In their recent blog post, Google’s Sundar Pichai, VP Product Management, and Linus Upson, Engineering Director, announced Google’s new operating system – Google Chrome OS.
http://googleblog.blogspot.com/2009/07/introducing-google-chrome-os.html
In this announcement, Google identified security as a key goal and design component for Chrome OS. Details are sparse, but here are the key security-related quotes from the announcement, along with some thoughts on their approach.
“And as we did for the Google Chrome browser, we are going back to the basics and completely redesigning the underlying security architecture of the OS so that users don’t have to deal with viruses, malware and security updates.”
Although the Chrome browser has progressed in leaps and bounds from a security standpoint, when first released, it was riddled with security problems. Chrome OS will probably suffer the same fate: significant security issues for Beta and 1.0. However, Chrome security seems to have stabilized (comparatively). Many Chrome proponents claim this is due to the advanced security architecture implemented in Chrome. (Exercise: compare Chrome updates to the long parade of Patch Tuesday critical security updates for IE – a product that has had over a decade to get it right, and still hasn’t.) I believe there is a good chance that the simplicity of Chrome OS + Chrome browser, with Google’s clean-sheet security design approach, will enable it to immediately surpass the comparative security levels of Windows + IE 8.
“The software architecture is simple — Google Chrome running within a new windowing system on top of a Linux kernel. For application developers, the Web is the platform. All Web-based applications will automatically work and new applications can be written using your favorite Web technologies.”
There are a couple of security ramifications from this quote. “Linux kernel” – a strong place to start from a security standpoint. The Linux kernel has been pounded on for years now and has stood up well. This bodes well for Chrome OS. “Web-based Applications” – Ouch! It was all sounding so good to this point. It’s obvious that the blackhat community is expanding its sights to include the Web server and apps. There has been a growing wave of SQL-injection and cross-site-scripting exploits in the past year. Also, there are more and more JavaScript vulnerabilities – a staple of Web-based applications. Will Google Chrome OS just shift the vulnerability landscape from the client to Web apps and servers? That’s my bet.
“We have a lot of work to do, and we’re definitely going to need a lot of help from the open source community to accomplish this vision.”
Chrome’s reliance on WebKit and the reuse of the Linux kernel by Chrome OS underscore the importance of open source security to Google’s plans. As we all know, the main constants in life are: taxes, death, and arguments over the security of open source software. From my standpoint, it is hard to argue against the recent security performance of the Linux kernel. Pretty solid track record of late. Conversely, a look at the barrage of vulnerabilities plugged in the recent Safari 4 update shows that WebKit has a long way to go. Time to get serious about security, WebKit team!
All in all, I’m excited that we may soon have a new-generation Web solution stack that is designed with security as a key component. There will be some expected shake-out in the beginning, but I expect Chrome OS, over time, to significantly reduce the number of client-focused exploits. Web app developers, prepare! You are next on the target list.
Another exciting point is the fact that Microsoft will not take this lying down. It will be fun to track security upgrades in Windows 7, IE, Live, and Azure as this “arms race” with Chrome OS progresses. Competition is a wonderful thing!




