[cap-talk] Google Chrome, petnames, etc.
Scott Parish
sRp at srparish.net
Tue Sep 2 20:35:15 CDT 2008
On Tue, Sep 02, 2008 at 05:01:59PM -0700, Jed Donnelley wrote:
> > > 4. The discussion of plugins (also starting on page 29 at the bottom)
> > > suggests that dealing with them (running them securely) is an
> > > unsolved problem. The comic says that with some help from plugin
> > > makers they can reduce the trust that plugins need. Might this be
> > > an opportunity for POLA?
> >
> >Obviously many plugins can make extensive use of the native OS interface.
>
> and as obviously if plugins do make use of the native OS interface
> then they run as a user and have access to user (including ambient)
> authority. The opportunity for POLA seems to be in reducing that
> trust as the comic suggests. This begs the question of what technology
> Google (Chrome developers) will apply with the help of plugin
> developers to reduce trust.
I haven't read the security pdf yet, but this paragraph seemed to shed
some light:

    In addition to restricting the renderer's access to the filesystem
    and network, we can also place limitations on its access to the
    user's display and related objects. We run each render process on a
    separate Windows "Desktop" which is not visible to the user. This
    prevents a compromised renderer from opening new windows or
    capturing keystrokes.
http://dev.chromium.org/developers/design-documents/multi-process-architecture#Sand_boxing_the_renderer
sRp
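The quoted Chromium paragraph describes running each renderer on a separate, hidden Windows "Desktop". The following is an added example (not code from the cap-talk post or from the Chromium sandbox) of that technique in PowerShell on Windows: it creates a new desktop object in the interactive window station with CreateDesktop, starts a child process on it by setting STARTUPINFO.lpDesktop before CreateProcess, and then tears both down. The desktop name "cap_talk_renderer_demo" and the choice of notepad.exe as the child are arbitrary assumptions for this demo; the HiddenDesktop wrapper class is defined here and is not a Windows or Chromium API.

```powershell
# Added example, not part of the original post or of Chromium.
# P/Invoke wrapper (assumed helper class, defined only for this demo).
$code = @'
using System;
using System.Runtime.InteropServices;

public static class HiddenDesktop
{
    public const uint GENERIC_ALL = 0x10000000;

    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct STARTUPINFO
    {
        public int cb;
        public string lpReserved;
        public string lpDesktop;   // "<window station>\<desktop>" the child runs on
        public string lpTitle;
        public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
        public short wShowWindow, cbReserved2;
        public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
    }

    [StructLayout(LayoutKind.Sequential)]
    public struct PROCESS_INFORMATION
    {
        public IntPtr hProcess, hThread;
        public int dwProcessId, dwThreadId;
    }

    [DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern IntPtr CreateDesktop(string lpszDesktop, IntPtr lpszDevice, IntPtr pDevmode,
        uint dwFlags, uint dwDesiredAccess, IntPtr lpsa);

    [DllImport("user32.dll", SetLastError = true)]
    public static extern bool CloseDesktop(IntPtr hDesktop);

    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool CreateProcess(string lpApplicationName, string lpCommandLine,
        IntPtr lpProcessAttributes, IntPtr lpThreadAttributes, bool bInheritHandles,
        uint dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory,
        ref STARTUPINFO lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);
}
'@
Add-Type -TypeDefinition $code

# 1. Create a desktop the user never switches to. dwFlags = 0 keeps the default
#    (no DF_ALLOWOTHERACCOUNTHOOK), so processes elsewhere cannot hook into it.
$desktopName = "cap_talk_renderer_demo"   # arbitrary name chosen for this example
$hDesktop = [HiddenDesktop]::CreateDesktop($desktopName, [IntPtr]::Zero, [IntPtr]::Zero,
    0, [HiddenDesktop]::GENERIC_ALL, [IntPtr]::Zero)
if ($hDesktop -eq [IntPtr]::Zero) {
    throw "CreateDesktop failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
}

# 2. Start the child with lpDesktop pointing at the hidden desktop. All of its
#    windows, keyboard input and clipboard then belong to that desktop, not to
#    the user's "WinSta0\Default".
$si = New-Object HiddenDesktop+STARTUPINFO
$si.cb = [Runtime.InteropServices.Marshal]::SizeOf($si)
$si.lpDesktop = "WinSta0\$desktopName"
$pi = New-Object HiddenDesktop+PROCESS_INFORMATION

$ok = [HiddenDesktop]::CreateProcess($null, "notepad.exe", [IntPtr]::Zero, [IntPtr]::Zero,
    $false, 0, [IntPtr]::Zero, $null, [ref]$si, [ref]$pi)
if (-not $ok) {
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    [HiddenDesktop]::CloseDesktop($hDesktop) | Out-Null
    throw "CreateProcess failed: $err"
}
Write-Host "Started PID $($pi.dwProcessId) on hidden desktop '$desktopName'."
Start-Sleep -Seconds 3

# 3. Tear down. Desktop objects are reference counted: the desktop goes away
#    once no process runs on it and no handle to it remains.
Stop-Process -Id $pi.dwProcessId -Force
[HiddenDesktop]::CloseHandle($pi.hThread)  | Out-Null
[HiddenDesktop]::CloseHandle($pi.hProcess) | Out-Null
[HiddenDesktop]::CloseDesktop($hDesktop)   | Out-Null
```

While the script sleeps, no Notepad window appears on the user's desktop, and its window does not show up in a window enumeration made from the user's desktop, because window enumeration and message delivery are scoped to the desktop of the calling thread. Two caveats a practitioner should keep in mind (general Win32 facts, not claims about the page): the hidden desktop only becomes a boundary if the child also lacks the rights to OpenDesktop("Default") and SwitchDesktop, which in practice means running it under a restricted token, as Chromium's sandbox does in combination with the separate desktop; and creating a desktop consumes a share of the session's desktop heap, so the number of per-process desktops is bounded.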