Presented by Alex Nicolaou - University of Toronto (exec/connections2010/...)
The world wide Application Server
More about Security: Design Principles
Do not re-invent the wheel
Principle of least privilege
Sandboxed code is malicious code
Be lightweight
Emulation doesn’t guarantee security
Testing
WebKit
V8 JavaScript VM
Q&A
Thanks!
Chrome Tip: Memory
Memory usage falls into three categories: shared, shareable, and private
Windows’ Task Manager reports different numbers in different versions
The best way to figure out what Chrome is using is to look at about:memory or use Chrome’s own task manager (Shift-Esc)
Multiple processes means more memory in minimal configurations but less in the long run
Chrome Tip: DNS Prefetch
DNS lookups are a surprising source of potential latency, with lookups that are 250ms or more being commonplace
Chrome caches DNS lookups and populates the cache from links in the pages displayed to save you time
about:histograms displays a lot of fun statistics about the workings of the browser, like DNS.PrefetchFoundName for prefetch stats
Chrome Tip: We really aren’t evil!
Enabling Chrome to share statistics with Google is a powerful way for Chrome users to work together to gather info
Crash reports and usage statistics drive development that’s good for everyone
Incognito mode can always be used for especially secure browsing
We hope you enjoy using and contributing to Chrome!
Multi-Process Architecture
A single browser process is the master
Each web site is rendered by a single render process
Communication between the two is via Chromium’s IPC mechanism (named pipes)
The master process is called a ‘broker’ and the slave processes are called ‘sandboxes’
Anatomy of a Render Process
The RenderProcess talks to the corresponding RenderHost in the browser. There is exactly one instance per process and it handles all communication to the browser
The RenderView communicates with the corresponding RenderViewHost via the RenderProcess
Anatomy of the Browser Process
The Browser object corresponds to a top-level window
Each RenderProcessHost corresponds to one IPC connection to a render sandbox
The RenderViewHost encapsulates rendering specific to a frame/DOM in the RenderProcess and handles painting and events
Life of a mouse click
The Windows message is received on the UI thread of the browser by RenderWidgetHostHWND::OnMouseEvent
ForwardMouseEventToRenderer packages the input event into a cross-platform WebMouseEvent and sends it to the RenderWidgetHost
RenderWidgetHost::ForwardInputEvent creates an IPC
Then the renderer takes control:
RenderView::OnMessageReceived gets the message and in turn forwards it to RenderWidget::OnHandleInputEvent.
The event goes to WebWidgetImpl::HandleInputEvent where it is converted to a WebKit PlatformMouseEvent class and passed to the WebCore::Widget class inside WebKit.
Specific naming and isolation for security
The Broker’s responsibilities
Specify the policy for each target process
Spawn the target processes
Host the sandbox policy engine service
Host the sandbox interception manager
Host the sandbox IPC service (to the target processes)
Perform the policy-allowed actions on behalf of the target process
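The broker model on this slide, as an added example (constructed here, not Chromium's sandbox code): the broker spawns the target, hosts a tiny policy engine and an IPC service, and performs only policy-allowed file reads on the target's behalf. Names such as Rule, policy_allows and broker_handle, and the "read_file" operation, are assumptions of this model.

```python
# Constructed model of the broker/sandbox split the slides describe; added example, not Chromium's code.
import os, tempfile
from collections import namedtuple
from multiprocessing import Pipe, Process
from pathlib import Path
Rule = namedtuple("Rule", ["op", "prefix"])  # op the target may request; dir it is confined to

def policy_allows(rules, op, path):
    """Policy engine: allow only if a rule matches op and the resolved path stays under its prefix."""
    real = os.path.realpath(path)  # resolves '..' so a request cannot escape the prefix
    for rule in rules:
        base = os.path.realpath(rule.prefix)
        if rule.op == op and (real == base or real.startswith(base + os.sep)):
            return True
    return False

def broker_handle(rules, request):
    """Perform a policy-allowed action on behalf of the target process."""
    op, path = request.get("op"), request.get("path", "")
    if op != "read_file":
        return {"ok": False, "error": "unknown op"}
    if not policy_allows(rules, op, path):
        return {"ok": False, "error": "denied by policy"}
    try:
        with open(path, "rb") as f:
            return {"ok": True, "data": f.read()}
    except OSError as exc:  # allowed by policy but missing/unreadable: report, don't crash the broker
        return {"ok": False, "error": str(exc)}

def broker_serve(rules, conn):
    """Broker's IPC service: answer one target's requests until it sends None."""
    while (request := conn.recv()) is not None:
        conn.send(broker_handle(rules, request))

def sandboxed_target(conn, paths):
    """Target process: in this model it never opens files itself, it only asks the broker."""
    for p in paths:
        conn.send({"op": "read_file", "path": p})
        print("target got:", conn.recv())
    conn.send(None)

def make_demo_dir():
    """Constructed sandbox directory holding one readable file."""
    d = Path(tempfile.mkdtemp(prefix="sbx_"))
    (d / "ok.txt").write_bytes(b"hello from broker")
    return str(d), str(d / "ok.txt")

if __name__ == "__main__":
    sandbox_dir, allowed = make_demo_dir()
    rules = [Rule("read_file", sandbox_dir)]  # the policy set for this one target process
    broker_end, target_end = Pipe()
    target = Process(target=sandboxed_target, args=(target_end, [allowed, "/etc/hostname"]))
    target.start()  # the broker spawns the target, then serves its requests
    broker_serve(rules, broker_end)
    target.join()
```

Run directly, the first request succeeds and the second is denied by policy; the target never holds a file handle of its own.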
The Sandbox’s limits
Sandbox is given a restricted token
Sandbox is in a Windows job object
Sandbox is confined to its own Windows desktop object
Windows Vista+: sandbox is at the lowest integrity level
The Sandbox’s Restricted Token
The restricted token means no access to secured objects
Does a good job on properly configured(?) Windows systems
Does not handle access to sockets on XP or access to legacy filesystems (FAT32 on USB keys, for example)
The Sandbox’s Job
The Job abstraction allows limiting access to system resources that are otherwise unsecured
Forbids the creation or switch of desktops, modifying screen resolution, clipboard access, event broadcast, etc.
Crucial for keeping the sandbox process inside its jail away from other windows
The Sandbox’s Desktop
All windows on the same desktop are vulnerable to each other
Screen scraping is one threat
Synthesized events are another
Keylogging is a third
Isolating the sandboxes to their own desktop carries a small memory penalty but is otherwise effective
Isolation of Resource Loading
Resource Loading Caveats
It is assumed that cross-domain restrictions are handled by the renderer
Handling cross-domain rules outside the renderer would introduce a lot of complexity – consider pages that legitimately load resources from many sites versus JavaScript doing the same
It is a non-goal of Chromium to protect the user from XSS website attacks