooping), gathering more information than people think they should -- by accident. By contrast, Facebook employees have been known to casually browse people's private information, and otherwise abuse user data.

    What are you proposing? To do a binary diff between the compiled open source version and Google version? Followed by disassembling and analyzing the diff, probably without debugging symbols?

    Actually, I was proposing to wait and see, or to observe the behavior of the browser itself, and then disassemble and otherwise reverse engineer the parts that look suspicious.

    Firefox seems to manage.

    By having, say, youtube.com/html5 not work at all. Yeah -- they "manage" by not supporting, either directly or through any sort of extension framework, the most popular video site on the planet. Surprisingly, Safari seems to be the only browser taking a sane approach -- they delegate to QuickTime, which is essentially the OS X media framework, and support any codecs they find, so there's nothing stopping users from installing theora codecs if they like.

    Of course, one of the results of this is that YouTube has further incentive to continue to use Flash, because Flash works in Firefox, but HTML5 with h.264 doesn't. Which do you think is the lesser of two evils?

    Perhaps Google could help by using non-patented formats on YouTube.

    There are several problems with this.

    First, most video is, unfortunately, shot in h.264. Since I don't particularly care about obeying software patents covering codecs and file formats, I prefer to keep media in as close to the target format as I can, and only re-encode when I have to. You can do that with YouTube -- you can upload the video that your camera encoded to h.264 (in hardware!) and it's quite possible YouTube won't re-encode it for the high quality version.

    So, this not only applies to their entire library that they'd have to re-encode, it also applies to pretty much all new video.

    Second, only Theora might be open. Google does have WebM, and they have (hopefully) released it, but it's too close to h.264, and still manages to be inferior in many ways. You just get worse quality for the same amount of bandwidth, and that likely means millions of dollars of bandwidth for YouTube to maintain the same quality.

    I'm not saying I have a solution to this, and I certainly don't like it. But refusing to play is not a solution.

    Besides, I'd prefer people actually be informed of the patent bullshit they're paying for, in one way or another.

    I'd prefer people be informed, but "This doesn't work, let's go back to IE and Flash" isn't the way to inform people. Realistically, it seems like this goes only a few ways:

    • HTML5 Video never takes off, partly because of Firefox.
    • HTML5 Video is a hit, but Firefox users can't view it. Users switch to other browsers.
    • HTML5 Video is a hit, and someone forks Firefox.

    Sadly, Safari has had the way out the entire time -- delegate this stuff to the OS. Windows has DirectShow, OS X has QuickTime, Linux has GStreamer. Use those, and you get both licensing and hardware acceleration for free.

    In fact, I've
