# Introduction

This is a list of current and planned Chrome OS security features. Each feature is listed together with its rationale and status. This should serve as a checklist and status update on Chrome OS security.

# Details

## General Linux features

| **Feature** | **Status** | **Rationale** | **Tests** | **Bug** | **More thoughts or work needed?** |
|:------------|:-----------|:--------------|:----------|:--------|:----------------------------------|
| No Open Ports | implemented | Reduce attack surface of listening services. | [security\_NetworkListeners](http://git.chromium.org/gitweb/?p=chromiumos/third_party/autotest.git;a=tree;f=client/site_tests/security_NetworkListeners) | | Runtime test has to whitelist test-system-only "noise" like sshd. See Issue 22412 (on Google Code) and [ensure\_\*](http://git.chromium.org/gitweb/?p=chromiumos/platform/vboot_reference.git;a=tree;f=scripts/image_signing) for offsetting tests ensuring these aren't on Release builds. |
| Password Hashing | When there is no TPM, scrypt is used. | Frustrate brute force attempts at recovering passwords. | | | |
| SYN cookies | needs functional test | In unlikely event of SYN flood, act sanely. | [kernel\_ConfigVerify](http://git.chromium.org/gitweb/?p=chromiumos/third_party/autotest.git;a=tree;f=client/site_tests/kernel_ConfigVerify) | | |
| Filesystem Capabilities | runtime use only | Allow root privilege segmentation. | [security\_Minijail0](http://git.chromium.org/gitweb/?p=chromiumos/third_party/autotest.git;a=tree;f=client/site_tests/security_Minijail0) | | |
| Firewall | needs functional test | Block unexpected network listeners to frustrate remote access. | | Issue 23089 (on Google Code) | |
| PR\_SET\_SECCOMP | needs functional test | Available for extremely restricted sandboxing. | [kernel\_ConfigVerify](http://git.chromium.org/gitweb/?p=chromiumos/third_party/autotest.git;a=tree;f=client/site_tests/kernel_ConfigVerify) | Issue 23090 (on Google Code) | |
| AppArmor | not used | | | | |
| SELinux | not used | | | | |
| SMACK | not used | | | | |
| Encrypted LVM | not used | | | | |
| eCryptFS | implemented | Keep per-user data private. | [login\_Cryptohome\*](http://git.chromium.org/gitweb/?p=chromiumos/third_party/autotest.git;a=tree;f=client/site_tests) | | |
| glibc Stack Protector | needs functional test | Block string-buffer-on-stack-overflow attacks from rewriting saved IP. | | Issue 23101 (on Google Code) | -fstack-protector-strong is used for almost all packages |
| glibc Heap Protector | needs functional test | Block heap unlink/double-free/etc. corruption attacks. | | Issue 23101 (on Google Code) | |
| glibc Pointer Obfuscation | needs functional test | Frustrate heap corruption attacks using saved libc func ptrs. | | Issue 23101 (on Google Code) | Includes FILE pointer mangling |
| Stack ASLR | needs functional test | Frustrate stack memory attacks that need known locations. | | | |
| Libs/mmap ASLR | needs functional test | Frustrate return-to-library and ROP attacks. | | | |
| Exec ASLR | needs functional test | Needs PIE; used to frustrate ROP attacks. | | | |
| brk ASLR | needs functional test | Frustrate brk-memory attacks that need known locations. | [kernel\_ConfigVerify](http://git.chromium.org/gitweb/?p=chromiumos/third_party/autotest.git;a=tree;f=client/site_tests/kernel_ConfigVerify) | | |
| VDSO ASLR | needs functional test | Frustrate return-to-VDSO attacks. | [kernel\_ConfigVerify](http://git.chromium.org/gitweb/?p=chromiumos/third_party/autotest.git;a=tree;f=client/site_tests/kernel_ConfigVerify) | | |
| Built PIE | needs functional test | Take advantage of exec ASLR. | [platform\_ToolchainOptions](http://git.chromium.org/gitweb/?p=chromiumos/third_party/autotest.git;a=tree;f=client/site_tests/platform_ToolchainOptions) | | |
| Built \_FORTIFY\_SOURCE | needs functional test | Catch overflows and other detectable security problems. | | | |
| Built RELRO | needs functional test | Reduce available locations to gain execution control. | [platform\_ToolchainOptions](http://git.chromium.org/gitweb/?p=chromiumos/third_party/autotest.git;a=tree;f=client/site_tests/platform_ToolchainOptions) | | |
| Built BIND\_NOW | needs functional test | With RELRO, really reduce available locations. | [platform\_ToolchainOptions](http://git.chromium.org/gitweb/?p=chromiumos/third_party/autotest.git;a=tree;f=client/site_tests/platform_ToolchainOptions) | | |
| Non-exec memory | needs functional test | Block execution of malicious data regions. | [kernel\_ConfigVerify](http://git.chromium.org/gitweb/?p=chromiumos/third_party/autotest.git;a=tree;f=client/site_tests/kernel_ConfigVerify) | | |
| /proc/PID/maps protection | needs functional test | Block access to ASLR locations of other processes. | | | |
| Symlink restrictions | implemented | Block /tmp race attacks. | [security\_SymlinkRestrictions.py](http://git.chromium.org/gitweb/?p=chromiumos/third_party/autotest.git;a=blob;f=client/site_tests/security_SymlinkRestrictions/security_SymlinkRestrictions.py) | Issue 22137 (on Google Code) | |
| Hardlink restrictions | implemented | Block hardlink attacks. | [security\_HardlinkRestrictions.py](http://git.chromium.org/gitweb/?p=chromiumos/third_party/autotest.git;a=blob;f=client/site_tests/security_HardlinkRestrictions/security_HardlinkRestrictions.py) | Issue 22137 (on Google Code) | |
| ptrace scoping | implemented | Block access to in-process credentials. | [security\_ptraceRestrictions.py](http://git.chromium.org/gitweb/?p=chromiumos/third_party/autotest.git;a=blob;f=client/site_tests/security_ptraceRestrictions/security_ptraceRestrictions.py) | Issue 22137 (on Google Code) | |
| 0-address protection | needs functional test | Block kernel NULL-deref attacks. | [kernel\_ConfigVerify](http://git.chromium.org/gitweb/?p=chromiumos/third_party/autotest.git;a=tree;f=client/site_tests/kernel_ConfigVerify) | | |
| /dev/mem protection | needs functional test | Block kernel root kits and privacy loss. | [kernel\_ConfigVerify](http://git.chromium.org/gitweb/?p=chromiumos/third_party/autotest.git;a=tree;f=client/site_tests/kernel_ConfigVerify) | Issue 21553 (on Google Code) | crash\_reporter uses ramoops via /dev/mem |
| /dev/kmem protection | needs functional test | Block kernel root kits and privacy loss. | [kernel\_ConfigVerify](http://git.chromium.org/gitweb/?p=chromiumos/third_party/autotest.git;a=tree;f=client/site_tests/kernel_ConfigVerify) | | |
| disable kernel module loading | how about module signing instead? | Block kernel root kits and privacy loss. | | | |
| read-only kernel data sections | needs functional test | Block malicious manipulation of kernel data structures. | [kernel\_ConfigVerify](http://git.chromium.org/gitweb/?p=chromiumos/third_party/autotest.git;a=tree;f=client/site_tests/kernel_ConfigVerify) | | |
| kernel stack protector | needs functional test | Catch character buffer overflow attacks. | [kernel\_ConfigVerify](http://git.chromium.org/gitweb/?p=chromiumos/third_party/autotest.git;a=tree;f=client/site_tests/kernel_ConfigVerify) | | |
| kernel module RO/NX | needs functional test | Block malicious manipulation of kernel data structures. | [kernel\_ConfigVerify](http://git.chromium.org/gitweb/?p=chromiumos/third_party/autotest.git;a=tree;f=client/site_tests/kernel_ConfigVerify) | | |
| kernel address display restriction | needs config and functional test | Frustrate kernel exploits that need memory locations. | | | Was disabled by default in 3.x kernels. |
| disable debug interfaces for non-root users | needs config and functional test | Frustrate kernel exploits that depend on debugfs. | | Issue 23758 (on Google Code) | |
| disable ACPI custom\_method | needs config and functional test | Frustrate kernel exploits that depend on root access to physical memory. | | Issue 23759 (on Google Code) | |
| unreadable kernel files | needs config and functional test | Frustrate automated kernel exploits that depend on access to various kernel resources. | | Issue 23761 (on Google Code) | |
| blacklist rare network modules | needs functional test | Reduce attack surface of available kernel interfaces. | | | |
| syscall filtering | needs functional test | Reduce attack surface of available kernel interfaces. | | Issue 23150 (on Google Code) | |
| vsyscall ASLR | medium priority | Reduce ROP target surface. | | | |
| Limited use of suid binaries | implemented | Potentially dangerous, so minimize use. | [security\_SuidBinaries](http://git.chromium.org/gitweb/?p=chromiumos/third_party/autotest.git;a=tree;f=client/site_tests/security_SuidBinaries) | | |
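Several toolchain rows above (Built PIE, Built RELRO, Built BIND\_NOW, Non-exec memory) are marked "needs functional test". The checker below is an added example, not code from platform\_ToolchainOptions or any Chrome OS project: it decides each property from the ELF64 headers alone, and builds constructed sample images to exercise itself (all function names, and the sample builder, are its own).

```python
import struct

# ELF64 constants as defined by the ELF and Linux ABI, named as in elf.h.
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X = 1
DT_NULL, DT_BIND_NOW, DT_FLAGS = 0, 24, 30
DF_BIND_NOW = 0x8

def check_hardening(elf):
    """Decide PIE / RELRO / BIND_NOW / non-exec stack from raw little-endian ELF64 bytes."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("only little-endian ELF64 images are handled")
    e_type = struct.unpack_from("<H", elf, 16)[0]
    e_phoff = struct.unpack_from("<Q", elf, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    # A binary with no PT_GNU_STACK header gets an executable stack, so default to False.
    result = {"pie": e_type == ET_DYN, "relro": False, "bind_now": False, "nx_stack": False}
    for i in range(e_phnum):
        p_type, p_flags, p_off, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:
            result["relro"] = True
        elif p_type == PT_GNU_STACK:
            result["nx_stack"] = not (p_flags & PF_X)
        elif p_type == PT_DYNAMIC:       # walk the dynamic section looking for BIND_NOW
            for off in range(p_off, p_off + p_filesz, 16):
                tag, val = struct.unpack_from("<qQ", elf, off)
                if tag == DT_NULL:
                    break
                if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW):
                    result["bind_now"] = True
    return result

def missing_hardening(elf):
    """Names of the properties a binary lacks; an empty list means it passes."""
    return [name for name, ok in check_hardening(elf).items() if not ok]

def build_elf(pie, relro, bind_now, nx_stack):
    """Constructed sample: a minimal, non-runnable ELF64 image with the requested properties."""
    dyn = (struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW) if bind_now else b"") + struct.pack("<qQ", DT_NULL, 0)
    phdrs = [(PT_GNU_STACK, 6 if nx_stack else 7, 0, 0)]        # (type, flags, offset, size)
    if relro:
        phdrs.append((PT_GNU_RELRO, 4, 0, 0))
    phnum = len(phdrs) + 1
    phdrs.append((PT_DYNAMIC, 6, 64 + 56 * phnum, len(dyn)))     # dynamic section follows the phdrs
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01" + b"\0" * 9,
                       ET_DYN if pie else ET_EXEC, 62, 1, 0, 64, 0, 0, 64, 56, phnum, 0, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, o, 0, 0, s, s, 8) for t, f, o, s in phdrs)
    return ehdr + body + dyn
```

On a real image, feed `missing_hardening` the bytes of each installed binary; a non-empty list for any of them is the failure the functional test should report.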

## Chrome OS specific features

* We use `minijail` for sandboxing:
  * [Design doc](http://www.chromium.org/chromium-os/chromiumos-design-docs/system-hardening#Detailed_Design_73859539098644_6227793370126997)
  * Issue 380 (on Google Code)
  * Current sandboxing status:

| **Service/daemon** | **Overall status** | **Usage** | **Comments** | **Exposure: Network traffic** | **Exposure: User input** | **Exposure: DBus** | **Exposure: Hardware (udev)** | **Exposure: FS (config files, etc.)** | **Privileges: Runs as** | **Privileges needed?** | **Sandbox: uid** | **Sandbox: gid** | **Sandbox: Namespaces** | **Sandbox: Caps** | **Sandbox: seccomp\_filters** |
|:-|:-|:-|:-|:-|:-|:-|:-|:-|:-|:-|:-|:-|:-|:-|:-|
| udevd | Low pri | Listens to udev events via netfilter socket | | No | No | No | Yes | No | root | Probably | No | No | No | No | No |
| session-manager | P2 | | Launched from /sbin/session\_manager\_setup.sh | No | No | Yes | No | No | root | Probably | No | No | No | No | No |
| rsyslogd | Low pri | Logging | | No | No | No | No | Yes | root | Probably | No | | No | No | No |
| dbus-daemon | Low pri | IPC | Listens on Unix domain socket | Unix domain socket | | Yes | | | messagebus | Yes | Yes | Yes | No | No | No |
| powerm | P2 | Suspend to RAM and system shutdown. Handles input events for hall effect sensor (lid) and power button. | | No | No | Yes | Yes | Yes | root | Probably | No | No | No | No | No |
| wpa\_supplicant | Low pri | WPA auth | | Yes | Via flimflam | Yes | No | Yes, exposes management API through FS | wpa | Yes | Yes | Yes | No | Yes | No |
| shill | P0 | Connection manager | | Yes | Yes | Yes | Yes | Yes | root | Probably | No | No | No | No | No |
| X | P1 | | | No (-nolisten tcp) | Yes | No | GPU | Yes | root | x86: no, ARM: yes | No | No | No | No | No |
| htpdate | Low pri | Setting date and time | | Yes | No | No | No | No | ntp | Yes | Yes | Yes | No | No | No |
| cashewd | Low pri | Network usage tracking | | No | No | Yes | No | No | cashew | Yes | Yes | Yes | No | No | No |
| chapsd | Low pri | PKCS#11 implementation | | No | No | Yes | No | No | chaps | Yes | Yes | Yes | No | No | No |
| cryptohomed | P1 | Encrypted user storage | | No | Yes | Yes | No | No | root | Probably | No | No | No | No | No |
| powerd | Low pri | Idle or video activity detection. Dimming the backlight or turning off the screen, adjusting backlight intensity. Monitors plug state (on AC or on battery) and battery state-of-charge. | | No | Yes | Yes | Yes | Yes | powerd | Probably | Yes | No | No | No | No |
| modem-manager | P1 | Manages 3G modems | | Indirectly | Yes | Yes | Yes | No | root | Probably not | No | No | No | No | No |
| gavd | P2 | Audio/video events and routing | | No | Yes | Yes | Yes | No | gavd | Yes | Yes | Yes | No | No | No |
| dhcpcd | Low pri | DHCP client | | Yes | Indirectly | No | No | No | dhcp | Yes | Yes | Yes | No | Yes | No |
| metrics\_daemon | P2 | Metrics collection and uploading | | Yes, but shouldn't listen | No | Yes | No | No | root | Probably not | No | No | No | No | No |
| cros-disks/disks | P1 | Removable media handling | | No | Yes | Yes | Yes | No | root | Launches minijail | No | No | No | No | No |
| avfsd | Low pri | Compressed file handling | Launched from cros-disks, uses minijail | Not in Chrome OS | Yes | No | No | Yes | avfs | Yes | Yes | | No | Yes | Yes |
| update\_engine | P0 | System updates | | Yes | No | Yes | No | No | root | Probably | No | No | No | No | No |
| cromo | Low pri | Supports Gobi 3G modems | | Indirectly | Yes | Yes | Yes | Probably | cromo | Yes | Yes | Yes | No | No | No |
| bluetoothd | Low pri | | | Yes | Yes | Yes | Yes | Yes | bluetooth | Yes | Yes | Yes | No | Yes | No |
| unclutter | Low pri | Hides cursor while typing | | | Yes | | | | chronos | Yes | Yes (via sudo) | No | No | No | No |
| cras | P2 | Audio server | | No | Yes | Yes | Yes | No | cras | Yes | Yes | Yes | No | No | No |
| tcsd | P2 | Portal to the TPM device driver | | No | Yes | Yes | Yes | Yes | tss | Yes | Yes | Yes | No | No | No |
| keyboard\_touchpad\_helper | P1 | Disables touchpad when typing | | | Yes | | | | root | Probably not | No | No | No | No | No |
| logger | Low pri | Redirects stderr for several daemons to syslog | | Indirectly | Indirectly | No | No | No | syslog | Yes | Yes | Yes | No | No | No |
| login | P2 | Helps organize Upstart events | | No | Indirectly | Yes | No | Yes | root | Probably | No | No | No | No | No |
| wimax-manager | P1 | | Includes third-party library | Yes | Indirectly | Yes | Yes | Yes | root | Probably not | No | No | No | No | No |
| mtpd | P2 | Manages MTP devices | Includes third-party library | No | Yes | Yes | Yes | No | mtp | Yes | Yes | Yes | No | Not needed | Yes |

Overall status priorities run from P0 (highest) through P1 and P2 to "Low pri".

Enforced by [security\_SandboxedServices](http://git.chromium.org/gitweb/?p=chromiumos/third_party/autotest.git;a=tree;f=client/site_tests/security_SandboxedServices)

# References

* https://wiki.ubuntu.com/Security/Features
* http://wiki.debian.org/Hardening
* http://www.gentoo.org/proj/en/hardened/hardened-toolchain.xml
* http://www.awe.com/mark/blog/20101130.html