The Limits of Sandboxing and Next Steps

Wednesday, February 03, 2021 - 10:20 am10:50 am

Chris Palmer, Google Chrome Security

Abstract: 

Privilege separation and reduction ("sandboxing") has significantly improved software security, and in many applications is a baseline requirement for safe design. (In fact, there are still many applications that can and should adopt sandboxing.)

Although necessary, sandboxing is not sufficient by itself. The designs and implementations of real-world operating systems put a ceiling on the effectiveness and applicability of sandboxing. From years of experience shipping Chromium, we have learned that (1) Chromium is at or near the limit of how much safety it can practically provide with privilege separation and reduction; and (2) we still need to provide greater resilience.

Therefore, we must find and develop additional security mechanisms. Our primary approach is now working toward increased memory safety. Where sandboxing limits the value attackers gain from exploiting vulnerabilities, memory-safe(r) code can eliminate vulnerabilities altogether or make it infeasible to use them in an exploit chain.

This talk is about lessons learned in the real world. I'll discuss the nature and particulars of the OS limitations we face, what security gap they leave us with, and what we are doing to make Chromium's large codebase less memory-unsafe. I'll highlight some lessons we've learned that security engineers working on other projects can hopefully make use of.

Chris Palmer, Google Chrome Security

I work at Google as a software security engineer on Chrome, where I work on hardening Chromium's underpinnings and securing the web platform runtime. (I was previously on the Secure UX sub-team, and before that, I worked on Web PKI.) I used to be on the Android team at Google. Previously, I was the Technology Director at the Electronic Frontier Foundation, a Principal Security Consultant at iSEC Partners (now NCC Group), and a web developer at a couple of small shops.

BibTeX
@conference {264142,
author = {Chris Palmer},
title = {The Limits of Sandboxing and Next Steps},
year = {2021},
address = {Oakland, CA},
publisher = {{USENIX} Association},
month = feb,
}