Getting The Most Out Of Sandboxing

Privilege separation and reduction ("sandboxing") has significantly improved software security, and in many applications is a baseline requirement for safe design. (In fact, there are still many applications that can and should adopt sandboxing.)

Although necessary, sandboxing is not sufficient by itself. The designs and implementations of real-world operating systems put a ceiling on the effectiveness and applicability of sandboxing. From years of experience shipping Chromium, we have learned that (1) Chromium is at or near the limit of how much safety it can practically provide with privilege separation and reduction; and (2) we still need to provide greater resilience.

Therefore, we must find and develop additional security mechanisms. Our primary approach is now working toward increased memory safety. Where sandboxing limits the value attackers gain from exploiting vulnerabilities, memory-safe(r) code can eliminate vulnerabilities altogether or make it infeasible to use them in an exploit chain.

This talk is about lessons learned in the real world. I'll discuss the nature and particulars of the OS limitations we face, what security gap they leave us with, and what we are doing to make Chromium's large codebase less memory-unsafe. I'll highlight some lessons we've learned that security engineers working on other projects can hopefully make use of.


Chris Palmer

Software Security Engineer on Chrome @Google
I work at Google as a software security engineer on Chrome, where I work on hardening Chrome's underpinnings and securing the web platform runtime. (I was previously on the Secure UX sub-team, and before that I did Web PKI... things.) I used to be on the Android team at Google....

Wednesday May 19 / 11:10AM EDT (40 minutes)

Track: Modern CS in the Real World. Topics: Applied Computer Science.