Will Drewry, Security Engineer for Chrome OS, explains in this video how the security enhancements of Chrome OS are achieved. It is the second of four videos released along with the source code of Chrome OS.
This is what is said in the video:
- All apps are web apps.
- The sandbox is used to protect the system from malicious web apps.
- Everything runs isolated from each other (system, browser, services, apps).
- There are two system partitions and an encrypted user data partition (I already checked that with my Linux machine. It’s not possible to mount the encrypted partition properly. The other ones hold the usual Linux stuff. There are no passwords given for any of the 10+ users preconfigured in the machine.)
- Updates are loaded on one of the system partitions, checked for authenticity and then copied to the “active” partition.
- The system cannot be changed as the kernel checks the system’s hash values during boot time.
- The kernel is protected by special firmware (I’m not sure if this implies that special hardware must be used).
- If the system is compromised during runtime, a reboot will recover a safe state.
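
The boot-time hash check from the list above, as a simplified model added here (not Chrome OS code and not taken from the video); the block size, function names and sample image are assumptions. It shows that the check only holds if the trusted root value is stored where a compromised system cannot rewrite it.

```python
import hashlib
import hmac

BLOCK_SIZE = 4096  # assumed block size for this model


def block_hashes(image: bytes) -> list:
    """SHA-256 digest of every fixed-size block of a partition image."""
    return [hashlib.sha256(image[i:i + BLOCK_SIZE]).digest()
            for i in range(0, len(image), BLOCK_SIZE)]


def root_hash(hashes: list) -> bytes:
    """One digest that commits to the ordered table of block hashes."""
    h = hashlib.sha256(len(hashes).to_bytes(8, "big"))
    for digest in hashes:
        h.update(digest)
    return h.digest()


def verify_at_boot(image: bytes, table: list, trusted_root: bytes):
    """Return (ok, modified_block_indexes) for the image found on disk."""
    # The table sits next to the image, so check it against the root first.
    if not hmac.compare_digest(root_hash(table), trusted_root):
        return False, []
    actual = block_hashes(image)
    if len(actual) != len(table):
        return False, []
    bad = [i for i, (a, t) in enumerate(zip(actual, table)) if a != t]
    return not bad, bad


# Constructed sample: an 8-block "system partition" and its build-time hashes.
GOOD_IMAGE = b"".join(bytes([n]) * BLOCK_SIZE for n in range(8))
GOOD_TABLE = block_hashes(GOOD_IMAGE)
TRUSTED_ROOT = root_hash(GOOD_TABLE)  # assumed to be out of reach at runtime


def tamper(image: bytes, block: int) -> bytes:
    """Flip one byte inside the given block, as a runtime compromise would."""
    pos = block * BLOCK_SIZE + 10
    return image[:pos] + bytes([image[pos] ^ 0xFF]) + image[pos + 1:]


if __name__ == "__main__":
    evil = tamper(GOOD_IMAGE, 5)
    print(verify_at_boot(GOOD_IMAGE, GOOD_TABLE, TRUSTED_ROOT))    # clean boot
    print(verify_at_boot(evil, GOOD_TABLE, TRUSTED_ROOT))          # block 5 changed
    print(verify_at_boot(evil, block_hashes(evil), TRUSTED_ROOT))  # table replaced too
```
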