The Chromium Chronicle #5: Coding Outside the Sandbox
Episode 5: by Ade in Mountain View, CA (August, 2019)
Chrome is split into processes. Some of them are sandboxed, which means that they have reduced access to the system and to users' accounts. In a sandboxed process, bugs that allow malicious code to run are much less severe.
The browser process has no sandbox, so a bug could give malicious code full access to the whole device. What should you do differently? And what's the situation with other processes?
All code has bugs. In the browser process, those bugs allow malicious code to install a program, steal user data, adjust computer settings, access content of all browser tabs, login data, etc.
In other processes, OS access is limited via platform-specific restrictions. For more information, see Chrome's sandbox implementation guide.
Make sure to avoid the following common mistakes:
- Don't parse or interpret untrustworthy data using C++ in the browser process.
- Don't trust the origin a renderer claims to represent. The browser's RenderFrameHost can be used to get the current origin securely.
Instead, use the following best practices:
- Be extra paranoid if your code is in the browser process.
- Validate all IPC from other processes. Assume all other processes are already compromised and out to trick you.
For years, we ran network stacks (e.g. HTTP, DNS, QUIC) in the browser process, which led to some critical vulnerabilities. On some platforms, networking now has its own process, with a sandbox coming.