google chrome sandbox
Google Chrome Security
d0c_s4vage
Sandbox
- user-mode sandbox
- has at least two parts: a privileged controller, or broker, and one or more sandboxed processes (targets)
broker
- The broker is always the browser process
- responsibilities:
  - specify the policy for each process
  - spawn target processes
  - host the sandbox policy engine service
  - host the sandbox interception manager
  - host the sandbox IPC service
  - perform policy-allowed actions on behalf of the target
Broker
broker
- The IPC service is used to “forward certain windows API calls from the target to the broker”
- Calls are evaluated against the policy
- If all is good, calls are then executed by the broker, and results are returned over the same IPC
- The interception manager patches the Windows API calls in the target that are meant to be forwarded over the IPC to the broker
target
- Renderers are always target processes
target
- interceptions == hooks: how Windows API calls are forwarded to the broker via IPC
- broker chooses to run the calls or fail them
- **NOTE**: “The interception + IPC mechanism does not provide security; it is designed to provide compatibility when code inside the sandbox cannot be modified to cope with sandbox restrictions.”
Sandbox Security
- restricted token
- windows job object
- windows desktop object
- integrity levels (Vista only [and Windows 7?])
Sandbox Security – token
- The renderer runs with this token:
  - Regular Groups
    - Logon SID: mandatory
    - All other SIDs: deny only, mandatory
  - Restricted Groups
    - S-1-0-0: mandatory
  - Privileges: None
- Nearly all resources the renderer uses were acquired by the broker/browser and duplicated into the renderer process
Sandbox Security – token
- Mounted FAT or FAT32 volumes: “The security descriptor on them is effectively null. Malware running in the target can read and write to these volumes as long as it can guess or deduce their paths.”
- TCP/IP: “The security of TCP/IP sockets in Windows 2000 and Windows XP (but not in Vista) is effectively null. It might be possible for malicious code in the target to send and receive network packets to any host.”
Sandbox Security – Job object
- Forbid using SystemParametersInfo()
- Forbid the creation or switch of Desktops
- Forbid changes to the per-user display configuration
- No read or write to the clipboard
- Forbid Windows message broadcasts
- Forbid using SetWindowsHookEx()
- Forbid access to the global atoms table
- Forbid access to USER handles created outside the Job object
- One active process limit (disallows creating child processes)
Sandbox Security - desktop
- processes with the same token and same job object are effectively in the same security context
- BUT, programs that have windows in the same desktop are also in the same security context
- WHY? Sending + receiving windows messages in the same desktop is not subject to security checks
Sandbox - desktop
- Default windows XP has 2 desktops: logon screen and regular desktop
- Sandbox creates another desktop for all of the target processes, so they can't snoop on what the user is doing elsewhere
Chrome Sandbox
Other Attack Surfaces
- All network-related IO functions run on a separate thread in the main browser process (no sandbox)
- recent DoS PoC via malformed FTP responses on exploit-db (http://www.exploit-db.com/exploits/12011)
- Issue where the IO thread got hosed and crashed the entire browser: http://code.google.com/p/chromium/issues/detail?id=42267
Debugging Google Chrome
Startup Options
- --no-sandbox
- --single-process
- --wait-for-debugger-children
- --wait-for-debugger
- --js-flags="--trace-exception --heap-stats"
- --js-flags="--h"
- --safe-plugins
Chrome has its own symbol server: http://build.chromium.org/buildbot/symsrv
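A defender-side check that ties the startup switches above to the token and job-object properties from the Sandbox Security slides, added here as an example and not part of the deck; it assumes a Windows host where the shell may open Chrome's processes (same user or elevated):

```powershell
# Added example, not from the deck: for every running chrome.exe, report its role (--type=),
# whether a sandbox-disabling startup switch from the list above is present, and whether the
# process actually carries two of the sandbox properties described earlier: a job object and
# a restricted token. Assumes the caller may open Chrome's processes (same user or elevated).
Add-Type -Namespace ChromeSandbox -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool IsProcessInJob(IntPtr hProcess, IntPtr hJob, out bool result);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool OpenProcessToken(IntPtr hProcess, uint access, out IntPtr hToken);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool IsTokenRestricted(IntPtr hToken);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr h);
'@

$TOKEN_QUERY = 0x0008
# Switches from the startup-options slide that turn the sandbox off entirely.
$disablingSwitches = @('--no-sandbox', '--single-process')

function Get-ChromeSandboxState {
    Get-CimInstance Win32_Process -Filter "Name = 'chrome.exe'" | ForEach-Object {
        $cmd  = [string]$_.CommandLine
        $role = if ($cmd -match '--type=(\S+)') { $Matches[1] } else { 'browser' }
        $inJob = $false; $restricted = $false; $note = ''
        try {
            # Process.Handle opens the target process on our behalf; throws if access is denied.
            $h = (Get-Process -Id $_.ProcessId -ErrorAction Stop).Handle
            $r = $false
            if ([ChromeSandbox.Native]::IsProcessInJob($h, [IntPtr]::Zero, [ref]$r)) { $inJob = $r }
            $tok = [IntPtr]::Zero
            if ([ChromeSandbox.Native]::OpenProcessToken($h, $TOKEN_QUERY, [ref]$tok)) {
                # TRUE only when the token carries restricting SIDs (the S-1-0-0 group on the slide).
                $restricted = [ChromeSandbox.Native]::IsTokenRestricted($tok)
                [void][ChromeSandbox.Native]::CloseHandle($tok)
            }
        } catch { $note = $_.Exception.Message }
        $disabled = @($disablingSwitches | Where-Object { $cmd -like "* $_*" }).Count -gt 0
        [pscustomobject]@{
            Pid = $_.ProcessId; Role = $role; SandboxDisabled = $disabled
            InJob = $inJob; RestrictedToken = $restricted; Note = $note
        }
    }
}

# The browser process is the broker and legitimately shows False for both properties; any other
# role without a restricted token, or started with a disabling switch, is worth a closer look.
Get-ChromeSandboxState |
    Where-Object { $_.Role -ne 'browser' -and (-not $_.RestrictedToken -or $_.SandboxDisabled) } |
    Format-Table -AutoSize
```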
Google Chrome Security Issues
- Chromium Security Bugs (not always latest): http://www.chromium.org/Home/chromium-security/chromium-security-bugs
- Severity ratings: http://sites.google.com/a/chromium.org/dev/developers/severity-guidelines
- Security Issues by Rating
  - Critical: http://www.google.com/search?q=SecSeverity-Critical+inurl:chromium+inurl:issues+site:code.google.com
  - High: http://www.google.com/search?q=SecSeverity-High+inurl:chromium+inurl:issues+site:code.google.com
  - Medium: http://www.google.com/search?q=SecSeverity-Medium+inurl:chromium+inurl:issues+site:code.google.com
  - Low: http://www.google.com/search?q=SecSeverity-Low+inurl:chromium+inurl:issues+site:code.google.com
Ideas
- Under Windows, there is no practical way to prevent code in the sandbox from calling a system service
- Since use of Windows TCP/IP sockets (XP) isn't restricted, download exe, guess USB path (F:\, G:\, H:\, etc. on Windows), save to USB, create autorun.inf on USB
- Find vulnerabilities in valid messages the renderer can pass to the broker (check out this issue: http://code.google.com/p/chromium/issues/detail?id=29828)
Ideas
- Insert hooks into UI events and snoop on whatever the user does in the same tab, even on different sites?
- Could upload/download files to/from USB
- Could be used as a pivot point (or a proxy) to be able to gain access into a network, since TCP/IP security “is effectively null”
References
- Google Chrome Sandbox: http://www.chromium.org/developers/design-documents/sandbox
- Windows Tokens: http://msdn.microsoft.com/en-us/library/aa374909(VS.85).aspx
- What is a Token: http://alt.pluralsight.com/wiki/default.aspx/Keith.GuideBook/WhatIsAToken.htm
- Windows Jobs: http://www.microsoft.com/msj/0399/jobkernelobj/jobkernelobj.aspx