This is a list of current and planned Chrome OS security features. Each feature is listed together with its rationale and status. This should serve as a checklist and status update on Chrome OS security.
Feature | Status | Rationale | Tests | Bug | More thoughts or work needed? |
---|---|---|---|---|---|
No Open Ports | implemented | Reduce attack surface of listening services. | security_NetworkListeners | Issue 22412 (on Google Code) | Runtime test has to whitelist test-system-only "noise" like sshd; the ensure_* tests are the offsetting checks that these aren't on Release builds. |
Password Hashing | implemented; scrypt is used when there is no TPM | Frustrate brute-force attempts at recovering passwords. | | | |
SYN cookies | needs functional test | In the unlikely event of a SYN flood, act sanely. | kernel_ConfigVerify | | |
Filesystem Capabilities | runtime use only | Allow root privilege segmentation. | security_Minijail0 | | |
Firewall | needs functional test | Block unexpected network listeners to frustrate remote access. | | Issue 23089 (on Google Code) | |
PR_SET_SECCOMP | needs functional test | Available for extremely restricted sandboxing. | kernel_ConfigVerify | Issue 23090 (on Google Code) | |
AppArmor | not used | | | | |
SELinux | not used | | | | |
SMACK | not used | | | | |
Encrypted LVM | not used | | | | |
eCryptFS | implemented | Keep per-user data private. | login_Cryptohome* | | |
glibc Stack Protector | needs functional test | Block stack-buffer-overflow attacks from rewriting the saved instruction pointer. | | Issue 23101 (on Google Code) | -fstack-protector-strong is used for almost all packages. |
glibc Heap Protector | needs functional test | Block heap unlink/double-free/etc. corruption attacks. | | Issue 23101 (on Google Code) | |
glibc Pointer Obfuscation | needs functional test | Frustrate heap corruption attacks that use saved libc function pointers. | | Issue 23101 (on Google Code) | Includes FILE pointer mangling. |
Stack ASLR | needs functional test | Frustrate stack memory attacks that need known locations. | | | |
Libs/mmap ASLR | needs functional test | Frustrate return-to-library and ROP attacks. | | | |
Exec ASLR | needs functional test | Needs PIE; used to frustrate ROP attacks. | | | |
brk ASLR | needs functional test | Frustrate brk-memory attacks that need known locations. | kernel_ConfigVerify | | |
VDSO ASLR | needs functional test | Frustrate return-to-VDSO attacks. | kernel_ConfigVerify | | |
Built PIE | needs functional test | Take advantage of exec ASLR. | platform_ToolchainOptions | | |
Built FORTIFY_SOURCE | needs functional test | Catch overflows and other detectable security problems. | | | |
Built RELRO | needs functional test | Reduce available locations to gain execution control. | platform_ToolchainOptions | | |
Built BIND_NOW | needs functional test | With RELRO, really reduce available locations. | platform_ToolchainOptions | | |
Non-exec memory | needs functional test | Block execution of malicious data regions. | kernel_ConfigVerify | | |
/proc/PID/maps protection | needs functional test | Block access to the ASLR layout of other processes. | | | |
Symlink restrictions | implemented | Block /tmp race attacks. | security_SymlinkRestrictions.py | Issue 22137 (on Google Code) | |
Hardlink restrictions | implemented | Block hardlink attacks. | security_HardlinkRestrictions.py | Issue 22137 (on Google Code) | |
ptrace scoping | implemented | Block access to in-process credentials. | security_ptraceRestrictions.py | Issue 22137 (on Google Code) | |
0-address protection | needs functional test | Block kernel NULL-deref attacks. | kernel_ConfigVerify | | |
/dev/mem protection | needs functional test | Block kernel rootkits and privacy loss. | kernel_ConfigVerify | Issue 21553 (on Google Code) | crash_reporter uses ramoops via /dev/mem. |
/dev/kmem protection | needs functional test | Block kernel rootkits and privacy loss. | kernel_ConfigVerify | | |
disable kernel module loading | open question: module signing instead? | Block kernel rootkits and privacy loss. | | | |
read-only kernel data sections | needs functional test | Block malicious manipulation of kernel data structures. | kernel_ConfigVerify | | |
kernel stack protector | needs functional test | Catch character buffer overflow attacks. | kernel_ConfigVerify | | |
kernel module RO/NX | needs functional test | Block malicious manipulation of kernel data structures. | kernel_ConfigVerify | | |
kernel address display restriction | needs config and functional test | Frustrate kernel exploits that need memory locations. | | | Was disabled by default in 3.x kernels. |
disable debug interfaces for non-root users | needs config and functional test | Frustrate kernel exploits that depend on debugfs. | | Issue 23758 (on Google Code) | |
disable ACPI custom_method | needs config and functional test | Frustrate kernel exploits that depend on root access to physical memory. | | Issue 23759 (on Google Code) | |
unreadable kernel files | needs config and functional test | Frustrate automated kernel exploits that depend on access to various kernel resources. | | Issue 23761 (on Google Code) | |
blacklist rare network modules | needs functional test | Reduce attack surface of available kernel interfaces. | | | |
syscall filtering | needs functional test | Reduce attack surface of available kernel interfaces. | | Issue 23150 (on Google Code) | |
vsyscall ASLR | medium priority | Reduce ROP target surface. | | | |
Limited use of suid binaries | implemented | Potentially dangerous, so minimize use. | security_SuidBinaries | | |
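The No Open Ports and Firewall rows both come down to one runtime question: which TCP sockets are in LISTEN state, and is each one expected? The following Python is an added example of such a check; it is not the security_NetworkListeners autotest and not Chrome OS code. It parses the kernel's own /proc/net/tcp and /proc/net/tcp6 tables rather than netstat output. The allow-list (port 22 for test-image sshd), the loopback exemption and the two sample dumps are constructed for illustration.

```python
"""Find listening TCP sockets from /proc/net/tcp{,6} and flag the unexpected ones.

Added example, not the security_NetworkListeners autotest: it parses the kernel's
socket tables directly. The allow-list of test-image "noise" (sshd on port 22
here) is a stand-in for whatever the real test permits, and the sample dumps
below are constructed rather than captured from a device.
"""
import os
import socket
import struct

TCP_LISTEN = "0A"   # value of the 'st' column for a socket in LISTEN state


def _decode_addr(hex_addr: str) -> str:
    """Decode a /proc/net/tcp address: each 32-bit word is printed in host (little-endian) order."""
    raw = b"".join(struct.pack("<I", int(hex_addr[i:i + 8], 16))
                   for i in range(0, len(hex_addr), 8))
    return socket.inet_ntop(socket.AF_INET if len(raw) == 4 else socket.AF_INET6, raw)


def listening_sockets(proc_net_text: str) -> list:
    """Return (ip, port, uid, inode) for every LISTEN socket in a /proc/net/tcp or tcp6 dump."""
    found = []
    for line in proc_net_text.splitlines()[1:]:      # line 0 is the column header
        f = line.split()
        if len(f) < 10 or f[3] != TCP_LISTEN:
            continue
        addr_hex, port_hex = f[1].split(":")
        found.append((_decode_addr(addr_hex), int(port_hex, 16), int(f[7]), int(f[9])))
    return found


def unexpected_listeners(sockets, allowed_ports=frozenset(), allow_loopback=False) -> list:
    """Listeners that are neither on an allow-listed port nor (optionally) bound to loopback only."""
    return [s for s in sockets
            if s[1] not in allowed_ports
            and not (allow_loopback and s[0] in ("127.0.0.1", "::1"))]


# Constructed sample: sshd on 0.0.0.0:22, cupsd on 127.0.0.1:631, an established
# client connection (state 01, skipped) and something listening on [::]:8080 as uid 217.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 14022 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 14510 1 0000000000000000 100 0 0 10 0
   2: 0F02000A:A1B2 4A7D2E63:01BB 01 00000000:00000000 02:00000B5C 00000000  1000        0 20871 2 0000000000000000 23 4 30 10 -1
"""
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000000000000:1F90 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000   217        0 18334 1 0000000000000000 100 0 0 10 0
"""


def scan_live_system(allowed_ports=frozenset(), allow_loopback=False) -> list:
    """Run the check against the running kernel's tables (Linux only)."""
    sockets = []
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):
        if os.path.exists(path):
            with open(path) as fh:
                sockets.extend(listening_sockets(fh.read()))
    return unexpected_listeners(sockets, allowed_ports, allow_loopback)


if __name__ == "__main__":
    for ip, port, uid, inode in scan_live_system(allowed_ports={22}, allow_loopback=True):
        print("unexpected listener %s:%d (uid %d, inode %d)" % (ip, port, uid, inode))
```

Run on the constructed samples, the [::]:8080 socket is the only violation once port 22 is allow-listed and loopback is exempted; with loopback not exempted the cupsd socket on 127.0.0.1:631 is reported too, which is the stricter reading of "no open ports". Reporting the owning uid and inode is what lets a test map a stray socket back to the daemon that opened it.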
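The Built PIE, Built RELRO, Built BIND_NOW and Non-exec memory rows are all properties that can be read straight out of an ELF binary's program headers and dynamic section, which is what a functional test for them would do. The following Python is an added example of that check, not the platform_ToolchainOptions test and not Chrome OS code. It handles little-endian ELF64 images only; build_test_elf() fabricates minimal, non-loadable images with chosen headers so the checker can be exercised without real binaries, and the FORTIFY_SOURCE and stack-protector rows are out of scope here because they need symbol inspection rather than header flags.

```python
"""Check the toolchain hardening of an ELF64 binary: PIE, NX stack, RELRO, BIND_NOW.

Added example (not Chrome OS's platform_ToolchainOptions test): it reads the
ELF program headers and dynamic section directly, so it needs no readelf.
build_test_elf() fabricates a minimal, non-runnable ELF image with chosen
headers so the checker can be exercised without real binaries.
"""
import struct
import sys

ET_EXEC, ET_DYN = 2, 3                      # e_type: fixed-address executable vs. PIE/shared object
PT_DYNAMIC = 2
PT_GNU_STACK = 0x6474E551                   # stack permissions; PF_X here means an executable stack
PT_GNU_RELRO = 0x6474E552                   # region made read-only after relocation
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
EHDR_SIZE, PHDR_SIZE = 64, 56
REQUIRED = ("pie", "nx_stack", "relro", "bind_now")


def check_elf(data: bytes) -> dict:
    """Return which hardening properties a little-endian ELF64 image carries."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 images are handled")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    # Without a PT_GNU_STACK header the kernel falls back to an executable stack on x86,
    # so NX only counts when the header is present and lacks PF_X.
    result = {"pie": e_type == ET_DYN, "nx_stack": False, "relro": False, "bind_now": False}
    dynamic = None
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            result["nx_stack"] = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            result["relro"] = True
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)
    if dynamic:
        off, size = dynamic
        for pos in range(off, off + size, 16):      # Elf64_Dyn is (d_tag, d_val), 8 bytes each
            d_tag, d_val = struct.unpack_from("<qQ", data, pos)
            if d_tag == DT_NULL:
                break
            if (d_tag == DT_BIND_NOW or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW)
                    or (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW)):
                result["bind_now"] = True
    # Full RELRO = RELRO plus BIND_NOW: the GOT is resolved eagerly and then made read-only.
    result["full_relro"] = result["relro"] and result["bind_now"]
    return result


def hardening_failures(data: bytes) -> list:
    """Names of the required properties the image lacks (empty list means it passes)."""
    found = check_elf(data)
    return [name for name in REQUIRED if not found[name]]


def build_test_elf(pie=True, nx_stack=True, relro=True, bind_now=True) -> bytes:
    """Fabricate a minimal ELF64 image (x86-64 machine type, not loadable) with the requested headers."""
    dyn = b""
    if bind_now:
        dyn += struct.pack("<qQ", DT_FLAGS_1, DF_1_NOW)
    dyn += struct.pack("<qQ", DT_NULL, 0)
    phnum = 3 if relro else 2
    dyn_off = EHDR_SIZE + PHDR_SIZE * phnum
    phdrs = [struct.pack("<IIQQQQQQ", PT_GNU_STACK,
                         PF_R | PF_W | (0 if nx_stack else PF_X), 0, 0, 0, 0, 0, 16)]
    if relro:
        phdrs.append(struct.pack("<IIQQQQQQ", PT_GNU_RELRO, PF_R,
                                 dyn_off, 0, 0, len(dyn), len(dyn), 1))
    phdrs.append(struct.pack("<IIQQQQQQ", PT_DYNAMIC, PF_R | PF_W,
                             dyn_off, 0, 0, len(dyn), len(dyn), 8))
    ehdr = (b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
            + struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 62, 1,
                          0, EHDR_SIZE, 0, 0, EHDR_SIZE, PHDR_SIZE, phnum, 64, 0, 0))
    return ehdr + b"".join(phdrs) + dyn


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            missing = hardening_failures(f.read())
        print("%s: %s" % (path, "ok" if not missing else "missing " + ", ".join(missing)))
```

Pointed at real binaries (`python3 check_elf.py /usr/bin/*`) it reports each file as ok or lists what is missing. Note that BIND_NOW can be expressed three ways (DT_BIND_NOW, DF_BIND_NOW in DT_FLAGS, DF_1_NOW in DT_FLAGS_1), so a check that looks for only one of them will produce false failures on some toolchains.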
- We use minijail for sandboxing:
  - Design doc
  - Issue 380 (on Google Code)
- Current sandboxing status:
Column groups: Exposure covers Network traffic, User input, DBus, Hardware (udev) and FS (config files, etc.); Privileges covers Runs as and Privileges needed?; Sandbox covers uid.

Service/daemon | Overall status | Usage | Comments | Network traffic | User input | DBus | Hardware (udev) | FS (config files, etc.) | Runs as | Privileges needed? | uid |
---|---|---|---|---|---|---|---|---|---|---|---|
udevd | Low pri | | Listens to udev events via netlink socket | No | No | No | Yes | No | root | Probably | No |
session-manager | P2 | | Launched from /sbin/session_manager_setup.sh | No | No | Yes | No | No | root | Probably | No |
rsyslogd | Low pri | Logging | | No | No | No | No | Yes | root | Probably | No |
dbus-daemon | Low pri | IPC | Listens on Unix domain socket | Unix domain socket | | Yes | | | messagebus | Yes | Yes |
powerm | P2 | Suspend to RAM and system shutdown. Handles input events for the hall effect sensor (lid) and power button. | | No | No | Yes | Yes | Yes | root | Probably | No |
wpa_supplicant | Low pri | WPA auth | | Yes | Via flimflam | Yes | No | Yes, exposes management API through FS | wpa | Yes | Yes |
shill | P0 | Connection manager | | Yes | Yes | Yes | Yes | Yes | root | Probably | No |
X | P1 | | | No (-nolisten tcp) | Yes | No | GPU | Yes | root | x86: no, ARM: yes | No |
htpdate | Low pri | Setting date and time | | Yes | No | No | No | No | ntp | Yes | Yes |
cashewd | Low pri | Network usage tracking | | No | No | Yes | No | No | cashew | Yes | Yes |
chapsd | Low pri | PKCS#11 implementation | | No | No | Yes | No | No | chaps | Yes | Yes |
cryptohomed | P1 | Encrypted user storage | | No | Yes | Yes | No | No | root | Probably | No |
powerd | Low pri | Idle or video activity detection. Dimming the backlight or turning off the screen, adjusting backlight intensity. Monitors plug state (on AC or on battery) and battery state of charge. | | No | Yes | Yes | Yes | Yes | powerd | Probably | Yes |
modem-manager | P1 | Manages 3G modems | | Indirectly | Yes | Yes | Yes | No | root | Probably not | No |
gavd | P2 | Audio/video events and routing | | No | Yes | Yes | Yes | No | gavd | Yes | Yes |
dhcpcd | Low pri | DHCP client | | Yes | Indirectly | No | No | No | dhcp | Yes | Yes |
metrics_daemon | P2 | Metrics collection and uploading | | Yes, but shouldn't listen | No | Yes | No | No | root | Probably not | No |
cros-disks/disks | P1 | Removable media handling | | No | Yes | Yes | Yes | No | root | Launches minijail | No |
avfsd | Low pri | Compressed file handling | Launched from cros-disks, uses minijail | Not in Chrome OS | Yes | No | No | Yes | avfs | Yes | Yes |
update_engine | P0 | System updates | | Yes | No | Yes | No | No | root | Probably | No |
cromo | Low pri | Supports Gobi 3G modems | | Indirectly | Yes | Yes | Yes | Probably | cromo | Yes | Yes |
bluetoothd | Low pri | | | Yes | Yes | Yes | Yes | Yes | bluetooth | Yes | Yes |
unclutter | Low pri | Hides cursor while typing | | | Yes | | | | chronos | Yes | Yes (via sudo) |
cras | P2 | Audio server | | No | Yes | Yes | Yes | No | cras | Yes | Yes |
tcsd | P2 | Portal to the TPM device driver | | No | Yes | Yes | Yes | Yes | tss | Yes | Yes |
keyboard_touchpad_helper | P1 | Disables touchpad when typing | | | Yes | | | | root | Probably not | No |
logger | Low pri | Redirects stderr for several daemons to syslog | | Indirectly | Indirectly | No | No | No | syslog | Yes | Yes |
login | P2 | Helps organize Upstart events | | No | Indirectly | Yes | No | Yes | root | Probably | No |
wimax-manager | P1 | | Includes third-party library | Yes | Indirectly | Yes | Yes | Yes | root | Probably not | No |
mtpd | P2 | Manages MTP devices | Includes third-party library | No | Yes | Yes | Yes | No | mtp | Yes | Yes |
Enforced by security_SandboxedServices
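The Runs as, Privileges needed? and uid columns above describe a target state per service; a test enforcing it has to read the live state of each daemon and diff it against a baseline. The following Python is an added example of that comparison, not the security_SandboxedServices autotest and not Chrome OS code. It reads the facts a sandbox check cares about from /proc/<pid>/status (effective uid/gid, effective and bounding capability masks, NoNewPrivs, seccomp mode) and reports every deviation from a per-service baseline. The two status texts and the baselines, including the uid 220 and the net-only capability set for shill, are constructed for illustration.

```python
"""Verify a running service's sandbox state from /proc/<pid>/status.

Added example, not the security_SandboxedServices autotest: it reads the same
kind of facts that test checks (uid/gid the service runs as, effective and
bounding capabilities, no_new_privs, seccomp filter) and compares them with a
per-service baseline. The status texts and baselines below are constructed;
the uid numbers are made up.
"""

CAP_NET_ADMIN, CAP_NET_RAW = 1 << 12, 1 << 13     # capability bit numbers from linux/capability.h


def parse_proc_status(text: str) -> dict:
    """Turn /proc/<pid>/status into {field: value}; values stay strings."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def sandbox_state(status: dict) -> dict:
    """Extract the sandbox-relevant facts: effective ids, capability masks, NNP and seccomp."""
    uids = status["Uid"].split()      # real, effective, saved, filesystem
    gids = status["Gid"].split()
    return {
        "name": status.get("Name", ""),
        "euid": int(uids[1]),
        "egid": int(gids[1]),
        "cap_eff": int(status.get("CapEff", "0"), 16),
        "cap_bnd": int(status.get("CapBnd", "0"), 16),
        "no_new_privs": status.get("NoNewPrivs") == "1",
        "seccomp_filter": status.get("Seccomp") == "2",   # 0 = off, 1 = strict, 2 = filter
    }


def sandbox_violations(state: dict, baseline: dict) -> list:
    """Compare a service's state with its baseline and describe every deviation."""
    problems = []
    if state["euid"] != baseline["euid"]:
        problems.append("runs as uid %d, expected %d" % (state["euid"], baseline["euid"]))
    if state["egid"] != baseline["egid"]:
        problems.append("runs as gid %d, expected %d" % (state["egid"], baseline["egid"]))
    extra = state["cap_eff"] & ~baseline["caps"]
    if extra:
        problems.append("effective capabilities beyond baseline: 0x%x" % extra)
    if baseline.get("no_new_privs") and not state["no_new_privs"]:
        problems.append("no_new_privs is not set")
    if baseline.get("seccomp") and not state["seccomp_filter"]:
        problems.append("no seccomp filter installed")
    return problems


def check_pid(pid: int, baseline: dict) -> list:
    """Live check of one process (Linux only)."""
    with open("/proc/%d/status" % pid) as fh:
        return sandbox_violations(sandbox_state(parse_proc_status(fh.read())), baseline)


# Constructed samples (uids invented): shill still running as root with all caps and
# no seccomp; cras running as its own uid with an empty capability set, NNP and a filter.
SAMPLE_SHILL = ("Name:\tshill\n" "Uid:\t0\t0\t0\t0\n" "Gid:\t0\t0\t0\t0\n"
                "CapEff:\t0000003fffffffff\n" "CapBnd:\t0000003fffffffff\n"
                "NoNewPrivs:\t0\n" "Seccomp:\t0\n")
SAMPLE_CRAS = ("Name:\tcras\n" "Uid:\t220\t220\t220\t220\n" "Gid:\t220\t220\t220\t220\n"
               "CapEff:\t0000000000000000\n" "CapBnd:\t0000000000000000\n"
               "NoNewPrivs:\t1\n" "Seccomp:\t2\n")

# Illustrative target baselines, not the project's: shill kept as root but limited to
# the network capabilities, cras fully dropped to its own uid with no capabilities.
BASELINES = {
    "shill": {"euid": 0, "egid": 0, "caps": CAP_NET_ADMIN | CAP_NET_RAW,
              "no_new_privs": True, "seccomp": True},
    "cras": {"euid": 220, "egid": 220, "caps": 0, "no_new_privs": True, "seccomp": True},
}
```

Against these samples the shill state fails on three counts (capabilities beyond the baseline, no_new_privs unset, no seccomp filter) while cras passes. A baseline keyed by service name, as here, is what turns the "Privileges needed?" column into something a test can enforce instead of a judgement call.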