Getting existing code bases such as rendering engines to work fully within this type of sandbox sometimes presents engineering challenges.For example, the rendering engine typically loads font files directly from the system's font directory, but our sandbox does not allow such file access.Mac OS X has an operating system-provided sandbox, and Linux processes can be sandboxed using App Armor and other techniques.For Windows, we chose our current sandbox because it is a mature technology that aims to provide both confidentiality and integrity for the user's resources.As we port Google Chrome to other platforms such as Mac and Linux, we expect to use a number of different sandboxing techniques but keep the same security architecture. Google Chrome also makes vulnerabilities more difficult to exploit by using several barriers recommended for Windows programs.These include DEP (data execution prevention), ASLR (address space layout randomization), Safe SEH (safe exception handlers), heap corruption detection, and stack overrun detection (GS).The browser kernel acts with the user's authority and is responsible for drawing the user interface, storing the cookie and history databases, and providing network access.


In this article, we discuss how our team used these techniques to improve security in Google Chrome.The sandbox aims to prevent the rendering engine from interacting with other processes and the user's operating system, except by exchanging messages with the browser kernel via an IPC channel.



