Google Chrome (Chromium) OS Security First Look

Google recently released the source code to Chromium OS, the community version of what will eventually be released as Chrome OS.  Compiled virtual machines are available from gdgt and over bittorrent.

Several resources are available from Google to learn more about the current and future of security in Chromium/Chrome OS.  These include a security overview page, and security video.

It is important to note that this "new" OS is really a new Linux distribution that uses Ubuntu 9.10 "Karmic Koala" as it's upstream release.  It appears that Canonical, the company behind Ubuntu Linux, may be partnered with Google to produce Chrome OS.

Below I've included a beginning look at security in the new Google Chromium OS.

Getting Root

This is not really hacking root as this is a development build with the source available.  Rather, gaining root is a useful tool to poke around using the available pre-built virtual machines.

1. Log into Chromium OS using your Google Account.  If you are using a build from a third-party, I'd suggest using a throw-away account just in case.  Alternatively, you can use the built in user chronos - no password required.
2. Press Ctrl+Alt+T to bring up a terminal window
3. Use sudo -s to get a root shell using the password 'chronos'

Under the Hood

As mentioned previously, Chromium OS is based on a minimal install of Ubuntu 9.10.  There is an additional Pluggable Authentication Module (PAM) for authenticating users to their Google Account.  It also appears to include Maximus, an application that automatically maximize application windows.

Once a user has logged in, their shell launches a "kiosk" mode full screen Chromium browser instance.  On the surface, this appears to be a pretty standard Chromium browser (currently version 4.0.253.0 build 325|16), with multiple tab start pages.  Interestingly, Adobe Flash player is also installed, and it currently the latest version (10.0.32.18).

It is obvious that most of the planned security precautions have not yet been implemented in Chromium OS.  For example, the Chromium browser is not installed chroot, and can see the entire root filesystem (within filesystem permission limits).  You can browse the filesystem typing file:/// into the URL address bar.

Future Plans

Google appears to be taking security seriously with Chrome OS.  While only a few protections are in place on the current build, they have detailed a full set of considerations and use cases to protect systems running Chrome OS.  These include:

• Verified Boot - Using custom firmware, verify that the bootloader and subsequent components have not been tampered
• OS hardening - including read-only root partition, noexec user mount, minimization of root's discretionary filesystem access, and many more
• Sandboxing - Google is developing a C++ library and userspace binary called minijail that applies a number of protective mechanisms to a process.
• Encrypted user home directories
• Secure updates - OS updates will be signed and cannot go backward (a nice touch!)
• Kernel and userspace application toolchain hardening

There are many more facets of security discussed in Google's Chromium documentation.

Conclusions

In my opinion it is still too early to pass any judgment on Chrome OS based on what is available in the first builds of Chromium.  That said, this is obviously an exciting area for many people, and I expect a lot of discussion going forward.

Personally, I believe the use of Ubuntu's distribution provides an illustration as to the power of Linux as a foundation that companies can use to build upon.  Writing an OS from scratch is a daunting proposition, but repurposing an open source OS is much more feasible.

Also, it is important to remember that many of the tools and techniques for securing the future Chrome OS are available to Linux users today.  Personally, I plan to continue to look at the information available on Chrome/Chromium to see where good ideas for Linux security surface that can be reused generally.