Saturday, December 4, 2010

Chrome's Flash sandbox

On Dec 1, 2010, Google developers Justin Schuh and Carlos Pizano announced the release of the first iteration of the security sandbox for the Adobe Flash plugin in Google Chrome (for Windows). It's currently on the dev-channel of Chrome, which is an unstable build targeted at users who like to browse on the edge.

How the security sandbox works

One of the basic concepts that the operating system provides is that of a process. A process has its own piece of memory, and is a concept quite familiar even to end users. On Windows, hitting Ctrl-Alt-Delete lists (some of) the running processes of the system at any time, and lets you "kill" a process that you think is misbehaving. Bugs and crashes in one process do not (usually) affect other processes.

Chrome uses multiple process: One for the browser (networking, cache, cookies, bookmarks, sync, among others), one per website renderer (HTML, JS, CSS parsing, javascript execution, actual rendering of the page in the screen), and one per plug-in such as Java and Flash.

Multiple processes in Chrome. 1 for the browser, 1 for Flash, and 1 per tab.

The immediate impact is that a crash or a slowdown in the renderer does not slow down the other renderers, or the main browser. In addition, one can use this to enhance a browser's security by asking the operating systems to restrict a process' access to the machine's resources.

For example, the tab renderer processes are not allowed to read or write to the disk or network of the computer. They may only talk to the browser process to request resources (images, html etc).

Traditionally, browser plugins were not restricted to what they can access on a computer. In fact, the reason plugins were adopted is because they provide access to resources the browser does not typically provide, such as video rendering or access to the webcam or raw network access.  So, most plugins need to access the filesystem and the network, which makes them a security concern. Many plugins come with many security vulnerabilities, and taking over a plugin that has unrestricted access to the disk and network means one can easily force it to download and store malware on the machine.

This is exactly what the plugin sandbox tries to stop. I'm looking forward to the release of the Flash sandbox in the stable version, in all operating systems, and in other browsers such as Firefox.

Update: Google released a nice video that explains the sandbox as well as the importance of updating the plugins: