Just to add some context, on macOS you can look at the seat-belt policy as a rough analog of for basic sandboxing guarantees, where the fewer exceptions you have the stronger your sandbox is. From that perspective, Chrome's policy has around 1/10th the exceptions of Safari.
And of course, that's before we get into more complex forms of isolation that Chrome implements, such as the sandboxed GPU process, or ongoing work into things like network sandboxing, the macOS bootstrap sandbox, and site isolation (origin-bound renderer sandboxing).
For anyone following, this is Justin Schuh of the Chrome security team (and co-author of TAOSSA, probably still the best book in all of software security).
Another thing Chrome does out of the box that Safari doesn't is U2F.
Still another is Chrome's industry-leading TLS management, including the pioneering of HPKP and the Chrome/Firefox pin list, and the aggressive policing of the WebPKI CAs.
I've been pretty aggressively terse in this thread, because I didn't even realize this was a live argument anymore. Safari is simply not as secure as Chrome, and it's less secure in ways that are meaningful to normal users.
The question is a bit complex than a simple reading of these files. Mac OS sandboxing allows dynamic extension of the sandbox, which would not be reflected in the profile (I'd bet Safari does more of this than Blink though). Also, as you mentioned, it's relevant to look at what's factored into separate processes, and how those processes are sandboxed. Safari's Network process has been networked since 2013, so I don't think you can count Chrome's ongoing work to do so as a Chrome advantage.
If you add these things up, the difference in practical effectiveness is not as wide as one might think.
I don't keep up too much on Safari these days, so congrats on moving the network stack out of the content process. But looking at the current WebProcess seat-belt policy and what gets initialized, it looks like there's still far too much attack surface relative to Chrome. Things like audio/video capture and other permissioned Web APIs appear to be permitted directly inside the sandbox. And the GPU attack surface alone is a giant vector for escape--plus all the other potential escape vectors posed by that very long list of mach services.
So yeah, the seat belt policies alone aren't determinative, which is why I called them "a rough analog". And it's hard to say what gets pulled in through warmup (which is why we'll be eliminating it with our v2 bootstrap sandbox). Accepting that, it's pretty clear that there's just dramatically less attack surface exposed from inside Chrome's sandbox versus Safari's.
The network stack has been out of the content process for a super long time, it is not a new thing. (Ironically, Chrome engineers argued strenuously against doing it when we first started).
You're right that separate GPU process is a huge advantage for Chrome. Kudos on that, and we'll likely have to move in the same direction sooner or later.
Audio/video capture is temporary and not in currently shipping Safari. It was just the simplest path to getting WebRTC up and running. We plan to fix it before we ship. I agree with you that it's risky attack surface.
Also agree with you that we expose more mach services and for lots of them it would be better not to expose them. A tradeoff here is that Chrome (as I understand it) provides most of those facilities via brokers that are often not sandboxed themselves. It used to be many of those things were just done by the application process.
I suspect over time we'll see our respective sandbox models become more similar over time, especially on macOS.
> The network stack has been out of the content process for a super long time, it is not a new thing.
FWIW, Chrome's network stack doesn't live in the content process either. It's not currently sandboxed, but it's in a process that has no scripting runtime or other dynamic content, so it's still pretty high bar for exploit. The exact reasons for the current situation have to do with some legacy Windows support that has since been removed, which is why the sandboxing work is now moving forward. So, I definitely appreciate your situation with adding some sandbox exceptions for WebRTC.
> I suspect over time we'll see our respective sandbox models become more similar over time, especially on macOS.
Fair. But I will say that Chrome being cross-platform tends to naturally push us in the direction of eliminating sandbox attack surface. Our supported platforms just differ so much that it's easiest to lock down the OS as much as possible and implement narrower, origin-bound capability brokers inside Chrome. If I were more tightly bound to a given OS implementation, I expect I'd have a lot more fights about sandboxing, because it's easier for devs to just standardize on what the OS gives you.
It does seem like being cross-platform makes it more natural for Chrome to lock down the content process very tightly, and provides a strong incentive to do so. On the other hand, it may make it more difficult or less natural to lock down some of the other processes.
On our end, it's natural to sandbox every new process we introduce, but also easy to fudge what is allowed in sandbox profiles. Sometimes we have a choice of accessing a service through a separate process, or working to make sure that service itself is more secure (sandboxed itself, offers thinner and properly validated IPC interface, etc). In many cases, the real right choice may be to do both. As well as fuzzing the heck out of every IPC boundary.
So, the thing we call "win32k lockdown" on Chrome is just a term for the various things we had to do to enable ProcessSystemCallDisablePolicy on our sandboxed renderer processes (the processes that handle Web content). ProcessSystemCallDisablePolicy is a very big hammer, because enabling it prior to process launch means the kernel blocks all GDI and NTUser calls, such that the process can't interact with the UI or graphics subsystems. Chrome can do this because our UI and graphics acceleration layer is split into our unsandboxed browser process and the more weakly sandboxed GPU process.
The difference with Edge and IE is that they run their UI and graphics stack in their content processes, which are an analog to Chrome's renderer processes. However, any UI on Windows requires win32k kernel support, so they can't disable it like Chrome does. Instead, Edge uses its win32k filter to limit the attack surface to only the calls that they need. So, where Chrome's architecture allowed us to make an aggressive cut, Microsoft is instead working to iteratively shut off the same attack surface in Edge.
And yes, the win32k whitelist is currently restricted to EdgeHTML processes by the kernel and signature enforcement. I know this because we currently sandbox our GPU process at about the same level as an IE content process, and we wanted to use the win32k whitelist get the same improvements as Edge. Unfortunately, Microsoft is still working on the capability, and is not ready to expose it to third-parties yet (but has given signs they may be willing to do so in the future).
Source: I lead engineering on Chrome security and am the original architect of Chrome's win32k lockdown.
What did I say that was FUD? I'm legitimately curious if he's checked and seen any data being sent to google
*edit: I'd genuinely be surprised if google made it that easy to not send anything back to them. Additionally, I'd be genuinely surprised if FF made it that simple to avoid sending things back to Mozilla.
Please don't spread misinformation. Here are the facts:
1. While the Hotword module was downloaded at startup, the feature was not activated without the user explicitly enabling it via the settings menu. <https://crbug.com/500922#c6>
2. Downloading the module in Chromium was a bug, and it was fixed after being reported. <https://crbug.com/50922#30>
3. The Hotword feature was dropped from Chrome not too long after, because it was an experiment that never really panned out (and was enabled by very few people).
> when riseup.net got an NSL to give access to the email accounts
This is simply not true. An NSL cannot be used to compel access to any communication content—and certainly not control of an account; they're limited solely to metadata (e.g. phone call records, IP addresses, billing metadata, etc.). I'm not a fan of NSLs, and strongly support repealing the section 505 expansion, but it behooves no one to lie about what an NSL is and what it can compel.
No, all we have right now are projections, which put Clinton at ~2% lead in the popular vote. We won't have final vote counts until probably December, because many millions of outstanding votes are still uncounted.
The same thing happens every presidential cycle. Counts come in much slower for populous states with large volumes of absentee, provisional, and mail-in ballots. Clinton is going to win these votes by something like a 2:1 margin.
A non-free pass would mean Beck actually took responsibility for his actions and apologized rather than than attempt to excuse himself with false equivalence.
Let's be clear, he baselessly demonized Obama's presidency while the man was actively trying to reach across the aisle and even brought numerous Republicans into his administration. Beck fed lies and hate to incite an angry mob, and was a key player in the last eight years of the bitterest partisan divide and obstruction that we've experienced in the modern era. And now he's minimizing Trump's vile words and actions -- arguably a direct product of the climate Beck helped create -- because somehow Beck's own insane apocalyptic fantasies about Obama should normalize them? That is the furthest thing from an apology. It's a gross insult to anyone familiar with the facts, a cynical attempt to abdicate his personal responsibility, and attempts to mainstream the worst of Trump's behavior.
No. What Glenn Beck is doing right now is just pandering to his own audience that he was at risk of losing entirely if he didn't eventually fall in line with Trump.
I wonder whether you actually read the article you linked, because here's how he tries to shift the blame and deny his own accountability:
>Now, I’ve got people on the left accusing me of creating Donald Trump. And I’m like, “But I’m against Donald Trump. I warned against a guy like Donald Trump.” Well, you created the conditions that grew Donald Trump. “No, I didn’t. I think it was the government — both parties that weren’t listening to the people, that the people got so frustrated they wanted to burn the whole thing down.”
And here's the only thing he apologizes for -- a bullshit non-apology for tone rather than substance:
> And so I’ve been ringing that bell. And I’ve been telling you, “This is going to end in disaster. It’s going to end in disaster.” No exits left. There’s a cliff coming. That’s what I want to apologize for. I still believe that: there’s a cliff coming. But that is such a hopeless message that I can barely survive. And it’s because I have gazed upon the problems. That which you gaze upon, you become.
I'm not going to waste more time debating this, because there's literally nothing to debate. Beck did tremendous damage to the political discourse, and he's never owned up to to it. And what he's doing now to normalize Trump's dangerous behavior is only making the situation worse.
I realize you don't want to debate, and I don't either (based on what you've written in this thread, I mostly agree with you). But, I've been listening to the guy on the radio for the last 2 years and I feel like I've heard this change/realization slowly happening over these 2 years. I never saw the guy on TV, and didn't even know who he was until South Park parodied him in 2010. He still has work to do (obviously), and I just think it is best to have these discussions with people so that more empathy prevails in our country. We just need less hate.
I think you've mistaken me for someone who disagrees with you. Upthread I said he doesn't get a free pass; any non-free pass this fuckface gets should be extremely expensive.
I actually watch Fox with some regularity and follow various conservative news sources. I may not agree with the views, but I want to understand where people are coming from. And Beck's show was consistently so far beyond the pale.
* Safari SB policy: https://trac.webkit.org/browser/webkit/trunk/Source/WebKit2/...
* Chrome SB policy: https://cs.chromium.org/chromium/src/content/renderer/render...
And of course, that's before we get into more complex forms of isolation that Chrome implements, such as the sandboxed GPU process, or ongoing work into things like network sandboxing, the macOS bootstrap sandbox, and site isolation (origin-bound renderer sandboxing).