Wednesday, July 4, 2012

Chrome 20 on Linux and Flash sandboxing

[Very behind on blog posts so time to crank some out]

A week or so ago, Chrome 20 was released to the stable channel. There was little fanfare and even the official Chrome blog didn't have much to declare apart from bugfixes.

There were some things going on under the hood for the Linux platform, though. Security things, and some of them I implemented and am quite excited by.

The biggest item is an improvement to Flash security. Traditionally, Linux -- across all browsers -- hasn't had great Flash security, due to lack of sandboxing options. That just changed: so-called Pepper Flash shipped to the stable channel on Linux with Chrome 20 (other platforms to follow real soon). I went into a little detail about the technical sandbox measures in Pepper Flash for Linux in an older blog post.

As mentioned in the previous blog post, native 64-bit Flash also gives a useful security boost on 64-bit Linux platforms.

There's more. Perhaps you're running 64-bit Ubuntu 12.04? Courtesy of Kees Cook, this release sneaked in Will Drewry's seccomp filter patches, which I blogged about earlier this year in the context of vsftpd-3.0.0's usage of seccomp filter sandboxing.

So why have just one Flash sandbox if you can have two? A bit of double-bagging if you like. Assuming you're running 64-bit Ubuntu 12.04 and Chrome 20 or newer, you'll also have a seccomp filter policy slapped on Flash -- in additional to the chroot() and PID namespace. This may impede attackers trying to perform a local privilege escalation, who can no longer call crazy brand-new syscalls or use socket() to load crazy protocol modules, etc.

No sandbox or combination of sandboxes will ever be perfect, but "some" is better than "none". For people who want to run Flash, Chrome 20 on 64-bit Ubuntu 12.04 is one of the more locked-down ways to do it.


Anonymous said...

Are these Linux specific features or do they work on other unixes (such as the BSDs)?

Anonymous said...

the input fields at break (become unresponsive) on older hardware with the new pepper flash enabled

Steve said...

This is great, do you know which directory the chroot is set and what system calls that are blocked? Does it only allow read(), write(), exit() and sigreturn() or does the seccomp allow other system calls? Any ideas on what memory mapped areas the flash player has with other processes?

Anonymous said...

They are mostly Linux-specific.

FreeBSD has Capsicum for sandboxing their Chromium port. See for more information.

Linux pretty much has the competition beat now though. FreeBSD lacks support for loads of proactive security, even in terms of supported compile-time options.

Xistnt said...

I'm a novice. I wanted to install Ubuntu on my laptop because I understand Linux is superior to Windows regarding customization & security, but when I couldn't find a wiki as easy as "Install Ubuntu for Dummies" I aborted my quest... any recommendations where I can find simple install & troubleshooting info to get it installed? Then, I'll be able to learn faster by following your advice...thanks!