Google Chrome OS and Some Words On Hype

By: Tim Cronin


With the announcement of the upcoming Google Chrome OS, Google is adding some hype to the mix.  Google is boldly stating that they are “going back to the basics and completely redesigning the underlying security architecture of the OS so that users don’t have to deal with viruses, malware and security updates. It should just work.”  That is a very lofty goal and a loaded statement.

In reality, Google is not too far off base here.  It seems they are going to make a very small OS, one that is really only responsible for basic input and output and for running a browser.  This means that all of the security holes that go along with the “extras” of modern operating systems will not be a factor.  This will have an impact on malware: there can’t be any holes in code that doesn’t exist.  This will dramatically reduce the security footprint of the operating system.  This is true.

Generally speaking, when you develop something, it will have errors.  The errors can be limited, and if there are any vulnerabilities, they can be mitigated.  However, if you develop software that is used to interact with other people’s projects, then the security is only as good as the weakest link.  In Google’s case, they may be developing a lightweight, hardened OS that only runs a browser (for use with Google Docs and other web-based applications), but if you use the browser to view a page that is vulnerable, then you are still just as insecure.


Here is a prediction.  Google Chrome OS will set out to revolutionize the OS world.  They will be successful overall in producing a shift in concepts, but not in the way they intend for security.  There will be exploits that take advantage of the basic input and output.  Not only that, but there will be exploits that take advantage of cross-site malware, session hijacking and other browser-only tricks.  For instance, Google intends that for productivity you will be using Google Docs.  What would happen if you browse a site that has a cross-site exploit that steals your Google Docs?  That’s just one thought.

I also predict that there will be security updates.  Any operating system has the distinct responsibility of being in charge of all input and output for the entire system.  Anything that can subvert this is malware and must be dealt with.  Any OS is vulnerable just by the nature of being an OS.  The advantage to Google’s approach is that any holes will be found quickly, as there will be a much smaller footprint.  Also, you will still need to install some third-party drivers and such for input and output.  Vulnerabilities can quickly show up here (and although Google can’t be held responsible, neither can Microsoft, and we all know how we act when something *seems* to be Microsoft’s bug).


If Google is fully successful in securing their code and making an OS that depends on software that exists over a network, then Internet security will inherently be much more important.  IPS offerings will be in charge of securing your documents rather than client-based AV protection.  Security will shift along with the new thoughts on OS technology and application flow.  This is an announcement that should live up to the hype, either way.



2 Responses to “Google Chrome OS and Some Words On Hype”

  1. Hank Says:

    I do believe this is possible, but the same can be said of some Linux-based OS. Or even more so, for those of us who remember 1987 and a good Tandy 2000, the chances of catching a virus were virtually none. If you don’t have a hard drive you can’t save a virus, the same way that if you don’t have an Internet connection you won’t get any spyware.

    It’s not impossible, but do we really want a computer with such a limited range of possibilities? I might as well just browse on my BlackBerry.

  2. Peter Says:

    Great posting, Tim. Bruce Schneier shares a similar view on his blog, with an interesting theory behind it:
