Chrome Throws Flash Into the Sandbox
wiredmikey writes "Google announced today that it will be extending Chrome's sandboxing technology to include the Flash Player plug-in. 'Sandboxing' technology is a method of isolating an application from the rest of the operating system and tightly controlling its resources. According to Google, the new sandboxing feature adds an additional layer of protection and will help protect users against malicious pages that attempt to hijack systems or steal information from the system."
Re: (Score:1)
that Flash was "as good as dead"?
Re: (Score:2)
Flash, ChromeOS, COBOL....
This is Slashdot - where unless it's tomorrow, it's yesterday.
Re: (Score:2)
that Chrome was "as good as dead"?
That was ChromeBSD.
Does Netcraft confirm this?
Flex apps? (Score:1)
I've been developing a flex app for the Blackberry Playbook that's coming out in February; the ability to port it to the chrome store without much extra work would be handy.
Re: (Score:2)
Maybe you can explain this to me: what's the Chrome store other than a bunch of bookmarks?
Re: (Score:3, Interesting)
For instance, there's a plugin that allows interface to the system's ping, ping6, traceroute, traceroute6, whois, and a couple of other net-centric functions. It includes some friendly interfacing, and it's smart enough to grab the current tab's URL as the target when invoked.
If the 'plugin' functionality could invoke a flash app, that would work well for more complex programs, and would be h
Re: (Score:2)
It's a curated, annotated list of bookmarks (for installable hosted web apps) and download links (for packaged apps [google.com]).
Plus, of course, it has functions associated with purchase for non-free apps, and some other features beyond just being a list.
Apple has the ultimate Flash sandbox (Score:5, Funny)
Re: (Score:2)
Apple has the ultimate Flash sandbox. You have to run it on a completely different machine.
Why?
Re: (Score:2)
Because he is comparing Chrome, a browser that runs on PCs, to iOS devices.
I'm not sure why.
No, he's comparing running Flash on any other platform vs not running Flash at all on iOS.
But I suspect you knew that and were just trolling.
Re: (Score:2)
That wasn't the confusing bit. It was the random reference to iOS that threw me. He could have mentioned his Casio watch and it'd have been just as funny.
Re: (Score:2)
If you are comparing the functionality of an iPad to a watch then that is funny in and of itself.
Re: (Score:2)
It's a sensationalized problem. Funny is trying to hypocritically justify it.
Re: (Score:2)
The problem is sensationalised. True. But for many people it seemed like a big deal, until YouTube fixed it. It may even be a good thing for HTML5 and Intel Atom systems.
LOL (Score:3)
Re: (Score:2)
This is most likely in response to their poor score in the NSS Labs report. Maybe their score will improve from 3%?
Er, no. That report evaluated performance against "socially engineered malware" only. In short, it tested how well the browser handled protecting the user from being careless or gullible.
Chrome's sandboxing is intended to limit the damage if an attack is encountered, not to keep the attack from happening by warning you that a given site hosts malware.
Re: (Score:2)
The day they announced the Chrome browser they said they would work with Adobe toward this goal.
Re: (Score:2)
...we called this a "virtual machine".
You don't need a full VM though with a Modern OS. You can run a plug-in as a child process with almost no access privileges and then it has to request minimal (and hopefully secure) access APIs from the host/parent process. This way the plug-in can't directly access file IO without going through an extra layer where it can be scrubbed and gated. Also, since it's running in a different process, it cannot directly access any of the memory through pointers in the host/parent process.
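The broker model described in the comment above, as an added example that is not part of the original thread and is not Chrome's code: a forked child gives up its ability to open files and must ask the parent, which only serves paths on an allowlist. It assumes a POSIX system; the function names, file names and the use of `RLIMIT_NOFILE` as a stand-in for a real OS sandbox are all hypothetical choices made for this sketch.

```python
import os, resource, socket, tempfile

def broker_serve(sock, allowed):
    """Parent/broker: serve read requests, but only for allowlisted paths."""
    while True:
        request = sock.recv(4096)
        if not request:                      # child exited, channel closed
            return
        path = os.path.realpath(request.decode())
        if path in allowed:
            with open(path, "rb") as f:
                sock.sendall(b"OK " + f.read(1024))
        else:
            sock.sendall(b"DENIED")

def plugin_main(sock, report_fd, allowed_path, secret_path):
    """Child/plug-in: give up the ability to open files, then try three accesses."""
    # Assumption: RLIMIT_NOFILE=0 stands in for a real OS sandbox; open fds still work.
    resource.setrlimit(resource.RLIMIT_NOFILE, (0, 0))
    try:
        open(secret_path).close()
        results = ["direct:opened"]
    except OSError:
        results = ["direct:blocked"]
    for path in (allowed_path, secret_path):  # same files, via the broker
        sock.sendall(path.encode())
        results.append(sock.recv(4096).decode())
    os.write(report_fd, "|".join(results).encode())

def run_demo():
    """Constructed demo: two temp files, only one on the broker's allowlist."""
    with tempfile.TemporaryDirectory() as d:
        allowed, secret = os.path.join(d, "allowed.txt"), os.path.join(d, "secret.txt")
        for path, text in ((allowed, "public"), (secret, "private")):
            with open(path, "w") as f:
                f.write(text)
        broker_sock, plugin_sock = socket.socketpair()
        report_r, report_w = os.pipe()
        pid = os.fork()
        if pid == 0:                         # child: becomes the plug-in
            broker_sock.close()
            try:
                plugin_main(plugin_sock, report_w, allowed, secret)
            finally:
                os._exit(0)
        plugin_sock.close(); os.close(report_w)
        broker_serve(broker_sock, {os.path.realpath(allowed)})
        report = os.read(report_r, 4096).decode()
        os.waitpid(pid, 0); broker_sock.close(); os.close(report_r)
        return report.split("|")
```

Calling `run_demo()` returns the child's three outcomes in order: the direct open, the brokered read of the allowlisted file, and the brokered read of the other file.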
Re: (Score:3)
Unfortunately, Linux in this respect is not a "Modern OS". The ability to sandbox user applications is extremely poorly developed. I have been looking at portable sandboxing lately, and it is a horrible nightmare. The Chrome developers created some fancy hacks for each OS, and they have pulled it off quite nicely, but they remain hacks, not elegant designs. The platform with the best current sandboxing API is, ironically, Windows Vista/7, with their configurable integrity levels. An API dubbed "Seatbelt" is
Re: (Score:2)
The Android operating system is a Linux-based OS that runs Java virtual machines, every application in a separate machine with their own database.
You have to manually allow interaction between programs... it is quite stable.
Re: (Score:2)
The platform with the best current sandboxing API is, ironically, Windows Vista/7, with their configurable integrity levels.
They do say that necessity is the mother of invention.
Re: (Score:2)
As opposed to the Unix world where a process can be associated with a user and a group and have fine-grained permissions based on the user and group, and then even more so with AppArmor, SE Linux, etc?
Re: (Score:1)
NT supports that and more [tinypic.com]. It's just that when you stray from the realm of filesystem and registry object ACLs, it becomes horribly nonintuitive, and things like process-based IPC security are up to the application to enforce (which, except for the 0.01% of programs such as Chrome, they never do enforce).
Though I vastly prefer the SELinux/AppArmor approach of using agglomerate text files for defining rules... but that might be because I'm a part-time programmer.
Re: (Score:2)
What is needed is some simple tool for configuring an SELinux profile based on an application's behavior. A very complicated tool exists but that is not so helpful.
This might be very good, or very bad (Score:2)
Obvious financial motivations there... (Score:1)
Google earns money through advertising and wants to serve Flash banners (As doubleclick, which is already owned by Google, does). All new security holes in Flash cause more people to block or at least hate it. By sandboxing Flash in Chrome, Google both encourages people to use its browser and lowers the motivation to block all flash content. A great decision for Google and it happens to benefit the users, too.
(As a freelancer who prefers Chrome as his browser, works mostly in internet advertising and occasi
Re: (Score:2)
Let's do this.
By announced "today", you mean December 1st? (Score:5, Informative)
In case you missed it, the Chromium Blog talked about this in their December 1st blog entry [chromium.org].
Not really important to me (Score:5, Interesting)
Pretty much every exploit now begins by "the user visits a website". After that, pretty much any technology can be the hole it exploits - Java, Flash, PDF viewing, even JPEG rendering has been exploited. There's an abundance of targets. The modern browser is just too big a platform to secure completely. So, I don't trust any browser more modern than Lynx.
Re:Not really important to me (Score:4, Informative)
Re: (Score:2)
Even Lynx is too 'modern'. Check this exploit: http://www.vupen.com/english/advisories/2010/2042 [vupen.com]
This is exactly why I manually telnet to each website's port and issue GET requests directly
Re: (Score:2)
dude! For online banking, use ssh.
Re: (Score:2)
So, are you saying your sandbox code (which is probably not bug free) could be the source of some fruitful exploits?
Re: (Score:2)
not only does the "hacker" have to find an exploit in the browser, but in the sandbox as well, making it exponentially more difficult.
Huh, I'm pretty sure you don't know what exponential means, but you actually by mistake managed to use it in a way that makes a little sense, even if it takes a little creativity to see it. If the probability of being able to find a hole in a given layer is p, and there are n layers to get through (not just 2), and the probabilities are independent, the chance of finding a hole in all of them is p^n. Absurd assumptions, but it still amuses that someone used "exponentially" in a way that almost made sense in
Re: (Score:2)
Worscht... link... ever!!!
Dupe (Score:2)
Original Slashdot story [slashdot.org] from December 3rd.
Re:Dupe (Score:5, Informative)
Flash cookies (Score:2)
Re: (Score:2)
There isn't anything wrong with the concept of persistent local storage, the problem is multiple persistent local storage areas that a user has to jump through hoops to clear. HTML5, Cookies, and Flash Cookies all have this issue.
Re: (Score:2)
I could see this breaking sites that actually use those cookies for something meaningful across invocations. I'm surprised that Adobe didn't just go down Java's route and use the browser's built-in cookie management system for taking care of their own cookie needs.
Re: (Score:2)
I could see this breaking sites that actually use those cookies for something meaningful across invocations. I'm surprised that Adobe didn't just go down Java's route and use the browser's built-in cookie management system for taking care of their own cookie needs.
Those are easy to manage. Flash cookies, not as easy.
Well, not unless you understand how to create a RAMdrive and are familiar with MKLINK (in Windows).
I like my RAMdrive, so many things live there, albeit shortly.
Re: (Score:2)
Flash cookies, not as easy.
Well, not unless you understand how to create a RAMdrive and are familiar with MKLINK (in Windows).
They’re just stored in your application data folder. Firefox has addons that will automatically delete Flash cookies (e.g. BetterPrivacy). Does Chrome? And even if Chrome doesn’t, it’d be easy enough to make a script that would do it on startup or shutdown.
Re: (Score:2)
Too much trouble.
I just point to a folder on the ramdrive and not only does flash get a little faster (very little), but there are no open files on the HDD.
All my browser temp files live there, that way when I'm browsing the laptop shuts down the HDD.
Re: (Score:2)
Less trouble to install an extension than set up a RAMdrive, I think. Either way, it’s done and you can forget about it.
Re: (Score:2)
Less trouble to install an extension than set up a RAMdrive, I think. Either way, it’s done and you can forget about it.
Good point. It's my ramdrve.sys background, they were necessary way back when, so I tend to find a use for them now.
Re: (Score:1)
The naysayers will say to upgrade hardware or get a new system or drop in a second drive but for
Re: (Score:2)
I know exactly what you mean. I’ve debugged slow WinXP machines for people where it turned out they were “slow” because they only had 256MB of RAM. Good grief, people, drop the $40 or $20 it takes to get a gig or a half a gig of RAM (and tell them no, I don’t want to pay $60 for you to unscrew the panel on the case and pop it in for me), your computer will run just fine...
Re: (Score:2)
"i've made has been to add ram and move swap to ram"
Wow, please just turn off swapping altogether and save yourself the trouble. You're just robbing from RAM the very resource that you need, RAM! The entire point for swapping is to save on RAM, and the very act of ram driving is taking away more of that precious resource. Just turn your swap off and kill the RAMDrive. I assure you that unless windows is on some serious drugs, your performance should improve.
It didn’t already? (Score:2)
Heck, I think Firefox did it already... I think Flash must have released an unstable version recently. I’ve had Firefox lock up on me a couple of times. Killing the “plugin container” process in Task Manager immediately made Firefox start responding again and display an info bar on pages that had been using Flash saying that a plugin had crashed (gee, wonder why?) and suggesting that I reload the page.
Re: (Score:2)
Firefox is running the flash player in a separate process. That process is not sandboxed.
If an exploit in flash is discovered, and you visit a page with malicious flash content, the flash player process can do anything that the user running firefox can do.
Yeah, I wasn’t thinking about that subtlety. However, that’s still a form of sandboxing; it’s sandboxed away from the rest of the browser, though not sandboxed from the OS.
Re: (Score:2)
Chrome separated the plugin as a separate process, which Firefox then copied. But merely having the plugin as a separate process does not mean the plugin is sandboxed. Flash still has access to install spyware on your computer. By placing the plugin in a sandbox, Flash doesn't have the right to hose your box.
Re: (Score:2)
Processes should already be running under limited user access, so I was thinking more in terms of stability than security. But you’re right.
A simpler and safer approach (Score:2)
Re: (Score:2)
Or, don't install it if you can live without it.
The overwhelming majority of stuff that I do online doesn't need flash -- I see it in ads more than I do anything useful, and that gets blocked by noscript before it can discover that I don't even have Flash installed.
When I do need flash, I go into a fairly closed down VM image and run it -- and that's pretty rare, like twice/month tops. While I'm sure there are sites that people use that require it, I've always a
Can I Has Flash Player? (Score:1)
Litter box, sandbox; both are full of sand and "Tootsie Rolls".
Does this make it respect Incognito? (Score:2)
If you browse in incognito mode does it then make all flash storage non-persistent? Because this is how the evercookie works across incognito.
Not safe enough (Score:1)
I run my sandbox in a sandbox. That ought to be safe enough!
Java did it (Score:1)
Re: (Score:1)
flash players written in Java.
That is just nasty. We'd need quantum computers to be able to run that!
Re: (Score:2)
It couldn’t use hardware acceleration before. It can now. They’re releasing a new version that does.
I think you mean, Flash used to suck... and it wasn’t really entirely its fault.
Correlation (Score:2)
Re: (Score:2)
Maybe kitty will come along soon and bury it.
Step Forward... (Score:1)
Sandboxing 'protection' (Score:2)
It will not be fully closed. (Score:1)
The tracking cookies will not be blocked and thus there will be a way to "escape" the sandbox. Google is an advertisement company you know.
Disclaimer: I am a Google user. I am simply aware of their revenue stream.