Saturday, June 10, 2023

"Desktop Linux is insecure" - bjornpagen



Take Chrome's browser as an example. The GUI, the HTML renderer, the V8 JavaScript engine, browser extensions: each of these parts of Chrome is, on its own, a heaping behemoth of code. So all these components are separated and live in different operating system processes, and can only speak to each other via an IPC mechanism.

This way, a rogue website cannot reach your home directory, because only the GUI part of Chrome (officially called the Browser process) has that access; the Renderer that parses the site's HTML and runs its JavaScript does not. The Renderer is "sandboxed".

Sandboxing is a very logical next step to make systems more secure. If you can't possibly check all code and what it does, then running that code in a place where at least it can't do much damage is the next best thing.

macOS, OpenBSD, and even Windows have all made serious progress in sandboxing.

Then there is every other desktop Linux distribution. Debian, Fedora, Ubuntu, Arch, Gentoo: all have zero meaningful system-level sandboxing.

So there we have it. Linux is very insecure because out of the box it doesn't do any kind of sandboxing.

ChromeOS (not the browser, mind you, but the Linux distro) does it better:

A modern "Linux distribution" that actually does sandboxing incredibly well is ChromeOS. There is a whole bible of strategies that ChromeOS implements to keep Chrome in its own little world. The strategies involve cgroups, namespacing, seccomp, etc. These technologies basically do what Docker does (corrected). Chrome cannot see your files unless you give it explicit permission to do so, nor can it execute other programs, or wipe your hard drive.

Not only is Chrome sandboxed—every important system process is sandboxed in ChromeOS. The system logger, the display server, the wifi daemon… A lot of architecting has gone into minimizing the attack surface of these various services by giving them the least amount of privilege possible to do their job. This is the principle of least privilege.
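To make the seccomp part of this concrete, here is an added example (written for this post; it is not bjornpagen's code and not ChromeOS's own sandbox, which is far more elaborate). It installs a seccomp-BPF filter that takes exactly one capability away from the calling process: the ability to execute another program via execve()/execveat(). Every other system call is still allowed, which is the least-privilege idea in miniature. It assumes Linux on x86_64 or aarch64 and the kernel's classic BPF macros from `<linux/filter.h>`; the function names (`install_no_exec_filter`, `exec_errno`) are my own.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* The filter must check the ABI it runs under: syscall numbers differ between
 * architectures, so a filter that skips this check can be bypassed. */
#if defined(__x86_64__)
#  define SANDBOX_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#  define SANDBOX_ARCH AUDIT_ARCH_AARCH64
#else
#  error "add the AUDIT_ARCH_* constant for this architecture"
#endif

/* Classic BPF program evaluated by the kernel on every system call:
 *   0-2: kill the process if the arch field is not the one we compiled for
 *   3-5: load the syscall number; execve and execveat go to instruction 6
 *   6:   deny with errno EPERM (process survives, the call just fails)
 *   7:   everything else is allowed */
static struct sock_filter no_exec_prog[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SANDBOX_ARCH, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_execve, 1, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_execveat, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

/* Number of BPF instructions in the filter (sanity check for the reader). */
size_t no_exec_filter_len(void) {
    return sizeof(no_exec_prog) / sizeof(no_exec_prog[0]);
}

/* Install the filter on the calling thread. Returns 0 on success, -1 with
 * errno set if the kernel or an outer container policy refuses. Once
 * installed, the filter cannot be removed for the life of the process. */
int install_no_exec_filter(void) {
    struct sock_fprog prog = {
        .len = (unsigned short)no_exec_filter_len(),
        .filter = no_exec_prog,
    };
    /* Required for an unprivileged process to install a filter; it also
     * prevents setuid binaries from handing back privilege later. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Try to exec `path` and return the errno the kernel reported. With the
 * filter installed this is EPERM. Without the filter and with a real
 * binary, execve succeeds and this function never returns. */
int exec_errno(const char *path) {
    char *const argv[] = { (char *)path, NULL };
    char *const envp[] = { NULL };
    execve(path, argv, envp);
    return errno;
}

int main(void) {
    /* Demonstrate in a child so the parent keeps its full privileges. */
    pid_t pid = fork();
    if (pid == 0) {
        if (install_no_exec_filter() != 0) {
            perror("seccomp install failed");
            _exit(100);
        }
        _exit(exec_errno("/bin/true"));   /* reached only because exec was denied */
    }
    int status = 0;
    waitpid(pid, &status, 0);
    int code = WIFEXITED(status) ? WEXITSTATUS(status) : -1;
    printf("child exec attempt failed with errno %d (%s)\n", code, strerror(code));
    return 0;
}
```

Running it prints `errno 1 (Operation not permitted)` from the child: the process is still alive and can do everything else, but the one thing it was not granted is refused by the kernel rather than by any code in Chrome itself. A real sandbox such as ChromeOS's combines a far longer allowlist-style filter with namespaces (so the process cannot even see the home directory) and a broker process that performs the few privileged operations on its behalf.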

Conclusion? The newer a system is, the better the sandboxing capabilities are (probably). That is why I would trust iOS over macOS, for example. Because it's newer.
