Introduction

This is a list of current and planned Chrome OS security features. Each feature is listed together with its rationale and status. This should serve as a checklist and status update on Chrome OS security.

Details

General Linux features

| Feature | Status | Rationale | Tests | Bug | More thoughts or work needed? |
|:-|:-|:-|:-|:-|:-|
| No Open Ports | implemented | Reduce attack surface of listening services. | security_NetworkListeners | | Runtime test has to whitelist test-system-only "noise" like sshd. See Issue 22412 (on Google Code) and ensure_* for offsetting tests ensuring these aren't on Release builds. |
| Password Hashing | When there is no TPM, scrypt is used. | Frustrate brute force attempts at recovering passwords. | | | |
| SYN cookies | needs functional test | In the unlikely event of a SYN flood, act sanely. | kernel_ConfigVerify | | |
| Filesystem Capabilities | runtime use only | Allow root privilege segmentation. | security_Minijail0 | | |
| Firewall | needs functional test | Block unexpected network listeners to frustrate remote access. | | Issue 23089 (on Google Code) | |
| PR_SET_SECCOMP | needs functional test | Available for extremely restricted sandboxing. | kernel_ConfigVerify | Issue 23090 (on Google Code) | |
| AppArmor | not used | | | | |
| SELinux | not used | | | | |
| SMACK | not used | | | | |
| Encrypted LVM | not used | | | | |
| eCryptFS | implemented | Keep per-user data private. | login_Cryptohome* | | |
| glibc Stack Protector | needs functional test | Block string-buffer-on-stack overflow attacks from rewriting the saved IP. | | Issue 23101 (on Google Code) | -fstack-protector-strong is used for almost all packages |
| glibc Heap Protector | needs functional test | Block heap unlink/double-free/etc. corruption attacks. | | Issue 23101 (on Google Code) | |
| glibc Pointer Obfuscation | needs functional test | Frustrate heap corruption attacks using saved libc function pointers. | | Issue 23101 (on Google Code) | Includes FILE pointer mangling |
| Stack ASLR | needs functional test | Frustrate stack memory attacks that need known locations. | | | |
| Libs/mmap ASLR | needs functional test | Frustrate return-to-library and ROP attacks. | | | |
| Exec ASLR | needs functional test | Needs PIE; used to frustrate ROP attacks. | | | |
| brk ASLR | needs functional test | Frustrate brk-memory attacks that need known locations. | kernel_ConfigVerify | | |
| VDSO ASLR | needs functional test | Frustrate return-to-VDSO attacks. | kernel_ConfigVerify | | |
| Built PIE | needs functional test | Take advantage of exec ASLR. | platform_ToolchainOptions | | |
| Built FORTIFY_SOURCE | needs functional test | Catch overflows and other detectable security problems. | | | |
| Built RELRO | needs functional test | Reduce available locations to gain execution control. | platform_ToolchainOptions | | |
| Built BIND_NOW | needs functional test | With RELRO, really reduce available locations. | platform_ToolchainOptions | | |
| Non-exec memory | needs functional test | Block execution of malicious data regions. | kernel_ConfigVerify | | |
| /proc/PID/maps protection | needs functional test | Block access to ASLR locations of other processes. | | | |
| Symlink restrictions | implemented | Block /tmp race attacks. | security_SymlinkRestrictions.py | Issue 22137 (on Google Code) | |
| Hardlink restrictions | implemented | Block hardlink attacks. | security_HardlinkRestrictions.py | Issue 22137 (on Google Code) | |
| ptrace scoping | implemented | Block access to in-process credentials. | security_ptraceRestrictions.py | Issue 22137 (on Google Code) | |
| 0-address protection | needs functional test | Block kernel NULL-deref attacks. | kernel_ConfigVerify | | |
| /dev/mem protection | needs functional test | Block kernel rootkits and privacy loss. | kernel_ConfigVerify | Issue 21553 (on Google Code) | crash_reporter uses ramoops via /dev/mem |
| /dev/kmem protection | needs functional test | Block kernel rootkits and privacy loss. | kernel_ConfigVerify | | |
| disable kernel module loading | how about module signing instead? | Block kernel rootkits and privacy loss. | | | |
| read-only kernel data sections | needs functional test | Block malicious manipulation of kernel data structures. | kernel_ConfigVerify | | |
| kernel stack protector | needs functional test | Catch character buffer overflow attacks. | kernel_ConfigVerify | | |
| kernel module RO/NX | needs functional test | Block malicious manipulation of kernel data structures. | kernel_ConfigVerify | | |
| kernel address display restriction | needs config and functional test | Frustrate kernel exploits that need memory locations. | | | Was disabled by default in 3.x kernels. |
| disable debug interfaces for non-root users | needs config and functional test | Frustrate kernel exploits that depend on debugfs. | | Issue 23758 (on Google Code) | |
| disable ACPI custom_method | needs config and functional test | Frustrate kernel exploits that depend on root access to physical memory. | | Issue 23759 (on Google Code) | |
| unreadable kernel files | needs config and functional test | Frustrate automated kernel exploits that depend on access to various kernel resources. | | Issue 23761 (on Google Code) | |
| blacklist rare network modules | needs functional test | Reduce attack surface of available kernel interfaces. | | | |
| syscall filtering | needs functional test | Reduce attack surface of available kernel interfaces. | | Issue 23150 (on Google Code) | |
| vsyscall ASLR | medium priority | Reduce ROP target surface. | | | |
| Limited use of suid binaries | implemented | Potentially dangerous, so minimize use. | security_SuidBinaries | | |
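Many rows above are marked "needs functional test". The following is an added example of what such a runtime check looks like; it is not Chrome OS test code (the page's own tests are kernel_ConfigVerify and the security_* autotests). It reads the sysctls behind several rows (ASLR, ptrace scoping, symlink/hardlink restrictions, 0-address protection, SYN cookies, kernel address display restriction, module loading) and implements the "No Open Ports" check by parsing /proc/net/tcp against a whitelist of test-image noise such as sshd. The expected sysctl values, the whitelist and the /proc/net/tcp sample are this example's assumptions, not values taken from the project.

```python
"""Runtime checks for several of the 'General Linux features' listed above.

Added example, not Chrome OS test code. The expected sysctl values below
are this example's assumptions about a hardened configuration.
"""
import os
from typing import Dict, FrozenSet, List

# sysctl (relative to /proc/sys) -> minimum acceptable value. Assumed for
# this example; each entry corresponds to a row of the table above.
EXPECTED_MIN = {
    "kernel/randomize_va_space": 2,   # stack, mmap, exec (with PIE) and brk ASLR
    "kernel/yama/ptrace_scope": 1,    # ptrace scoping
    "fs/protected_symlinks": 1,       # symlink restrictions
    "fs/protected_hardlinks": 1,      # hardlink restrictions
    "vm/mmap_min_addr": 4096,         # 0-address (NULL-deref) protection
    "net/ipv4/tcp_syncookies": 1,     # SYN cookies
    "kernel/kptr_restrict": 1,        # kernel address display restriction
    "kernel/modules_disabled": 1,     # disable kernel module loading (assumed mechanism)
}

# Listening TCP ports tolerated on a test image (the "noise" the table
# mentions, e.g. sshd on 22). Assumed whitelist for this example.
TEST_IMAGE_WHITELIST: FrozenSet[int] = frozenset({22})


def read_sysctls(root: str = "/proc/sys") -> Dict[str, int]:
    """Read every sysctl in EXPECTED_MIN; entries that do not exist are omitted."""
    readings: Dict[str, int] = {}
    for key in EXPECTED_MIN:
        try:
            with open(os.path.join(root, key)) as f:
                readings[key] = int(f.read().split()[0])
        except (OSError, ValueError, IndexError):
            pass  # sysctl absent (e.g. no Yama) or unparsable: reported by audit_sysctls
    return readings


def audit_sysctls(readings: Dict[str, int]) -> List[str]:
    """One finding per sysctl that is absent or below its assumed minimum."""
    findings = []
    for key, minimum in EXPECTED_MIN.items():
        if key not in readings:
            findings.append(f"{key}: not present")
        elif readings[key] < minimum:
            findings.append(f"{key}={readings[key]} (want >= {minimum})")
    return findings


def listening_ports(proc_net_tcp: str) -> List[int]:
    """Ports in LISTEN state from the text of /proc/net/tcp (or tcp6).

    Column 'st' is the socket state; 0A is TCP_LISTEN. local_address is
    hex 'ip:port', so the port is the hex suffix after the last ':'.
    """
    ports = set()
    for line in proc_net_tcp.splitlines()[1:]:   # skip the header line
        fields = line.split()
        if len(fields) >= 4 and fields[3] == "0A":
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return sorted(ports)


def unexpected_listeners(proc_net_tcp: str,
                         whitelist: FrozenSet[int] = TEST_IMAGE_WHITELIST) -> List[int]:
    """Listening ports not covered by the whitelist: the 'No Open Ports' check."""
    return [p for p in listening_ports(proc_net_tcp) if p not in whitelist]


# Constructed /proc/net/tcp excerpt: sshd listening on 22 (0x0016), a stray
# listener on 8080 (0x1F90), and one established (state 01) connection.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:1F90 0100007F:C350 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    for finding in audit_sysctls(read_sysctls()):
        print("sysctl:", finding)
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):
        try:
            with open(path) as f:
                for port in unexpected_listeners(f.read()):
                    print(f"unexpected listener in {path}: TCP port {port}")
        except OSError:
            pass
```

Run as a script it reports against the live kernel; the pure functions take the file contents as text so the same logic can be exercised offline on a captured /proc/net/tcp. A release-image variant would use an empty whitelist, which is the "ensure_*" split the table describes.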

Chrome OS specific features

  • We use minijail (minijail0) for sandboxing: it drops to a non-root uid/gid, enters namespaces, restricts capabilities and installs seccomp filters, which are the Sandbox columns of the table below.
  • Current sandboxing status:

| Service/daemon | Overall status | Usage | Comments | Exposure: network traffic | Exposure: user input | Exposure: DBus | Exposure: hardware (udev) | Exposure: FS (config files, etc.) | Runs as | Privileges needed? | Sandbox: uid | Sandbox: gid | Sandbox: namespaces | Sandbox: caps | Sandbox: seccomp_filters |
|:-|:-|:-|:-|:-|:-|:-|:-|:-|:-|:-|:-|:-|:-|:-|:-|
| udevd | Low pri | Listens to udev events via netlink socket | | No | No | No | Yes | No | root | Probably | No | No | No | No | No |
| session-manager | P2 | | Launched from /sbin/session_manager_setup.sh | No | No | Yes | No | No | root | Probably | No | No | No | No | No |
| rsyslogd | Low pri | Logging | | No | No | No | No | Yes | root | Probably | No | | No | No | No |
| dbus-daemon | Low pri | IPC | Listens on Unix domain socket | Unix domain socket | | Yes | | | messagebus | Yes | Yes | Yes | No | No | No |
| powerm | P2 | Suspend to RAM and system shutdown. Handles input events for hall effect sensor (lid) and power button. | | No | No | Yes | Yes | Yes | root | Probably | No | No | No | No | No |
| wpa_supplicant | Low pri | WPA auth | | Yes | Via flimflam | Yes | No | Yes, exposes management API through FS | wpa | Yes | Yes | Yes | No | Yes | No |
| shill | P0 | Connection manager | | Yes | Yes | Yes | Yes | Yes | root | Probably | No | No | No | No | No |
| X | P1 | | | No (-nolisten tcp) | Yes | No | GPU | Yes | root | x86: no, ARM: yes | No | No | No | No | No |
| htpdate | Low pri | Setting date and time | | Yes | No | No | No | No | ntp | Yes | Yes | Yes | No | No | No |
| cashewd | Low pri | Network usage tracking | | No | No | Yes | No | No | cashew | Yes | Yes | Yes | No | No | No |
| chapsd | Low pri | PKCS#11 implementation | | No | No | Yes | No | No | chaps | Yes | Yes | Yes | No | No | No |
| cryptohomed | P1 | Encrypted user storage | | No | Yes | Yes | No | No | root | Probably | No | No | No | No | No |
| powerd | Low pri | Idle or video activity detection. Dimming the backlight or turning off the screen, adjusting backlight intensity. Monitors plug state (on AC or on battery) and battery state of charge. | | No | Yes | Yes | Yes | Yes | powerd | Probably | Yes | No | No | No | No |
| modem-manager | P1 | Manages 3G modems | | Indirectly | Yes | Yes | Yes | No | root | Probably not | No | No | No | No | No |
| gavd | P2 | Audio/video events and routing | | No | Yes | Yes | Yes | No | gavd | Yes | Yes | Yes | No | No | No |
| dhcpcd | Low pri | DHCP client | | Yes | Indirectly | No | No | No | dhcp | Yes | Yes | Yes | No | Yes | No |
| metrics_daemon | P2 | Metrics collection and uploading | | Yes, but shouldn't listen | No | Yes | No | No | root | Probably not | No | No | No | No | No |
| cros-disks/disks | P1 | Removable media handling | | No | Yes | Yes | Yes | No | root | Launches minijail | No | No | No | No | No |
| avfsd | Low pri | Compressed file handling | Launched from cros-disks, uses minijail | Not in Chrome OS | Yes | No | No | Yes | avfs | Yes | Yes | | No | Yes | Yes |
| update_engine | P0 | System updates | | Yes | No | Yes | No | No | root | Probably | No | No | No | No | No |
| cromo | Low pri | Supports Gobi 3G modems | | Indirectly | Yes | Yes | Yes | Probably | cromo | Yes | Yes | Yes | No | No | No |
| bluetoothd | Low pri | | | Yes | Yes | Yes | Yes | Yes | bluetooth | Yes | Yes | Yes | No | Yes | No |
| unclutter | Low pri | Hides cursor while typing | | | Yes | | | | chronos | Yes | Yes (via sudo) | No | No | No | No |
| cras | P2 | Audio server | | No | Yes | Yes | Yes | No | cras | Yes | Yes | Yes | No | No | No |
| tcsd | P2 | Portal to the TPM device driver | | No | Yes | Yes | Yes | Yes | tss | Yes | Yes | Yes | No | No | No |
| keyboard_touchpad_helper | P1 | Disables touchpad when typing | | | Yes | | | | root | Probably not | No | No | No | No | No |
| logger | Low pri | Redirects stderr for several daemons to syslog | | Indirectly | Indirectly | No | No | No | syslog | Yes | Yes | Yes | No | No | No |
| login | P2 | Helps organize Upstart events | | No | Indirectly | Yes | No | Yes | root | Probably | No | No | No | No | No |
| wimax-manager | P1 | | Includes third-party library | Yes | Indirectly | Yes | Yes | Yes | root | Probably not | No | No | No | No | No |
| mtpd | P2 | Manages MTP devices | Includes third-party library | No | Yes | Yes | Yes | No | mtp | Yes | Yes | Yes | No | Not needed | Yes |

Enforced by security_SandboxedServices
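The Sandbox columns of the table (Runs as, uid, gid, Namespaces, Caps, seccomp_filters) can all be read back from the running system. The following is an added example of how such a check derives them for one process; it is not the security_SandboxedServices autotest itself. It parses /proc/PID/status (Uid, Gid, CapEff, NoNewPrivs, Seccomp, as documented in proc(5)) and compares /proc/PID/ns/* with init's namespace links. The sample status text, the daemon name and uid in it, and the column rendering are constructed for this example.

```python
"""Sandbox state of one process, in the vocabulary of the table above.

Added example; not the security_SandboxedServices autotest itself.
"""
import os
from dataclasses import dataclass
from typing import Dict

NS_TYPES = ("mnt", "pid", "net", "ipc", "uts", "user")


@dataclass
class SandboxState:
    uid: int                      # real uid
    gid: int                      # real gid
    cap_eff: int                  # effective capability bitmask
    no_new_privs: int             # 1 if PR_SET_NO_NEW_PRIVS is set
    seccomp_mode: int             # 0 disabled, 1 strict, 2 filter (proc(5))
    namespaces: Dict[str, bool]   # ns type -> True if not shared with init


def parse_status(text: str) -> Dict[str, str]:
    """Split the text of /proc/<pid>/status into a key -> value map."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def state_from_status(fields: Dict[str, str], namespaces: Dict[str, bool]) -> SandboxState:
    """Build SandboxState from parsed fields (Uid/Gid list real, effective, saved, fs ids)."""
    return SandboxState(
        uid=int(fields["Uid"].split()[0]),
        gid=int(fields["Gid"].split()[0]),
        cap_eff=int(fields["CapEff"], 16),
        no_new_privs=int(fields.get("NoNewPrivs", "0")),
        seccomp_mode=int(fields.get("Seccomp", "0")),
        namespaces=namespaces,
    )


def unshared_namespaces(pid: int, reference_pid: int = 1) -> Dict[str, bool]:
    """For each namespace type, True when pid is not in reference_pid's namespace."""
    result = {}
    for ns in NS_TYPES:
        try:
            result[ns] = (os.readlink(f"/proc/{pid}/ns/{ns}")
                          != os.readlink(f"/proc/{reference_pid}/ns/{ns}"))
        except OSError:      # no permission, or ns type unsupported by this kernel
            result[ns] = False
    return result


def inspect_process(pid: int) -> SandboxState:
    with open(f"/proc/{pid}/status") as f:
        fields = parse_status(f.read())
    return state_from_status(fields, unshared_namespaces(pid))


def table_row(state: SandboxState) -> Dict[str, str]:
    """Render the state as the Sandbox columns of the table above.

    CapEff is reported raw because what counts as the 'full' set depends on
    the kernel version; an empty set is the only unambiguous answer.
    """
    unshared = [ns for ns, differs in state.namespaces.items() if differs]
    return {
        "Runs as": "root" if state.uid == 0 else f"uid {state.uid}",
        "uid": "No" if state.uid == 0 else "Yes",        # dropped to a non-root uid?
        "gid": "No" if state.gid == 0 else "Yes",        # dropped to a non-root gid?
        "Namespaces": ("Yes (" + ",".join(unshared) + ")") if unshared else "No",
        "CapEff": "None" if state.cap_eff == 0 else f"0x{state.cap_eff:x}",
        "seccomp_filters": "Yes" if state.seccomp_mode == 2 else "No",
    }


# Constructed /proc/<pid>/status excerpt: non-root uid/gid, NoNewPrivs set,
# seccomp in filter mode, CapEff 0x3000 = CAP_NET_ADMIN (12) | CAP_NET_RAW (13).
SAMPLE_STATUS = """\
Name:\texample_daemon
State:\tS (sleeping)
Tgid:\t1234
Pid:\t1234
PPid:\t1
Uid:\t200\t200\t200\t200
Gid:\t200\t200\t200\t200
CapInh:\t0000000000000000
CapPrm:\t0000000000003000
CapEff:\t0000000000003000
CapBnd:\t0000000000003000
NoNewPrivs:\t1
Seccomp:\t2
"""

if __name__ == "__main__":
    import sys
    pid = int(sys.argv[1]) if len(sys.argv) > 1 else os.getpid()
    for column, value in table_row(inspect_process(pid)).items():
        print(f"{column}: {value}")
```

Comparing the ns links against pid 1 needs enough privilege to read /proc/1/ns/*; without it every namespace reads as shared, which errs on the side of reporting a daemon as less sandboxed than it is, the safer failure for a test that enforces the table.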
