July 29th, 2011
In the past, we’ve written a good deal about the Chrome sandbox and other security features that we built into the Chrome browser. These features demonstrate the Chrome team’s overall focus on providing usable security even as we continue our rapid development work on the project.
Chromebooks take Chrome and its core values (simplicity, speed and security) and apply them to our own operating system infrastructure. The result is a multi-layered set of defenses which boosts the security of Chromebooks against malicious software that could compromise and linger on the system. While no software is perfect or completely secure, we believe we’re taking an important step forward.
Let’s take a quick look at some of the Chromebook security features that, when paired with good web hygiene, make it easier to browse the web safely. (We’re already handling updates and malware resistance on the Chromebook automatically!)
Baked in, seriously
Our security model is rooted in two pieces of hardware that ship with every Chromebook: a custom firmware chip and a Trusted Platform Module (TPM). The custom firmware chip consists of two parts: a read-only firmware and a read-write firmware that can be updated. When you press the power button, our read-only firmware starts a process we call Verified Boot. It uses an embedded 8192-bit RSA public key to verify the cryptographic signature on the read-write firmware.
After the read-only firmware verifies and runs the read-write firmware, the latter performs a similar verification operation on the operating system kernel before running it. The operating system kernel will then continue the verification process as it loads all of the system software, like Chrome.
The goal of Verified Boot is to provide cryptographic assurances that the system code hasn’t been modified by an attacker on the Chromebook. Additionally, we use lockable, non-volatile memory (NVRAM) in the TPM to ensure that outdated signatures won’t be accepted. To put this into perspective, the system does all this in about 8 seconds.
If you don’t want to boot Google-verified software — let’s say you built your own version of Chromium OS — no problem. You can flip the developer switch on your device and use the Chromebook however you’d like. It’s yours, after all!
Since no software offers perfect security (and we all want new features too), Chromebooks include an automated update system that is modeled on Chrome’s popular auto-updater. The updater checks with the server securely and downloads updates when they become available. It keeps the system updated against emerging threats and allows for new features to be rolled out seamlessly. Since every Chromebook keeps two copies of the operating system, it’s easy to update and then switch to the new version without interrupting your normal flow. In addition, it allows for the Chromebook to revert to the known working version if there are any problems during the update.
Signing in, with confidence
Signing in to the Chromebook is as simple as using your Google Account. The first user of a Chromebook can determine who else is allowed to sign in or choose to keep her machine open for anyone to sign in. In addition, every user has a private, encrypted store which means that, if you share your Chromebook, other users won’t be given access to your data. The encrypted store is implemented using the Linux kernel’s eCryptfs with keys that are protected by the TPM.
Or don’t sign in at all
Chromebooks also offer the ability to browse without signing in. We call this function Guest Mode. When Guest Mode is used, Chrome runs with the usual privacy measures of incognito mode, but none of the browsing data, including downloads, will stick around. When you exit Guest Mode or reboot your Chromebook, the browsing data is deleted.
A helping hand, even when things go wrong
While we’re dedicated to pushing the envelope with Chromebook security, we want to also be prepared in case something unexpected happens. That’s why the read-only firmware included in every Chromebook also provides a recovery mode. Recovery mode lets you install a fresh, up-to-date version of the operating system from a recovery device plugged into the USB port. That means that if an attacker manages to install malicious software, you can use recovery mode to help remove it and return your Chromebook back to the way it was.
Getting better over time
Experiencing the web securely, on any platform and with any browser, is a combined matter of the underlying infrastructure, browser design, and user action. How is data stored? Who and what can access that data? How does the user participate in these decisions?
With Chromebooks and Chrome, we’ve made advances in the security infrastructure of the operating system and the browser that should allow you to browse the web more comfortably. Beyond what we’ve discussed here so far, we continue to improve features like our Safe Browsing API and our extensions model that help protect users from malicious web content.
As a savvy web user, you’ll still want to think carefully before you enter your username and password into a suspicious website, or before you grant broad data access to an unfamiliar extension. Remember, it never hurts to follow these tips for staying safe on the web.
Security is an ongoing effort, and we aren’t stopping here! Keep your eyes open for more usability and security advances from Chrome and Chromebooks.
Posted by Will Drewry and Sumit Gwalani, Chromebook Security Team