Status
Not open for further replies.

Amiga500

Level 12
Verified
As the thread title suggests how strong is this sandbox really.?
I have read conflicting blogs and articles about this sandbox.(they always are conflicting are they not.):rolleyes:
From my limited understanding on this subject it uses operating system access controls and does not actually have its "own" native sandbox,which would imply its weaker on windows than linux.
Any thoughts...?.:)
 

Cch123

Level 7
Verified
Strongest among the browsers. Yes, there are some blogs out there that criticize Chrome's sandbox and some are strongly promoting it, but they almost universally agree that Chrome's sandbox implementation and overall security architecture is the strongest.

You are right to say that it depends on operating system controls, and so it is weaker on Windows that linux, which provides native support for sandboxing at the kernel level. However, Chrome developers are unwilling to go further because anything else would require kernel drivers or could cause a lot of conflicts.
 

Amiga500

Level 12
Verified
Chrome uses windows mechanisms for restrictions (protected mode), low-integrity levels (Designing Applications to Run at a Low Integrity Level), and other complicated stuff i dont recall. Not mentioning its phishing and malware filter.

Compared to other browser (even other chromium-based ones) , Chrome is very solid in term of security.
This is exactly the problem,
Why would windows users use chrome over internet explorer if the same restrictions are in place..?:confused:
Google tout chrome has having its own sandbox but if we look at this statement in detail we realise it is in fact using the restrictive policies already in place by the chosen operating system.So in the face of things we need to be looking at the operating systems involved rather than individual browsers.:)
 
D

Deleted member 178

What is a sandbox (chromium point of view)

What is the sandbox?

The sandbox is a C++ library that allows the creation of sandboxed processes — processes that execute within a very restrictive environment. The only resources sandboxed processes can freely use are CPU cycles and memory. For example, sandboxes processes cannot write to disk or display their own windows. What exactly they can do is controlled by an explicit policy. Chromium renderers are sandboxed processes.
 
Reactions: Sunshine-boy

Cch123

Level 7
Verified
This is exactly the problem,
Why would windows users use chrome over internet explorer if the same restrictions are in place..?:confused:
Google tout chrome has having its own sandbox but if we look at this statement in detail we realise it is in fact using the restrictive policies already in place by the chosen operating system.So in the face of things we need to be looking at the operating systems involved rather than individual browsers.:)
They use far more than low integrity levels. For example, there was a Windows font kernel zeroday that could make a full sandbox bypass on Internet Explorer and many other browsers sometime back, but Chrome was unaffected as they had their own font libraries and used win32k lockdown APIs. I refrained from discussing the specifics here or this thread would be extremely technical. The link Umbra provided would give you more information on the technical specifics if you are interested.
 

XhenEd

Level 27
Content Creator
Trusted
Verified
What exact protection does Chrome sandbox offers? Is it against exploits? Malwares? Specific malwares? All of these? Some of these?
 
Reactions: Sunshine-boy

Cch123

Level 7
Verified
Chrome sandbox is meant to protect against most exploits, and an added advantage is that it creates a more stable chrome where a crash due to a site/extension would not cause the entire browser to crash. There are some classes of exploits that it does not protect against, such as kernel exploits.

Malware blocking is done by the Google's Safebrowsing, not its sandbox.
 

Amiga500

Level 12
Verified
What exact protection does Chrome sandbox offers? Is it against exploits? Malwares? Specific malwares? All of these? Some of these?
If a true sandbox were being employed then it would not matter as they would be all vaporised at restart.:D
 
Reactions: XhenEd

Amiga500

Level 12
Verified
And so would the user's downloads/cat pictures/new extensions...the next thing that would be vaporised would be the sanity of Google's support team.
possibly ,however programs like sandboxie on windows do have the ability to take things out of the sandbox.
This actually raises another point entirely.
On windows for example whether chrome can sandbox or not is a mute point because it can simply be run in sandboxie.
On linux is where i feel chrome may be more useful as it employs more strategies.
 
L

LabZero

About the technical point of view, the topic is far too complex to be explained. So I turn to the average user who simply want to browse the internet safely.

About the Chrome sandbox.

The sanboxing is a technology that allows a process to isolate itself each open tab, each plugin and every extension so that a malicious code remains "locked" inside and cannot spread in the computer. OK, it's a very, very effective in most cases, Chrome generally is harder to hack through hacking but the sandbox is not inviolable: It's a software and as such subject to bugs that can make it ineffective, what is already happened. So what's the point ? Let's say that browsing on malware sites statistically blocks many threats but a web page that contains an exploit to "puncture" the Chrome sandbox can easily inject malicious code on the system.

What I'm trying to say is that the sandbox is just one of the tools that increase the level of security in a browser.
 
Last edited by a moderator:
Status
Not open for further replies.