crosh_builtin: change handle to a random string

Currently the pid of the crosh process itself is used as a unique
handle internally (in the proxy_map_ for keeping track of active
processes) and in the terminalPrivate JS APIs (as the handle to
communicate with the lower layers).

In reality, the exact nature of this handle is irrelevant -- we
just need a way for a particular JS instance to easily identify
which OS crosh process it wants to communicate with.

In practice, the handle is a monotonically increasing 16-bit signed
integer which other JS code can easily brute force.  By itself, it's
not exactly a problem as only Secure Shell is given access to this
API, and that code is maintained by the Chrome OS team.  But if you
couple it with a larger exploit chain, it might be useful.  Or not.
Lets switch to a random ~137bit handle and stop worrying about the

Bug: 352465
Test: running existing crosh JS with this new code still works
Change-Id: I7fd3fb0cc5ac07accc88cbaaaaa4b1186752e4d3
Commit-Queue: Mike Frysinger <>
Reviewed-by: Toni Baržić <>
Cr-Commit-Position: refs/heads/master@{#633994}
9 files changed