Chrome notebooks were designed from the beginning to help protect users from system exploits and software vulnerabilities, while ensuring the operating system is still simple and easy to use. Through a “defense in depth” approach, we utilize the existing web security features in the Chrome browser as well as additional improvements such as secure and seamless automatic operating system updates, verified boot, encryption, intuitive account management, system hardening and process isolation.
While it’s still important to take precautions to protect your data, Chrome notebooks provide a strong security infrastructure that helps mitigate many of the most common security concerns.
One of the most effective ways to protect yourself from malware is to make sure all of the software on your computer is up-to-date and has the latest security fixes. While this can be difficult to manage on traditional operating systems with many software components from various vendors (all with different update mechanisms and user interfaces), Chrome notebooks manage updates for you automatically, so you are always running the latest and most secure version of the operating system and browser.
If you’re interested, you can read more about the benefits of silent auto-updates in this report: http://www.techzoom.net/publications/silent-updates/
Chrome users are also better protected from malware because many parts of the browser run in a sandbox, an additional layer of security that surrounds every tab, page and extension. Similarly, Chrome notebooks ship with a limited set of supported plugins, so additional native plugins with direct access to your computer cannot be installed on your notebook.
The sandbox helps isolate many classes of vulnerabilities from the rest of your computer. For example, much of the complex work in the browser is done by the rendering engine, the part of the browser that lays out web pages. While the browser process has complete access to the notebook, the rendering engine must go through the browser process, which checks to make sure each request looks legitimate. In a sense, the browser process acts like a supervisor that double-checks that the rendering engine is acting appropriately. If you visit an infected page, the browser process ensures that the rendering engine handling that page can't read or write to your local filesystem, or persist any malware. The threat is contained in the sandbox.
Of course, no sandbox is perfect. If, for some reason, malware attempts to work around the protection, it will also have to bypass other exploit-technique defenses that are compiled into the software running on the notebook, such as randomizing the locations of running system applications in memory and executing code only from certain approved memory locations. These defenses add another layer of protection.
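The "supervisor" relationship described above, in which the sandboxed rendering engine never touches the filesystem directly but asks the browser process, which checks the request against a policy, can be illustrated with a small broker check. This is an added example, not Chrome's own code: the directory names, the request format and the policy are constructed for illustration, and a real sandbox enforces the boundary with operating-system mechanisms rather than a Python function. The point it shows is that the broker decides on the normalized path, so a request dressed up with `..` segments cannot escape the allowed directory, and that writes to the local filesystem are refused outright.

```python
import posixpath

# Constructed policy for this example (not Chrome's real configuration):
# the renderer may read only from one cache directory and may write nowhere.
READ_ALLOWED_ROOTS = ("/home/chronos/user/Cache",)
WRITE_ALLOWED_ROOTS = ()


def _inside(path, roots):
    """Return True if the normalized absolute path lies under one of roots.

    Normalizing first collapses "..", "." and duplicate slashes, so the check
    is made on the path that would actually be opened, not on the text the
    renderer sent.
    """
    norm = posixpath.normpath(path)
    if not norm.startswith("/"):
        return False  # relative paths are never accepted
    for root in roots:
        root = posixpath.normpath(root)
        if norm == root or norm.startswith(root + "/"):
            return True
    return False


def broker_check(request):
    """Decide whether a renderer request may proceed.

    request is a dict such as {"op": "read", "path": "/home/chronos/user/Cache/x"}.
    Returns (allowed, reason) so the caller can log the decision.
    """
    op = request.get("op")
    path = request.get("path", "")
    if op == "read":
        if _inside(path, READ_ALLOWED_ROOTS):
            return True, "read inside allowed cache directory"
        return False, "read outside allowed roots"
    if op == "write":
        if _inside(path, WRITE_ALLOWED_ROOTS):
            return True, "write inside allowed roots"
        return False, "renderer may not persist to the local filesystem"
    return False, "unknown operation %r" % (op,)


def run_sample_requests():
    """Run a few constructed requests through the broker and return decisions."""
    samples = [
        {"op": "read", "path": "/home/chronos/user/Cache/f_0001"},
        {"op": "read", "path": "/home/chronos/user/Cache/../../../etc/passwd"},
        {"op": "write", "path": "/home/chronos/user/Cache/dropped.bin"},
        {"op": "read", "path": "Cache/f_0001"},
    ]
    return [(s["op"], s["path"], broker_check(s)) for s in samples]


if __name__ == "__main__":
    for op, path, (allowed, reason) in run_sample_requests():
        print("%-5s %-50s %s (%s)" % (op, path, "ALLOW" if allowed else "DENY", reason))
```

Only the first request is allowed; the traversal attempt normalizes to `/etc/passwd` and is refused, the write is refused regardless of location, and the relative path is refused because the broker cannot tell what directory it is relative to.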
In the case that a bug manages to overcome the sandbox and the other built-in defenses, your Chrome notebook is still protected. Each time you restart the computer, the operating system performs a self-check called Verified Boot. If it detects that your operating system has been tampered with or corrupted, it will attempt to repair the problem automatically, or otherwise allow you to do a hardware-assisted reinstall. Your operating system is wiped and reinstalled, and your system will be as good as new, as if nothing happened.
Verified Boot provides cryptographic assurance that the entire operating system, including the kernel, partition table and even the firmware, has not been tampered with when the system starts up. This approach is not what is typically referred to as "trusted boot," since it does not depend on a Trusted Platform Module (TPM) device or other specialized processor features. Instead, a chain of trust is created using custom read-only firmware that performs integrity checking on the writable firmware. In each step of the boot process, the code checks to make sure that the next step is verified and unmodified. Chrome notebooks do use the lockable non-volatile memory of a TPM device to record the versions already booted, which prevents an attacker from rolling your system back to an older version.
If the Verified Boot check detects a problem, or you just want to start your Chrome notebook fresh, the notebook itself can help. The chip inside the notebook that starts the verified boot process is read-only and can't be changed by malware, so you can essentially recover your system and revert to a state in which malware can't stick around.
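The two ideas in the Verified Boot description, a chain in which each stage checks the next before handing over, and a TPM-backed minimum version that stops rollback to an older image, can be modelled in a few dozen lines. This is an added example and not Chrome OS's verified boot implementation: the image format (a JSON header followed by the payload), the stage names and the `TpmNv` class are constructed for illustration. One simplification is labelled in the code: the read-only root here holds a hash of the writable firmware, whereas real read-only firmware holds a public key and checks signatures, so that a firmware update does not require changing the root. The chain-of-trust and rollback logic is the same in either design.

```python
import hashlib
import json

STAGES = ("rw_firmware", "kernel")  # order in which control is handed over


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def make_image(name, version, payload, next_hash=None):
    """Build a stage image: a JSON header (constructed format for this example)
    followed by the payload. next_hash is the hash the stage expects of the
    stage it will boot next; the last stage carries None."""
    header = {"name": name, "version": version, "next_hash": next_hash}
    return json.dumps(header).encode() + b"\n" + payload


def parse_image(image):
    header, _, payload = image.partition(b"\n")
    return json.loads(header), payload


class TpmNv:
    """Stands in for the TPM's lockable non-volatile storage. The recorded
    minimum version for each stage can only ever be raised."""

    def __init__(self):
        self.min_version = {stage: 0 for stage in STAGES}

    def raise_min(self, stage, version):
        if version > self.min_version[stage]:
            self.min_version[stage] = version


def build_system(fw_version=1, kernel_version=1, kernel_payload=b"kernel code"):
    """Constructed sample system: RO root -> RW firmware -> kernel."""
    kernel = make_image("kernel", kernel_version, kernel_payload)
    rw_fw = make_image("rw_firmware", fw_version, b"firmware code",
                       next_hash=sha256(kernel))
    # Simplification: the RO root stores a hash; real RO firmware stores a
    # public key and verifies a signature over the RW firmware instead.
    ro_firmware = {"rw_firmware_hash": sha256(rw_fw)}
    return ro_firmware, {"rw_firmware": rw_fw, "kernel": kernel}


def verified_boot(ro_firmware, images, nv):
    """Walk the chain. Returns ("normal", log) if every stage verifies and is
    not older than the TPM-recorded minimum, else ("recovery", log)."""
    log = []
    expected = ro_firmware["rw_firmware_hash"]  # trust starts at the RO root
    for stage in STAGES:
        image = images.get(stage)
        if image is None:
            log.append("%s: missing" % stage)
            return "recovery", log
        if sha256(image) != expected:
            log.append("%s: hash mismatch (tampered or corrupted)" % stage)
            return "recovery", log
        header, _ = parse_image(image)
        if header["version"] < nv.min_version[stage]:
            log.append("%s: version %d older than recorded minimum %d (rollback)"
                       % (stage, header["version"], nv.min_version[stage]))
            return "recovery", log
        log.append("%s v%d: verified" % (stage, header["version"]))
        expected = header["next_hash"]  # this stage vouches for the next one
    # Every stage checked out: record the versions so that older images
    # cannot be booted on this machine later.
    for stage in STAGES:
        header, _ = parse_image(images[stage])
        nv.raise_min(stage, header["version"])
    return "normal", log


if __name__ == "__main__":
    nv = TpmNv()
    ro, imgs = build_system(fw_version=2, kernel_version=2)
    print(verified_boot(ro, imgs, nv))            # normal boot, records v2
    imgs["kernel"] = imgs["kernel"] + b"!"        # simulate a modified kernel
    print(verified_boot(ro, imgs, nv))            # recovery: hash mismatch
    old_ro, old_imgs = build_system(fw_version=1, kernel_version=1)
    print(verified_boot(old_ro, old_imgs, nv))    # recovery: rollback
```

The third call is the interesting one: the old images are internally consistent (every hash matches), yet the boot still lands in recovery because the TPM's recorded minimum was raised to 2 by the earlier successful boot and cannot be lowered.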
When you use web apps on your Chrome notebook, all your documents are stored safely in the cloud. But certain kinds of files, like downloads, cookies, and browser cache files, may still be present on your notebook. To protect cached user data in their home directories, Chrome OS encrypts each user's private local storage. The data encryption is done using eCryptfs, which is an in-kernel encrypting file system that's part of the standard Linux kernel. To further increase the security, the eCryptfs keys are stored using tamper-resistant hardware, making it very difficult for anyone to access those files.
Using security to protect user privacy
In addition to focusing on security, throughout our design and development processes we made it a top priority to provide users with transparency and control over their personal data.
Our security features such as verified boot and data encryption go a long way toward protecting users’ data. In addition, we have a number of privacy features to give you even greater control of your browsing experience and the information that you decide to share online or with your friends.
Users who have signed in to their Google account on their Chrome notebook can browse the web using Incognito mode, a special "stealth" mode for surfing the Web that helps prevent any information about your browsing session from being saved on the computer. When browsing in Incognito mode, Chrome does not remember your browsing and search history, and all cookies and records of downloads are automatically cleared when you close your browser window.
If you are privacy conscious, we feel the Guest mode on your Chrome notebook is the most private web browsing experience you can get in a consumer operating system.
Since many people use Incognito mode on their computers when their friends and family want to borrow the computer for a while, we elevated this functionality to the OS level and created Guest mode for Chrome notebooks. In Guest mode, you do not have to sign in, and your Chrome notebook does not keep any record of your browsing session once you exit the mode. Browsing in Guest mode also prevents your friend from being able to access your notebook settings or data, and vice versa. And since Guest mode operates on a temporary file system, once you sign off, all browsing data is immediately deleted.
Safe Browsing helps protect you from phishing websites that try to trick you into typing your username and password on a site pretending to be legitimate, for example, a site pretending to be your bank. It also warns you when you browse to a site that's trying to install malware on your computer. To further protect your privacy, the feature never sends the exact URL of the web page that you are visiting to the Safe Browsing servers; it sends only enough for the servers to tell the browser whether a warning is needed. To learn more about how Safe Browsing works, check out: http://www.youtube.com/watch?v=NR_E_B8k-cI
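The "only enough to send you a warning" design works by hashing. The browser canonicalizes the URL, takes a cryptographic hash of it, and sends the server only a short prefix of that hash; the server answers with the full hashes of known-bad entries that share the prefix, and the final comparison happens locally. The following is an added example of that pattern, not Google's Safe Browsing code: the canonicalization is a simplified approximation of the real rules, the 4-byte prefix length and the blocklist are constructed, and `SafeBrowsingServer` stands in for the real service. The `received` list records what the server learns, which is the point of the exercise.

```python
import hashlib
from urllib.parse import urlsplit

PREFIX_LEN = 4  # constructed for this example; the prefix is far too short to recover the URL


def canonicalize(url):
    """Simplified canonical form: scheme dropped, host lowercased, fragment
    removed, empty path becomes "/". The real Safe Browsing canonicalization
    rules are considerably more involved; this approximation is enough to show
    why "http://PHISH.example/login#x" and "http://phish.example/login" match."""
    parts = urlsplit(url.strip())
    host = parts.hostname or ""          # urlsplit lowercases the hostname
    path = parts.path or "/"
    query = ("?" + parts.query) if parts.query else ""
    return host + path + query


def full_hash(url):
    return hashlib.sha256(canonicalize(url).encode()).digest()


class SafeBrowsingServer:
    """Holds full hashes of known-bad URLs. Clients download the prefix list
    and, on a local prefix hit, ask for the full hashes behind one prefix."""

    def __init__(self, bad_urls):
        self.by_prefix = {}
        for url in bad_urls:
            h = full_hash(url)
            self.by_prefix.setdefault(h[:PREFIX_LEN], set()).add(h)
        self.received = []  # everything the server ever learns from a client

    def published_prefixes(self):
        return set(self.by_prefix)

    def lookup(self, prefix):
        self.received.append(prefix)
        return self.by_prefix.get(prefix, set())


class Client:
    """Browser side: keeps the downloaded prefix list, contacts the server only
    when a prefix matches, and compares full hashes locally."""

    def __init__(self, server):
        self.server = server
        self.local_prefixes = server.published_prefixes()

    def is_unsafe(self, url):
        h = full_hash(url)
        prefix = h[:PREFIX_LEN]
        if prefix not in self.local_prefixes:
            return False                 # no network traffic at all for this URL
        return h in self.server.lookup(prefix)


# Constructed blocklist for the example; .example is a reserved domain.
BAD_URLS = ["http://phish.example/login", "http://malware.example/download"]


def demo():
    """Return (verdicts, what_the_server_saw) for a few constructed visits."""
    server = SafeBrowsingServer(BAD_URLS)
    client = Client(server)
    visits = ["http://PHISH.example/login#session",
              "http://bank.example/account",
              "http://malware.example/download?x=1"]
    verdicts = {v: client.is_unsafe(v) for v in visits}
    return verdicts, server.received


if __name__ == "__main__":
    verdicts, seen = demo()
    for url, unsafe in verdicts.items():
        print("%-45s %s" % (url, "WARN" if unsafe else "ok"))
    print("server received only:", [p.hex() for p in seen])
```

Two things to notice in the output: the bank URL never reaches the server at all, because its prefix is not on the downloaded list, and for the URLs that do trigger a lookup the server sees four bytes of a hash rather than the page address. The query string on the third visit is part of the canonical form, so that URL is not flagged by this example even though the same host and path without a query string are on the list; real Safe Browsing checks several host and path combinations for each URL to cover such cases.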
This is just the beginning!
Security and privacy protection is not a one-time effort, but rather an iterative process that we will continue to improve over the life of your Chrome notebook. For the Pilot program, we’ve focused on getting the foundations right by using a variety of defenses to better protect your computer. Using our defense in depth approach, the security of Chrome notebooks will continue to get stronger as we add more features and enhance the work we’ve already implemented. Welcome to the world of browsing without worrying.