Introduction

This is a list of current and planned Chrome OS security features. Each feature is listed together with its rationale and status. This should serve as a checklist and status update on Chrome OS security.

Details

General Linux features

Feature | Status | Rationale | Tests | Bug | More thoughts or work needed?
No Open Ports | implemented | Reduce attack surface of listening services. | security_NetworkListeners | | Runtime test has to whitelist test-system-only "noise" like sshd. See Issue 22412 (on Google Code) and ensure_* for offsetting tests ensuring these aren't on Release builds.
Password Hashing | When there is no TPM, scrypt is used. | Frustrate brute force attempts at recovering passwords. | | |
SYN cookies | needs functional test | In the unlikely event of a SYN flood, act sanely. | kernel_ConfigVerify | |
Filesystem Capabilities | runtime use only | Allow root privilege segmentation. | security_Minijail0 | |
Firewall | needs functional test | Block unexpected network listeners to frustrate remote access. | | Issue 23089 (on Google Code) |
PR_SET_SECCOMP | needs functional test | Available for extremely restricted sandboxing. | kernel_ConfigVerify | Issue 23090 (on Google Code) |
AppArmor | not used | | | |
SELinux | not used | | | |
SMACK | not used | | | |
Encrypted LVM | not used | | | |
eCryptFS | implemented | Keep per-user data private. | login_Cryptohome* | |
glibc Stack Protector | needs functional test | Block string-buffer-on-stack-overflow attacks from rewriting the saved IP. | | Issue 23101 (on Google Code) | -fstack-protector-strong is used for almost all packages
glibc Heap Protector | needs functional test | Block heap unlink/double-free/etc. corruption attacks. | | Issue 23101 (on Google Code) |
glibc Pointer Obfuscation | needs functional test | Frustrate heap corruption attacks using saved libc function pointers. | | Issue 23101 (on Google Code) | includes FILE pointer mangling
Stack ASLR | needs functional test | Frustrate stack memory attacks that need known locations. | | |
Libs/mmap ASLR | needs functional test | Frustrate return-to-library and ROP attacks. | | |
Exec ASLR | needs functional test | Needs PIE; used to frustrate ROP attacks. | | |
brk ASLR | needs functional test | Frustrate brk-memory attacks that need known locations. | kernel_ConfigVerify | |
VDSO ASLR | needs functional test | Frustrate return-to-VDSO attacks. | kernel_ConfigVerify | |
Built PIE | needs functional test | Take advantage of exec ASLR. | platform_ToolchainOptions | |
Built FORTIFY_SOURCE | needs functional test | Catch overflows and other detectable security problems. | | |
Built RELRO | needs functional test | Reduce available locations to gain execution control. | platform_ToolchainOptions | |
Built BIND_NOW | needs functional test | With RELRO, really reduce available locations. | platform_ToolchainOptions | |
Non-exec memory | needs functional test | Block execution of malicious data regions. | kernel_ConfigVerify | |
/proc/PID/maps protection | needs functional test | Block access to ASLR locations of other processes. | | |
Symlink restrictions | implemented | Block /tmp race attacks. | security_SymlinkRestrictions.py | Issue 22137 (on Google Code) |
Hardlink restrictions | implemented | Block hardlink attacks. | security_HardlinkRestrictions.py | Issue 22137 (on Google Code) |
ptrace scoping | implemented | Block access to in-process credentials. | security_ptraceRestrictions.py | Issue 22137 (on Google Code) |
0-address protection | needs functional test | Block kernel NULL-deref attacks. | kernel_ConfigVerify | |
/dev/mem protection | needs functional test | Block kernel rootkits and privacy loss. | kernel_ConfigVerify | Issue 21553 (on Google Code) | crash_reporter uses ramoops via /dev/mem
/dev/kmem protection | needs functional test | Block kernel rootkits and privacy loss. | kernel_ConfigVerify | |
disable kernel module loading | how about module signing instead? | Block kernel rootkits and privacy loss. | | |
read-only kernel data sections | needs functional test | Block malicious manipulation of kernel data structures. | kernel_ConfigVerify | |
kernel stack protector | needs functional test | Catch character buffer overflow attacks. | kernel_ConfigVerify | |
kernel module RO/NX | needs functional test | Block malicious manipulation of kernel data structures. | kernel_ConfigVerify | |
kernel address display restriction | needs config and functional test | Frustrate kernel exploits that need memory locations. | | | Was disabled by default in 3.x kernels.
disable debug interfaces for non-root users | needs config and functional test | Frustrate kernel exploits that depend on debugfs. | | Issue 23758 (on Google Code) |
disable ACPI custom_method | needs config and functional test | Frustrate kernel exploits that depend on root access to physical memory. | | Issue 23759 (on Google Code) |
unreadable kernel files | needs config and functional test | Frustrate automated kernel exploits that depend on access to various kernel resources. | | Issue 23761 (on Google Code) |
blacklist rare network modules | needs functional test | Reduce attack surface of available kernel interfaces. | | |
syscall filtering | needs functional test | Reduce attack surface of available kernel interfaces. | | Issue 23150 (on Google Code) |
vsyscall ASLR | medium priority | Reduce ROP target surface. | | |
Limited use of suid binaries | implemented | Potentially dangerous, so minimize use. | security_SuidBinaries | |
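Most of the rows marked "needs functional test" can be graded from two command outputs: `sysctl -a` for the kernel-side settings (ASLR, symlink/hardlink restrictions, ptrace scoping, kernel address display restriction, 0-address protection, SYN cookies) and `readelf -l -d` per binary for PIE, RELRO and BIND_NOW. The script below is an added example, not the autotests named in the table (kernel_ConfigVerify, platform_ToolchainOptions, security_*Restrictions); the sysctl names, thresholds and the two readelf excerpts are my assumptions and constructed inputs, not taken from this page.

```python
"""Offline functional checks for several rows of the table above.

Added example, not the Chrome OS autotests it imitates (kernel_ConfigVerify,
platform_ToolchainOptions, security_SymlinkRestrictions and friends).
It consumes the text of `sysctl -a` and `readelf -l -d <binary>`; the
inputs at the bottom are constructed so the script runs on any machine.
"""
import re

# sysctl -> (predicate on the string value, expectation for the report).
# The comment names the table row(s) each key covers.
EXPECTED_SYSCTLS = {
    "kernel.randomize_va_space": (lambda v: v == "2", "2"),            # stack/mmap/exec/brk/VDSO ASLR
    "fs.protected_symlinks": (lambda v: v == "1", "1"),                # symlink restrictions
    "fs.protected_hardlinks": (lambda v: v == "1", "1"),               # hardlink restrictions
    "kernel.yama.ptrace_scope": (lambda v: v in ("1", "2", "3"), ">= 1"),  # ptrace scoping
    "kernel.kptr_restrict": (lambda v: v in ("1", "2"), ">= 1"),       # kernel address display restriction
    "vm.mmap_min_addr": (lambda v: v.isdigit() and int(v) >= 4096, ">= 4096"),  # 0-address protection
    "net.ipv4.tcp_syncookies": (lambda v: v == "1", "1"),              # SYN cookies
}


def parse_sysctl(text):
    """Turn `sysctl -a` style 'key = value' lines into a dict."""
    values = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            values[key.strip()] = value.strip()
    return values


def check_sysctls(values):
    """Return [(key, problem)] for each expected sysctl that is absent or wrong."""
    problems = []
    for key, (accept, want) in EXPECTED_SYSCTLS.items():
        actual = values.get(key)
        if actual is None:
            problems.append((key, "missing (feature not built into this kernel?)"))
        elif not accept(actual):
            problems.append((key, "is %s, want %s" % (actual, want)))
    return problems


def check_elf(readelf_text):
    """Classify one binary from `readelf -l -d` output.

    PIE: ELF type DYN; an EXEC image is loaded at a fixed address, so exec
    ASLR does nothing for it.  RELRO: a GNU_RELRO segment exists; it is only
    'full' when BIND_NOW also forces eager symbol binding, otherwise the GOT
    stays writable for lazy resolution and remains an overwrite target.
    """
    pie = re.search(r"^Elf file type is DYN", readelf_text, re.M) is not None
    has_relro = "GNU_RELRO" in readelf_text
    bind_now = re.search(r"\(FLAGS\)\s+.*\bBIND_NOW\b|\(FLAGS_1\)\s+Flags:.*\bNOW\b",
                         readelf_text) is not None
    relro = "full" if has_relro and bind_now else "partial" if has_relro else "none"
    return {"pie": pie, "relro": relro}


# Constructed inputs: a kernel with ptrace scoping switched off and no
# kptr_restrict key at all, a hardened binary and a legacy non-PIE one.
SAMPLE_SYSCTL = """\
kernel.randomize_va_space = 2
fs.protected_symlinks = 1
fs.protected_hardlinks = 1
kernel.yama.ptrace_scope = 0
vm.mmap_min_addr = 65536
net.ipv4.tcp_syncookies = 1
"""

HARDENED_READELF = """\
Elf file type is DYN (Shared object file)
  GNU_RELRO      0x0000000000002db0 0x0000000000003db0 0x0000000000003db0
Dynamic section at offset 0x2dc0 contains 27 entries:
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE
"""

LEGACY_READELF = """\
Elf file type is EXEC (Executable file)
  GNU_RELRO      0x0000000000002e10 0x0000000000403e10 0x0000000000403e10
Dynamic section at offset 0x2e20 contains 24 entries:
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
"""


def report(sysctl_text, binaries):
    """Run both checks; returns a dict a test harness can assert on."""
    return {"sysctl": check_sysctls(parse_sysctl(sysctl_text)),
            "elf": {name: check_elf(text) for name, text in binaries.items()}}


if __name__ == "__main__":
    result = report(SAMPLE_SYSCTL, {"hardened": HARDENED_READELF, "legacy": LEGACY_READELF})
    for key, problem in result["sysctl"]:
        print("FAIL sysctl %s: %s" % (key, problem))
    for name, verdict in result["elf"].items():
        print("%s: PIE=%s RELRO=%s" % (name, verdict["pie"], verdict["relro"]))
```

A missing sysctl key is reported separately from a wrong value because it usually means the feature was not compiled in (Yama, protected_symlinks), which is a kernel config problem rather than a boot-time setting. The ELF check deliberately grades RELRO as "partial" when BIND_NOW is absent: that is the combination the "Built BIND_NOW" row is warning about.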

Chrome OS specific features

  • We use minijail for sandboxing:
  • Current sandboxing status:
Service/daemon | Overall status | Usage | Comments | Exposure: Network traffic | Exposure: User input | Exposure: DBus | Exposure: Hardware (udev) | Exposure: FS (config files, etc.) | Privileges: Runs as | Privileges: Privileges needed? | Sandbox: uid
udevd | Low pri | Listens to udev events via netlink socket | | No | No | No | Yes | No | root | Probably | No
session-manager | P2 | | Launched from /sbin/session_manager_setup.sh | No | No | Yes | No | No | root | Probably | No
rsyslogd | Low pri | Logging | | No | No | No | No | Yes | root | Probably | No
dbus-daemon | Low pri | IPC | | Listens on Unix domain socket | Unix domain socket | Yes | | | messagebus | Yes | Yes
powerm | P2 | Suspend to RAM and system shutdown. Handles input events for hall effect sensor (lid) and power button. | | No | No | Yes | Yes | Yes | root | Probably | No
wpa_supplicant | Low pri | WPA auth | | Yes | Via flimflam | Yes | No | Yes, exposes management API through FS | wpa | Yes | Yes
shill | P0 | Connection manager | | Yes | Yes | Yes | Yes | Yes | root | Probably | No
X | P1 | | | No (-nolisten tcp) | Yes | No | GPU | Yes | root | x86: no, ARM: yes | No
htpdate | Low pri | Setting date and time | | Yes | No | No | No | No | ntp | Yes | Yes
cashewd | Low pri | Network usage tracking | | No | No | Yes | No | No | cashew | Yes | Yes
chapsd | Low pri | PKCS#11 implementation | | No | No | Yes | No | No | chaps | Yes | Yes
cryptohomed | P1 | Encrypted user storage | | No | Yes | Yes | No | No | root | Probably | No
powerd | Low pri | Idle or video activity detection. Dimming the backlight or turning off the screen, adjusting backlight intensity. Monitors plug state (on AC or on battery) and battery state-of-charge. | | No | Yes | Yes | Yes | Yes | powerd | Probably | Yes
modem-manager | P1 | Manages 3G modems | | Indirectly | Yes | Yes | Yes | No | root | Probably not | No
gavd | P2 | Audio/video events and routing | | No | Yes | Yes | Yes | No | gavd | Yes | Yes
dhcpcd | Low pri | DHCP client | | Yes | Indirectly | No | No | No | dhcp | Yes | Yes
metrics_daemon | P2 | Metrics collection and uploading | | Yes, but shouldn't listen | No | Yes | No | No | root | Probably not | No
cros-disks/disks | P1 | Removable media handling | | No | Yes | Yes | Yes | No | root | Launches minijail | No
avfsd | Low pri | Compressed file handling | Launched from cros-disks, uses minijail | Not in Chrome OS | Yes | No | No | Yes | avfs | Yes | Yes
update_engine | P0 | System updates | | Yes | No | Yes | No | No | root | Probably | No
cromo | Low pri | Supports Gobi 3G modems | | Indirectly | Yes | Yes | Yes | Probably | cromo | Yes | Yes
bluetoothd | Low pri | | | Yes | Yes | Yes | Yes | Yes | bluetooth | Yes | Yes
unclutter | Low pri | Hides cursor while typing | | | Yes | | | | chronos | Yes | Yes (via sudo)
cras | P2 | Audio server | | No | Yes | Yes | Yes | No | cras | Yes | Yes
tcsd | P2 | Portal to the TPM device driver | | No | Yes | Yes | Yes | Yes | tss | Yes | Yes
keyboard_touchpad_helper | P1 | Disables touchpad when typing | | | Yes | | | | root | Probably not | No
logger | Low pri | Redirects stderr for several daemons to syslog | | Indirectly | Indirectly | No | No | No | syslog | Yes | Yes
login | P2 | Helps organize Upstart events | | No | Indirectly | Yes | No | Yes | root | Probably | No
wimax-manager | P1 | | Includes third-party library | Yes | Indirectly | Yes | Yes | Yes | root | Probably not | No
mtpd | P2 | Manages MTP devices | Includes third-party library | No | Yes | Yes | Yes | No | mtp | Yes | Yes

Enforced by security_SandboxedServices
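The "Runs as" and "Sandbox: uid" columns describe a goal that can drift as daemons are changed, which is why the table is enforced by a test. The script below is an added example written in the spirit of security_SandboxedServices, not that test: it reads `/proc/<pid>/status` the way a runtime check could, compares each daemon against a baseline copied from a few rows of the table, and for non-root daemons also checks the things a uid change alone does not give you (capabilities actually dropped, NoNewPrivs set, a seccomp filter installed). The uid numbers and the four status excerpts are constructed.

```python
"""Runtime view of the sandboxing table above, taken from /proc/<pid>/status.

Added example written in the spirit of security_SandboxedServices; it is not
that test. BASELINE copies the 'Runs as' column for a few daemons from the
table. The uid numbers and the status excerpts below are constructed so the
script runs offline; on a device each text would come from
/proc/<pid>/status for a daemon found in `ps`.
"""

# daemon -> user it should run as, per the table ("root" = not yet sandboxed)
BASELINE = {
    "chapsd": "chaps",
    "cras": "cras",
    "tcsd": "tss",
    "shill": "root",
}

# Constructed uid map (on a device: /etc/passwd or pwd.getpwuid).
UID_NAMES = {0: "root", 223: "chaps", 220: "cras", 207: "tss"}


def parse_status(text):
    """Parse the 'Key:<tab>value' lines of /proc/<pid>/status into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def assess(fields, uid_names):
    """Findings for one process; an empty list means it meets the sandbox goal."""
    name = fields["Name"]
    effective_uid = int(fields["Uid"].split()[1])    # real, effective, saved, fs
    expected = BASELINE.get(name)
    findings = []
    if effective_uid == 0:
        if expected == "root":
            findings.append("runs as root, as the baseline expects")
        elif expected is None:
            findings.append("runs as root, not in baseline")
        else:
            findings.append("runs as root, baseline says %s" % expected)
        return findings                              # root: nothing more to grade
    actual = uid_names.get(effective_uid, str(effective_uid))
    if expected is not None and actual != expected:
        findings.append("runs as %s, baseline says %s" % (actual, expected))
    # Dropping uid alone is not the whole story: retained capabilities, the
    # ability to regain privilege through setuid executables, and an
    # unfiltered syscall surface each give back part of what the uid change
    # took away.
    if int(fields.get("CapEff", "0"), 16) != 0:
        findings.append("non-root but CapEff is %s" % fields["CapEff"])
    if fields.get("NoNewPrivs") != "1":             # field absent on old kernels
        findings.append("NoNewPrivs not set (setuid executables could regain privilege)")
    if fields.get("Seccomp") != "2":                # 2 = filter mode; absent before 3.8
        findings.append("no seccomp filter (Seccomp=%s)" % fields.get("Seccomp", "absent"))
    return findings


def audit(status_texts, uid_names):
    """Map daemon name -> findings for a list of /proc/<pid>/status texts."""
    results = {}
    for text in status_texts:
        fields = parse_status(text)
        results[fields["Name"]] = assess(fields, uid_names)
    return results


# Constructed /proc/<pid>/status excerpts (only the fields the check reads):
# chapsd sandboxed as the table says, cras regressed to root, tcsd dropped
# uid but kept a capability and has no seccomp filter, shill root as listed.
SAMPLE_STATUS = [
    "Name:\tchapsd\nUid:\t223\t223\t223\t223\nCapEff:\t0000000000000000\n"
    "NoNewPrivs:\t1\nSeccomp:\t2\n",
    "Name:\tcras\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\n"
    "NoNewPrivs:\t0\nSeccomp:\t0\n",
    "Name:\ttcsd\nUid:\t207\t207\t207\t207\nCapEff:\t0000000000020000\n"
    "NoNewPrivs:\t1\nSeccomp:\t0\n",
    "Name:\tshill\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\n"
    "NoNewPrivs:\t0\nSeccomp:\t0\n",
]

if __name__ == "__main__":
    for daemon, findings in audit(SAMPLE_STATUS, UID_NAMES).items():
        print("%-8s %s" % (daemon, "; ".join(findings) or "sandboxed"))
```

A daemon that is in the baseline as root produces a finding too, so the output doubles as the list of services still waiting for a sandbox; a root daemon that is not in the baseline is the interesting case for a regression test, since it is a new privileged service nobody reviewed.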
