Okay so Linux security and how web browser sandbox is really work and this I find really interesting and so this is about the Linux security api’s and that have been coming in the later versions of Linux and how they are used inside of chromium to make the sandbox of the of the Linux version of the chromium browser that.
The chromium browser the Chrome browser Opera browser brave browser Vivaldi browser all sorts of browsers that are based on chromium so probably a browser on your computer okay let’s get going this is shorter I.
Promise okay I’ll start slowly done okay by the way this is the dyno from chrome so I remember which presentation it is okay so one of the things the reason why I made this this presentation was because I think that Linux security api’s are really interesting and then I wanted to talk about them but most people don’t find them really interesting so then I was like yeah but people think browsers are cool so.
Talk about them in context of browsers and and also.
The fact that sandbox sounds was also very cool and I had to pitch it to a conference.
Ok they bought it I had people came to my talk to okay so yes this was me from before so we’ll skip it okay so the chromium family of browsers have a very specific type of processor architecture and and that is very.
Important when you’re constructing the sandbox so we’re.
Gonna look at it a little bit here and so basically the first thing that you will see if you look on your machine ad there is only one browser binary you will find oftentimes two binaries in there when it’s called sandbox we won’t look at that at.
All because it’s on it’s only used in certain scenarios and.
So we’re going to be looking at what is used in regular gnu/linux like Ubuntu whatever relatively recent and and in that case the only the actual browser binary is used and so when you start.
Up your browser it will start up to other processes and then do this with an actual exit one it will do a clone x AK and the other one it will.
Clone x x makes what i call so i got in it and and the fork x ik will make the GPU process these are are started for real with like command-line arguments and everything and like for real after that it will only use for can clone for making different kinds of processes this architecture was made by google when they took in the.
WebKit project from Apple which Apple had taken from Kitty which because this is the concept here nobody has made a really new browser since mid-90s all browsers belong to 4 browser families one no longer exists.
Or but it exists but it is decommissioned there was the old opera engine so we are down to three and families we have what I would not call the chromium family but it includes what Safari because of the WebKit heritage and also everything back to conquer and and then you have the the Gecko kind of family where the.
Firefox Mozilla and now live quantum Firefox quantum and then you have Microsoft’s engine which has been ie edge that family so those are unfortunately all the families we have but this is the chromium architecture which was made by Google around the WebKit project and basically with the the the architecture was built mostly as a utilitarian solution that they had when they made the the Chrome browser in.
The beginning is that inside of the renderer here they had the WebKit project which was being dumped by Apple all.
The time they was very unstable it crashed a lot so and they had very little control over it so they stuffed it in his own process and then they made a whole system around it to be able to have what they might to have it crash and not take down the browser and that they marketed this as a browser tab will crash but not the whole browser but it was basically a it was an architecture made to deal with a.
Pro problem they had in shipping a browser with WebKit inside so a renderer here will generally be what you think of as a tab and this part.
Is also very interesting the GPU process does all the composition because here you have lots of of renders that are rendering all of.
Your different tabs but in the end you’re going to being one window right with everything in so somebody has to do the composition of all of these things that all of these different processes are making to one thing and that’s what the GPU process does which is very.
Interesting because this is the only one that has access to the GPU so you have to have serialization of GL commands over to this process it’s a very interesting architecture see I told you I which are interesting ok.
Anyway so so all of these things have different security aspects and.
So when the good thing about this architecture is that when the architecture is made they they could also build platform primitives to make security decisions around these because these processes are now separate and you can treat them as separate entities with different policies and that’s what they did and so if.
This is actually also a little.
Bit untrusted because GPU drivers stuff and they have also had issues with being with stability right so a chromium based browser will survive the GPU process crashing which is kind of weird but it will.
What you will see is that the whole window was black and then you wait a couple of seconds and it comes back that.
Is fancy okay so anyway so this I got here I don’t know how are any of you familiar with Android like inside yeah there are you familiar with this.
I got partner Android yeah there’s there’s a similar architecture in in in in Android when you’re as starting apps they had this side process.
Which which Forks off or clones I don’t remember in the Android case off these things and and so they have the same thing here so this I got.
Here actually clones itself for each.
New render and this so I got here which is the parent is sort of like an init process waiting for all of the child children very very Linux II architecture because this is the Linux solution and and this one is put into two because they have they have.
