All browser makers should take a page from Google's Chrome and isolate untrusted data from the rest of the operating system, a noted security researcher said.
Dino Dai Zovi, a security researcher and co-author of The Mac Hacker's Handbook, believes that the future of security relies on “sandboxing,” the practice of separating application processes from other applications, the operating system and user data.
In a Wednesday entry on Kaspersky Labs' ThreatPost blog, Dai Zovi described sandboxing, as well as the lesser security technique of “privilege reduction,” as “[moving] the bull (untrusted data) from the china shop (your data) to the outside where it belongs (a sandbox).”
The idea behind sandboxing is to make it harder for attackers to get their malicious software onto machines. Even if an attacker was able to exploit a browser vulnerability and execute malware, he would still have to exploit another vulnerability in the sandbox technology to break into the operating system and, thus, get to the user's data.
“Sandboxing raises the bar significantly enough that attackers will have to turn to other [types of attacks], like rogue anti-virus software,” Dai Zovi said today in a telephone interview.
The pervasiveness of Web-based attacks calls for browser sandboxing, Dai Zovi argued. “It's crucially important because, in my opinion, the browser will become the OS,” he said. “Google is the first to realize that the browser is the operating system, and Chrome is a huge leap forward with its ground-up rewrite.”
Chrome has included sandboxing since its September 2008 debut. And while Dai Zovi considers it easily the leader in security because of that, other browser have, or will, make their own stabs at reducing users' risks.
For example, Microsoft's Internet Explorer 7 (IE7) and IE8 on Vista and Windows 7 include a feature dubbed “Protected Mode,” which reduces the privileges of the application so that it's difficult for attackers to write, alter or destroy data on the machine, or to install malware. But it's not a true sandbox as far as Dai Zovi is concerned.
Currently, Mozilla's Firefox, Apple's Safari and Opera Software's Opera lack any sandboxing or privilege reduction features. “Apple, for example, has implemented some sandboxing in Snow Leopard, but [although] security researchers were hoping to see some of that technology used in Safari, that hasn't happened,” Dai Zovi said.
Mozilla is working on Chrome-like sandboxing for Firefox — the project's dubbed “Electrolysis” — but the feature probably won't make it into the browser until Firefox 4.0, which is now slated to ship in late 2010 or early 2011.
Dai Zovi sees browser sandboxing as an answer to the flood of exploits that have overwhelmed users in the past year. “This isn't perfect, but it's the direction we should be heading in,” he said. “The idea of fixing every vulnerability is clearly not working. We can't always win the race to patch.”
But sandboxing, or at the least, reducing the browser's ability to affect the rest of the OS, may be the way to block most attacks. “It adds more defense-in-depth and impedes attackers,” Dai Zovi said.