Googles Chris Evans on Chrome malware and building a zeroday free browser

first_imgWhile some browsers fell fast at CanSecWest’s hacking competition, Google’s Chrome fared pretty well. In fact, it has yet to have a zero day exploit emerge in the wild during its four years on the market. No doubt this invincibility comes from the efforts Google put in to securing its web browser, a browser Chaouki Bekrar, chief researcher at French cyber security contractor VUPEN, sings the praises of for its security measures.Chris Evans is the Googler in charge of security for Chrome. We had the opportunity to chat with him at CanSecWest in Vancouver about browser Security contractors at this conference have usually ranked Chrome as the most secure browser. Why is this? What’s the key to Chrome’s security?Chris Evans: Chrome was designed from the start with security in mind, including integrated sandboxing and Safe Browsing malware protection. We have a large Chrome security team who engage in proactive hardening measures, fuzzing at scale and fast patching of bugs.And beyond our team we make it a priority to engage with the wider community–one of our core security principles — via our Chromium Vulnerability Rewards Program and Pwnium competitions. Securing a browser takes a lot of effort, but it’s important work as it’s often a user’s first line of defense against bad actors on the web.What’s the process between discovery of a threat in the wild and rolling out a patch?There is an important distinction between controlled and responsible (“white hat”) exploit discovery, and threats “in the wild” or zero days. We proactively seek the former to allow us to better manage in the event we experience the latter.In Chrome’s four years we haven’t had an zero-day situation, but we feel we’re battle ready if the situation arises. Through our three prior Pwnium competitions we’ve demonstrated two 24-hour turnarounds and one 12-hour turnaround. It is important to have a well-practiced incident response process and team.Our process involves convening a war room of engineers, reviewers, and release managers. We’ve also built a fantastic thorough and automated testing infrastructure that gives fast confidence in any proposed patches. The most important part of course is our ability to quickly push updates to our users, which is possible thanks to Chrome’s seamless auto-update feature. The auto-update approach is now used by most other browser makers, validating its effectiveness.Over the last year, what trends in malicious code and exploits have you noticed emerge in the wild?There’s been a continued focus on browser plug-ins. The most interesting thing I’ve seen is some in-the-wild attacks (and escapes) against plug-in sandboxes. As sandboxes are recognized as a best practice they are becoming more prevalent. Still, escaping a sandbox is hard work so this gives an idea of the resources attackers are willing to invest.What’s the biggest threat vector for web browsers? What constantly gives you the most headaches?Plug-ins continue to be a big security issue. They add extra exploit real-estate for online threats and since they’re separate software they require separate updates, which most often requires action on the part of the user. So oftentimes plugins on users’ machines are out-of-date, which compounds their vulnerability.In Chrome we’ve bundled Flash and a PDF reader and placed them inside a separate sandbox that’s as strong as Chrome’s native sandbox to help protect users. Because they’re packaged these plugins are auto-updated with Chrome, which significantly improves the likelihood of users being up-to-date. Chrome also blocks out-of-date plugins from running. Chrome even blocks up-to-date plug-ins from running until the user indicates permission, if that plug-in has a history of zero-day attacks against it.Are there different threats with the mobile edition of Chrome? Or is the malware experience the same?We build Chrome for Android to the same standards of security we have for desktop Chrome. This includes an integrated sandbox, various security hardening features, and fast  regular patches.Firefox seems to fare poorly at events like Pwn2Own. If you could be Mozilla for a day, what would you do?I don’t think this is true, plus it’s important to note that participating in events such as Pwn2Own and being exploited in a responsible way provides an opportunity to learn and grow, and ultimately, keep users safe.[Image courtesy:]last_img

Leave a Reply

Your email address will not be published. Required fields are marked *