Two parts here that have different security policies okay so basically the most important thing from this slide is that everything is one binary there’s only one binaries just being forced and cloned yes yes yes there are there are there are pipes everywhere there so they have a whole IPC mechanism and the reason.
Is because they have done this unboxing like for example there is no network access here here or here this is a browser none of this can access the network only this process is allowed to access the network so all network.
Traffic has to be piped to the relevant things there are there’s like a whole massive system of IPC to handle this ich know all right I don’t know that much about windows but yes they do split up into all in all platforms they split up into different processes and all platforms to have the IPC’s and so the generic architecture is the same but exactly how.
You implement the different kinds of security policies is different from platform to platform so this is only from the next what.
I’m going to do in this presentation but they will do these kinds of splits but using platform primitives ok um yes ok so we’re going to make we’re going.
To start and this is the initial sandbox so the first the first sandbox thing is done when you are splitting off the socket in a process and the GPU process now there are lots of things here I went.
Through a lot more in my my original presentation is this a little bit shorter but basically here when you when you clone now ok that’s the first question actually does anybody know that system called clone no ok good because it’s.
Very interesting ok clone is is generally used as an implementation detail for implementing fork how many are familiar with fork excellent ok.
Super fork you can do anything you want it has all million options that you can pass in and actually one of the things that you can do is with the right flags to clone you make a thread and the right-footed.
System this is Linux oh you got to love.
It see the right flags to clone to make a thread is among other things share virtual address space like I’m going to make a thing and it can.
Share my other spaces alright we’re friends it’s fabulous okay anyway and but the cool thing about clone is you can pass a lots of facts and in this case and.
Some of the facts that you can pass is what are called linux namespace flags now who knows.
Has heard of linux namespaces excellent so if you want to create a child and you want to put this child process into a namespace you have to use clone generally and then you pass in which types of namespaces you want to put this processing by flags to clone and that will do it.
So in this case that the browser.
Clone so i got in it in user name space pinning space and a net name space this means that it when it becomes.
And this user name space is.
Kind of special because in newer.
Versions of Linux in most distributions you can make a user name space as an unprivileged user so you don’t have to be root and this so and what that means is that when the process that you have cloned into a username space.
It will think that it’s user is root it’s not root outside not root now this is something that you have probably seen if you have used docker containers Ducker yes yes docker containers uses these are api’s a lot and actually.
Container business have driven a lot of these developments of these api’s and linux so so when you create a.
User name space inside of the name space the initial user is root so your roots excellent and then you can create other things like a pin and an ethnic namespace which you have to be ready to do see that’s the trick you start on being good making a username.
Space now pin namespace is basically now you’re saying that.
I can only see me so now I’m Pig one of course outside of the namespace you’re not pit one at all you are paid something something something and you are not root you are something something but inside.
To you to that process it will look like your Pig one and use this route and if you make a net namespace you have no access to network.
So here it’s like none of these have access to network anymore so that’s the first part so.
The first snipping happens here so now we have have a process here that thinks it’s route things is Pig one and it has no access to network on.
The other side we’re just doing a regular fork x”k so we’re not doing this fancy stuff so this one still has full access to the platform and that’s because GPU drivers are weird and they do all sorts of weird stuff and they.
Sorts of weird things and some of them call home yes anyway and okay so what we’re looking for here as we’re building the.
But because what do you realize is all of these different things get different kinds of sandbox policies is that you.
Have to kind of create a moment in time where you’re allowed to restrict some things you are only allowed to restrict on a clone like making namespaces well there is something called unshare but.
We’re not gonna get into that.
Okay okay so these are the namespaces were using so for many new distributions you don’t need any privilege to create a.
In one we can create a pip namespace without global privilege because you usually need that and then you make a pin namespace and there you will see there you will have and you can you can actually see this on your machine but I’m.
Not going to go into it that there will be two different pins if you look inside of the process and it will look like a different one than outside and then here you are isolating it from the network and this happens to the zygotes and to the.
Render like I said before yeah and this is um okay this is done in code this is about how they implemented in the code it’s kind of weird because one of the weird things about clone is if you if you’ve.
Used fork okay fork is weird but bear with me so if you you.
Are a process and you have forked now you have two processes who are both in exactly the same location they.
Are returning from fork and the first thing you.
Always do after a fork is to try to figure out which one you are okay clone is not like that clone is like you pass in the function that.
You want yeah okay so it doesn’t have this thing that it returns to the same place that he returns yeah it’s different so to deal with that they kind.