Chromium Sandbox
Chromium Multi-process Architecture

Chromium Browser Process (single): download, network, databases, disk cache, window management
Chromium Renderer Process (1…n): JavaScript engine, HTML-CSS / SVG / XML-XSLT parsing, Document Object Model, layout, image decoding
Chromium Plug-in Process (1…n): PDF
Chromium Extension Process (1…n)
Chromium GPU Process (single)

The renderer, plug-in, extension and GPU processes talk to the browser process over IPC.
Chromium Sandbox

Based on two mechanisms:
Windows Integrity Levels
Chromium Sandbox interception
Windows Integrity Levels

The Windows integrity mechanism is a core component of the Windows security architecture that restricts the access permissions of applications that are running under the same user account and that are less trustworthy.

Level               Who runs there
Installer           Installer
System              Services
High                Administrators
Medium (default)    Standard users
Low                 IE Protected Mode, Chromium Sandbox
Untrusted           Anonymous
Windows Integrity Levels, from lowest to highest

Untrusted: processes that are logged on anonymously are automatically designated as Untrusted.

Low: the Low integrity level is the level used by default for interaction with the Internet. As long as Internet Explorer is run in its default state, Protected Mode, all files and processes associated with it are assigned the Low integrity level. Some folders, such as the Temporary Internet Folder, are also assigned the Low integrity level by default.

Medium: Medium is the context that most objects will run in. Standard users receive the Medium integrity level, and any object not explicitly designated with a lower or higher integrity level is Medium by default.

High: Administrators are granted the High integrity level. This ensures that Administrators are capable of interacting with and modifying objects assigned Medium or Low integrity levels, but can also act on other objects with a High integrity level, which standard users cannot do.

System: as the name implies, the System integrity level is reserved for the system. The Windows kernel and core services are granted the System integrity level. Being even higher than the High integrity level of Administrators protects these core functions from being affected or compromised even by Administrators.

Installer: the Installer integrity level is a special case and is the highest of all integrity levels. By virtue of being equal to or higher than all other WIC integrity levels, objects assigned the Installer integrity level are also able to uninstall all other objects.
Chromium Windows Integrity Model

Medium integrity level:
Chromium Browser Process (single): download, network, databases, disk cache, window management

Low integrity level:
Chromium Renderer Process (1…n): JavaScript engine, HTML-CSS / SVG / XML-XSLT parsing, Document Object Model, layout, image decoding
Chromium Plug-in Process (1…n): PDF
Chromium Extension Process (1…n)
Chromium GPU Process (single)

The Low-integrity processes reach the Medium-integrity browser process only over IPC.
Chromium Sandbox interception

Add a "security" tag to the executable
Redirect all Windows API calls
Link statically with the runtime DLLs

To support the tagging, the Chromium process must be hosted in a dedicated executable, EikonSandBox.exe.

Chromium Master Process (sandbox binary checking) launching a Chromium Renderer Process:
1. Load and suspend the executable
2. Check the sandbox tagging
3. Redirect the Windows API
4. Resume the executable
Chromium Hosting

Without sandbox:
EikonBox.exe loads EikonViewer.dll dynamically.

With sandbox:
EikonSandBox.exe integrates the Chromium Sandbox library, initializes the sandbox, then loads EikonViewer.dll dynamically.
Chromium Sandbox API checking

Inside the Chromium Renderer Process, a Windows API call issued by the V8 engine crosses two boundaries before it reaches machine resources:
Interception boundary: the call is intercepted and checked against rules managed by Chromium.
Integrity boundary: the call is then subject to Windows access control management.
Feature                        Windows Integrity (Low IL)                   Chromium Sandbox
File read access               Most files                                   None (rule)
File write access              %USERPROFILE%\AppData\LocalLow               None (rule)
Registry read access           Most of the registry                         None (rule)
Registry write access          HKEY_CURRENT_USER\Software\AppDataLow        None (rule)
Clipboard                      Certain formats                              None (rule)
Remote Procedure Call (RPC)    Yes                                          ?
TCP/IP sockets                 Yes                                          ?
Window messages                Via ChangeWindowMessageFilter                No (no message loop)
Shared memory                  Via LI (low integrity) labels                None (rule)
COM interfaces                 With LI (low integrity) launch/activation rights   No (no COM)
Named pipes                    Via LI (low integrity) labels                None (rule)
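The two boundaries above compose: a redirected API call is first matched against the explicit allow rules held by the sandbox (no rule, no access) and, if it passes, is still subject to what a Low-integrity token may do under Windows access control. The following is an added model of that composition, not Chromium's or Eikon's code: the policy rules, the user profile path "C:\Users\alice\..." and the install directory "C:\Program Files\Eikon\" are constructed for the example, and the real broker mechanics (forwarding matched calls to the browser process) are left out.

```cpp
#include <algorithm>
#include <iostream>
#include <string>
#include <vector>

// Resource classes taken from the feature table.
enum class Resource { FileRead, FileWrite, RegistryRead, RegistryWrite };

// One intercepted call from the renderer: which class of access, on which object.
struct Request {
    Resource res;
    std::string target;
};

static bool startsWith(const std::string& s, const std::string& prefix) {
    return s.compare(0, prefix.size(), prefix) == 0;
}

// Layer 1, the interception boundary: the sandbox policy is a list of explicit
// allow rules; a call that matches no rule is denied ("None (rule)" in the table).
struct Rule {
    Resource res;
    std::string prefix;   // object path or key prefix the rule applies to
};

struct Policy {
    std::vector<Rule> rules;
    void addRule(Resource res, const std::string& prefix) { rules.push_back({res, prefix}); }
    bool allows(const Request& r) const {
        return std::any_of(rules.begin(), rules.end(), [&](const Rule& rule) {
            return rule.res == r.res && startsWith(r.target, rule.prefix);
        });
    }
};

// Layer 2, the integrity boundary: what Windows access control lets a Low-integrity
// process do by default, as summarised in the table (read most files and registry,
// write only below LocalLow / AppDataLow). The profile path is a constructed value.
static const std::string kLocalLow   = "C:\\Users\\alice\\AppData\\LocalLow\\";
static const std::string kAppDataLow = "HKEY_CURRENT_USER\\Software\\AppDataLow\\";

static bool lowIntegrityAllows(const Request& r) {
    switch (r.res) {
        case Resource::FileRead:
        case Resource::RegistryRead:  return true;
        case Resource::FileWrite:     return startsWith(r.target, kLocalLow);
        case Resource::RegistryWrite: return startsWith(r.target, kAppDataLow);
    }
    return false;
}

enum class Verdict { Allowed, DeniedByRule, DeniedByIntegrity };

// A redirected Windows API call crosses the interception boundary first and the
// integrity boundary second; it succeeds only if both layers allow it.
Verdict evaluate(const Policy& policy, const Request& r) {
    if (!policy.allows(r))       return Verdict::DeniedByRule;
    if (!lowIntegrityAllows(r))  return Verdict::DeniedByIntegrity;
    return Verdict::Allowed;
}

// Constructed policy for a hosted viewer: read-only access to a hypothetical install
// directory, plus a deliberately over-broad write rule to show that a rule mistake
// is still caught by the integrity layer.
Policy examplePolicy() {
    Policy p;
    p.addRule(Resource::FileRead,  "C:\\Program Files\\Eikon\\");
    p.addRule(Resource::FileWrite, "C:\\Users\\alice\\");
    return p;
}

const char* describe(Verdict v) {
    switch (v) {
        case Verdict::Allowed:           return "allowed";
        case Verdict::DeniedByRule:      return "denied by sandbox rule";
        case Verdict::DeniedByIntegrity: return "denied by Windows integrity level";
    }
    return "?";
}

int main() {
    Policy p = examplePolicy();
    std::vector<Request> calls = {
        {Resource::FileRead,      "C:\\Program Files\\Eikon\\EikonViewer.dll"},
        {Resource::FileRead,      "C:\\Users\\alice\\Documents\\secret.txt"},
        {Resource::FileWrite,     "C:\\Users\\alice\\AppData\\LocalLow\\Eikon\\cache.bin"},
        {Resource::FileWrite,     "C:\\Users\\alice\\Documents\\notes.txt"},
        {Resource::RegistryWrite, "HKEY_CURRENT_USER\\Software\\Eikon\\Settings"},
    };
    for (const Request& r : calls)
        std::cout << r.target << " -> " << describe(evaluate(p, r)) << "\n";
    return 0;
}
```

The fourth request is the instructive one: the over-broad write rule lets it through the interception boundary, but the Low-integrity token cannot write outside LocalLow, so the integrity boundary still refuses it. That is the reason the slides describe the sandbox as resting on both mechanisms rather than on rules alone.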
Sandbox integration in Eikon

With the sandbox in place the hosted viewer can no longer use:
application logs
JET
Copy/Paste
Shared Memory
the Eikon Pipe
COM
IKobra interfaces
MSXML
Dump generation
Protocols (Race Link)

Each of these was either solved, moved to another mechanism (JSON in one case), or limited.
Performance

As usual, security has a cost.

Process / Page    Homepage
Sandbox           ~700 ms
No Sandbox        ~500 ms

Process / Page    Affinity News (1st instance)    News (2nd instance)
Sandbox           ~1500 ms                        ~500 ms
No Sandbox        ~1000 ms                        ~500 ms