[cap-talk] Google Chrome - web browser with sandboxed rendering
David-Sarah Hopwood
david.hopwood at industrial-designers.co.uk
Wed Sep 3 22:39:10 CDT 2008
David-Sarah Hopwood wrote:
> It seems as though sandboxed processes must share a user account for
> efficiency reasons, though, since creating a user account for each
> browser tab [2] clearly isn't practical. If so, then this imposes some
> limits to how far sandboxed processes can be isolated from each other.
> (I am happy to see, however, that each process is run on a different
> Windows "Desktop".
Actually it is only one additional Desktop shared between sandboxed
processes. Since the sandboxed processes do not have any visible UI
(although they can still receive window messages), that may be defensible;
I'll have to think about it.
(I hadn't realized that each Desktop requires at least 4 MB. Ouch.)
> That is the kind of design detail that gives me some
> confidence that the developers have thought about potential attacks
> and basically know what they are doing. It is not clear whether they
> are also run in different "Job"s.)
Yes, they are run in different Jobs:
<http://dev.chromium.org/developers/design-documents/sandbox>.
Someone has been paying attention.
A significant remaining weakness seems to be the inability to restrict
access to FAT[32] volumes (note that USB keys are often FAT32, even if
there are no FAT[32]-formatted hard disks in the system). That's arguably
a Windows bug, although Microsoft probably don't think of it as such.
--
David-Sarah Hopwood
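The FAT weakness mentioned above has a simple practical check. What follows is an added example, not part of the original post and not Chromium's code: a PowerShell script that asks each mounted volume whether it preserves and enforces ACLs, using the FILE_PERSISTENT_ACLS flag returned by the real Win32 GetVolumeInformationW API rather than matching on the file-system name. A restricted token (the mechanism the Chromium sandbox relies on for file access) can only be denied access by a DACL, so any volume reporting no persistent ACLs is one the sandbox cannot fence off this way. The class name VolInfo and the function Get-VolumeAclSupport are my own; the script assumes Windows PowerShell with Add-Type available.

```powershell
# Added example (not from the original post or from Chromium): report which
# mounted volumes cannot enforce ACLs, so a restricted-token sandbox cannot be
# denied access to them by DACL. Uses the FILE_PERSISTENT_ACLS flag returned by
# GetVolumeInformationW rather than matching on the file-system name.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
using System.Text;
public static class VolInfo {   // hypothetical wrapper class name
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern bool GetVolumeInformation(
        string rootPathName,
        StringBuilder volumeNameBuffer, int volumeNameSize,
        out uint volumeSerialNumber,
        out uint maximumComponentLength,
        out uint fileSystemFlags,
        StringBuilder fileSystemNameBuffer, int fileSystemNameSize);
}
"@

$FILE_PERSISTENT_ACLS = 0x00000008   # winnt.h: file system preserves and enforces ACLs

function Get-VolumeAclSupport {      # hypothetical function name
    foreach ($drive in [System.IO.DriveInfo]::GetDrives()) {
        if (-not $drive.IsReady) { continue }          # skip empty card readers etc.
        $volName = New-Object System.Text.StringBuilder 261
        $fsName  = New-Object System.Text.StringBuilder 261
        $serial = 0; $maxLen = 0; $flags = 0
        $ok = [VolInfo]::GetVolumeInformation($drive.Name, $volName, $volName.Capacity,
                                              [ref]$serial, [ref]$maxLen, [ref]$flags,
                                              $fsName, $fsName.Capacity)
        if (-not $ok) {
            $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
            Write-Warning "$($drive.Name): GetVolumeInformation failed (Win32 error $err)"
            continue
        }
        [pscustomobject]@{
            Root        = $drive.Name
            DriveType   = $drive.DriveType          # Removable, Fixed, Network, ...
            FileSystem  = $fsName.ToString()        # e.g. NTFS, FAT32, exFAT
            EnforcesAcl = [bool]($flags -band $FILE_PERSISTENT_ACLS)
        }
    }
}

$volumes = Get-VolumeAclSupport
$volumes | Format-Table -AutoSize

# Any volume here is reachable by a restricted token regardless of DACLs;
# the sandbox would need a different mechanism (e.g. interception or policy
# in the broker) to keep a compromised renderer away from it.
$unrestricted = $volumes | Where-Object { -not $_.EnforcesAcl }
if ($unrestricted) {
    Write-Warning ("Volumes without persistent ACLs (a restricted token cannot be " +
                   "denied access to these by DACL): " + (($unrestricted.Root) -join ', '))
}
```

Run it with a USB key inserted to see the removable FAT32 volume listed with EnforcesAcl = False next to the NTFS system volume; the flag check is the same one Explorer uses to decide whether to show a Security tab, so it reflects what the kernel will actually enforce rather than what the volume label claims.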