Okay, so welcome everybody. I’d like to point out this astronaut is painted on containers, see, it’s deep. Okay, say I had to point it out; it’s my own pun, so I need to point it out. And so this talk is about Linux security and the Chromium sandbox, and it’s basically, if you’ve been around Linux security APIs, it’s just nice to know a little bit about how they are used in practice in an application that is not Docker.

My name is Patricia Aas. I’m a, for the last three weeks, so I work for my own company, called TurtleSec, aiming to be a C++ programmer, maybe doing some specialization in application security. Up until a few weeks ago I worked on the Vivaldi browser; before that I worked at Cisco, making telepresence systems with a bunch of people here; and before that I was a Java consultant for a little while; and before that I worked on the Opera browser, so I worked on two browsers
so far, and two real browsers as code bases, because currently the new Opera browser is also Chromium-based, but the browser that I worked on was not. I have a master’s in computer science. I was taught Java once upon a time, but I’ve been working in C++ since I graduated.

So this is a very important aspect to realize about browsers: what browsers do is remote code execution. We download code from the Internet and we execute it on your machine. That is what browsers do. So we can’t have any illusions about what browsers do; people kind of forget
this part and think it’s, you know, it’s the internet.

So sandboxing is a concept that has grown more organically in both operating systems and in browsers, and basically you can think of it as having two types of threats. So you have the external threat, where you are trying to protect the user’s computer against vulnerabilities in the browser which could expose them to this code that we downloaded over the internet. So let’s say that you download some malicious code: if it managed to escape the browser in some way, it could do damage or retrieve information or do something on the user’s computer, and that is the primary purpose of sandboxing in browsers.

But you can also have more of a lateral threat, where you have a system-internal threat. So let’s imagine that you have some malware on your system, and your browser contains a lot of your personal information in many different ways, both when you’re running but also on disk. There’s a lot of personal information, and it could be a way to find things out about you, mine you for personal information, maybe inject something in your browser, things like that. So you also have system threats, but in this case basically you have malware running on your machine, and it makes a whole lot of things difficult to do, to fix. We’re going to focus mostly on the first part, but it’s important to note.

So this is a
Linux-based talk, and this aspect of browsers is very platform specific: they use platform primitives for building sandboxes. They are widely different from platform to platform, and so this is for Linux. And it is built, the browser sandboxes are built during startup, as you make these processes which Chromium consists of, so.