[cap-talk] Google Chrome Interview

Collin Jackson cap-talk at collinjackson.com
Sun Apr 19 10:32:44 EDT 2009


File upload is described in a little more detail in our 2008 technical
report: <http://crypto.stanford.edu/websec/chromium/>

"Users can upload files to web sites using the file upload control. When
the user clicks the form control, the browser displays a file picker
dialog that lets the user select a file to upload. If the browser
kernel did not restrict which files the rendering engine could upload,
an attacker who compromised the rendering engine could read an
arbitrary file on the user’s file system by uploading the file to
attacker.com. Instead of confirming each file upload with a dialog box,
Chromium uses a design similar to the DarpaBrowser’s “powerbox”
pattern [27], treating the user’s selection of a file with a file picker
dialog as an authorization to upload the file to an arbitrary web site.
The browser kernel is responsible for displaying the file picker dialog
and records which files the user has authorized for which instances of
the rendering engine. Similarly, dragging and dropping a file onto the
browser’s content area grants the active rendering engine the
permission to upload that file. These authorizations last for the
lifetime of the rendering engine, which is often shorter than the
lifetime of the entire browser because new instances of the rendering
engine are created as the user opens and closes tabs."

On Sun, Apr 19, 2009 at 4:00 AM, Toby Murray
<toby.murray at comlab.ox.ac.uk> wrote:
> There's an interesting interview with some of the guys familiar with the
> Google Chrome security architecture at:
> http://www.tomshardware.com/reviews/google-chrome-security,2271.html
>
> In it, they make specific reference to capability-security ideas that
> were borrowed in the Chrome sandbox design.
>
> Quoting from that interview:
>
>> To secure file uploads, we borrowed a trick from the capability
>> literature. The browser kernel displays the file picker dialog and
>> keeps track of which files the user has picked. Later, when the
>> rendering engine asks to upload a file, the browser kernel checks to
>> make sure the user actually picked that file for upload. Without this
>> check, a compromised rendering engine would be able to read arbitrary
>> files by uploading them to attacker.com.
>
>
>
> _______________________________________________
> cap-talk mailing list
> cap-talk at mail.eros-os.org
> http://www.eros-os.org/mailman/listinfo/cap-talk
>
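The design quoted above, as an added illustration that is not Chromium source code and not part of either message: the browser kernel owns the file picker, records which files the user chose for which rendering-engine instance, and checks every upload request against that record, with grants that die when the renderer does. The class and function names (`BrowserKernel`, `UploadDenied`, `demo`) and the file paths and site names are constructed for the example.

```python
"""Model of the "powerbox"-style file-upload check described in the quoted
Chromium technical report. Added illustration, not Chromium's own code; the
names here are hypothetical and the paths/sites are constructed sample values."""

from __future__ import annotations

import posixpath
from dataclasses import dataclass, field


class UploadDenied(PermissionError):
    """Raised when a renderer asks to upload a file the user never picked."""


def _canonical(path: str) -> str:
    """Normalize so '/home/u/../u/x' and '/home/u/x' compare equal. Absolute
    paths only; this model never touches the filesystem, so symlinks are
    not resolved here (a real browser kernel would have to)."""
    if not path.startswith("/"):
        raise ValueError(f"expected an absolute path, got {path!r}")
    return posixpath.normpath(path)


@dataclass
class BrowserKernel:
    # renderer instance id -> canonical paths the user authorized for it
    _grants: dict[int, set[str]] = field(default_factory=dict)
    _next_renderer: int = 1

    def spawn_renderer(self) -> int:
        """A new rendering-engine instance (a new tab) starts with no grants."""
        rid = self._next_renderer
        self._next_renderer += 1
        self._grants[rid] = set()
        return rid

    def show_file_picker(self, rid: int, user_choice: str | None) -> None:
        """The kernel draws the picker; the user's selection is the grant.
        Cancelling the dialog (None) grants nothing."""
        self._require_live(rid)
        if user_choice is not None:
            self._grants[rid].add(_canonical(user_choice))

    def drop_file(self, rid: int, path: str) -> None:
        """Drag-and-drop onto the content area is the same kind of user act."""
        self._require_live(rid)
        self._grants[rid].add(_canonical(path))

    def upload(self, rid: int, path: str, destination: str) -> str:
        """Form submission from the renderer: only a path the user picked for
        *this* renderer instance may be read and sent anywhere."""
        self._require_live(rid)
        if _canonical(path) not in self._grants[rid]:
            raise UploadDenied(f"renderer {rid} was never handed {path!r}")
        return f"sent {_canonical(path)} to {destination}"

    def close_renderer(self, rid: int) -> None:
        """Grants live exactly as long as the renderer instance does."""
        self._grants.pop(rid, None)

    def _require_live(self, rid: int) -> None:
        if rid not in self._grants:
            raise KeyError(f"no live renderer {rid}")


def demo() -> dict[str, bool]:
    """Exercise the model; each entry is True when the kernel behaved as the
    report describes."""
    kernel = BrowserKernel()
    tab, other_tab = kernel.spawn_renderer(), kernel.spawn_renderer()
    results: dict[str, bool] = {}

    # 1. The user picks a file in the kernel-owned dialog; that tab may upload it.
    kernel.show_file_picker(tab, "/home/user/photos/cat.jpg")
    results["picked_file_uploads"] = kernel.upload(
        tab, "/home/user/photos/../photos/cat.jpg", "photos.example"
    ).endswith("photos.example")

    # 2. A compromised renderer asks for a file the user never chose: denied.
    try:
        kernel.upload(tab, "/home/user/.ssh/id_rsa", "attacker.example")
        results["unpicked_file_denied"] = False
    except UploadDenied:
        results["unpicked_file_denied"] = True

    # 3. Grants are per renderer instance, so another tab cannot reuse them.
    try:
        kernel.upload(other_tab, "/home/user/photos/cat.jpg", "attacker.example")
        results["other_renderer_denied"] = False
    except UploadDenied:
        results["other_renderer_denied"] = True

    # 4. Closing the tab ends the grant; a fresh renderer starts from nothing.
    kernel.close_renderer(tab)
    try:
        kernel.upload(kernel.spawn_renderer(), "/home/user/photos/cat.jpg", "x")
        results["grant_dies_with_renderer"] = False
    except UploadDenied:
        results["grant_dies_with_renderer"] = True
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```

The point of keeping the grant table in the kernel rather than the renderer is that the renderer is the untrusted side: it never sees a file handle it was not handed, so a compromised renderer has nothing to forge. The canonicalization step matters in practice too, since a check on raw strings would let the same file be referenced under a different spelling; a real kernel also has to resolve symlinks and hold the file open under the user's identity rather than re-opening by name later.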

