Exploiting ChromeOS
Matt Johansen and Kyle Osborn gave a well-delivered talk at Blackhat on hacking Google ChromeOS. For those not familiar with ChromeOS, it is essentially an OS made up only of the Chrome web browser; Google asserts that this creates a malware-free operating environment, which, as the talk showed, is not quite accurate. Since ChromeOS lacks any other native apps, Google has introduced extensions, which amount to little weblets with API access to Chrome (JavaScript that doesn't just control the DOM but also the chrome/shell of the browser itself), to provide an app concept that sits between a native app and a website. The crucial consideration for this talk is that these extensions are not sandboxed the way a normal website is: they can create and interact with other tabs regardless of the origin of those tabs. To show what this allows, Matt and Kyle demonstrated that by either subverting a vulnerable extension (including a Google-authored scratchpad extension that has since been fixed) or by publishing a malicious extension in the extensions market, they could essentially compromise any website the user visits (or has visited and still holds an active session for). Extensions can inject code into an open tab (and open tabs and navigate them to a particular page), which means the integrity of any website can be compromised on the client.
What this really means is that malware won't be barred from ChromeOS; it will simply need to evolve. You will still have trojans, just in the form of malicious extensions hosted in the Chrome Extension market rather than on random websites (and hey, we are already seeing closed markets hosting trojans; just look at Google's Android market). There will still be exploitation of installed vulnerable software, just in the form of vulnerable extensions rather than vulnerable apps. That isn't to say everything is a direct mirror of the desktop world, but rather an illustration that the more freedom you give third-party code to run, the more malicious actions it can perform (which should be self-evident). By being fairly permissive with extensions, ChromeOS allows for several exploitation scenarios. Google could lock down what extensions do (cutting off API access to tabs, for example), but in doing so they would also cut down what legitimate extensions are capable of. What the talk really illustrated for Google are the lessons MS has long been plagued with: no matter how good your own security is, you are still impacted by the permissions you give the third-party code a user wants to run, and by the security of that third-party code.
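The permission trade-off above can be made concrete with a small manifest audit. The following is an added example, not code from the talk or from Google: it flags the manifest entries that grant exactly what the talk relied on, namely tab-level API access and host patterns that let an extension run code on every site. It assumes the documented Chrome manifest fields (`permissions`, `host_permissions`, `content_scripts` with `matches`); both sample manifests are constructed for illustration.

```javascript
// Host patterns that cover every origin the user may visit.
const BROAD_HOSTS = ['<all_urls>'];
// API permissions that let an extension reach into or script other tabs.
const CROSS_TAB_APIS = ['tabs', 'scripting', 'webNavigation', 'webRequest', 'debugger'];

// A match pattern is "broad" if it is <all_urls> or its host part is a bare "*"
// (e.g. "http://*/*" or "*://*/*"); "*://*.example.com/*" is scoped and is not flagged.
function isBroadHost(pattern) {
  if (BROAD_HOSTS.includes(pattern)) return true;
  const m = /^(\*|https?|file|ftp):\/\/([^/]+)\//.exec(pattern);
  return m !== null && m[2] === '*';
}

// Returns a list of human-readable findings; an empty list means the manifest
// asks for nothing that lets it touch arbitrary tabs or origins.
function auditManifest(manifest) {
  const findings = [];
  const perms = manifest.permissions || [];
  // MV2 put host patterns in "permissions"; MV3 moved them to "host_permissions".
  for (const p of [...perms, ...(manifest.host_permissions || [])]) {
    if (isBroadHost(p)) findings.push(`host permission "${p}" grants access to every site`);
  }
  for (const a of perms.filter((p) => CROSS_TAB_APIS.includes(p))) {
    findings.push(`API permission "${a}" allows reaching into other tabs`);
  }
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) {
      if (isBroadHost(m)) findings.push(`content script injects into "${m}" (all sites)`);
    }
  }
  return findings;
}

// Constructed sample: a note-taking extension asking for far more than it needs.
const BROAD_MANIFEST = {
  name: 'Notes (constructed, over-privileged)',
  manifest_version: 2,
  permissions: ['tabs', '<all_urls>'],
  content_scripts: [{ matches: ['http://*/*', 'https://*/*'], js: ['inject.js'] }],
};

// Constructed sample: the same extension scoped to its own service origin only.
const NARROW_MANIFEST = {
  name: 'Notes (constructed, least privilege)',
  manifest_version: 2,
  permissions: ['storage'],
  content_scripts: [{ matches: ['https://notes.example.com/*'], js: ['inject.js'] }],
};
```

Run `auditManifest` against each manifest: the over-privileged one produces four findings (the `<all_urls>` host grant, the `tabs` API, and two all-site content-script matches), while the scoped one produces none.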
~ Joshbw