I’ve recently read the Chromium sandbox architecture overview and the multi-process architecture high-level design.
The developers claim they run the tabs and web apps in a privileged external process for 2 main reasons:
1) Prevent the browser from crashing in case a tab or a web app crashes.
2) Various security reasons.
The security reasons I read about were mostly about changing the user’s system configuration via Win32 API.
Now let’s assume I develop a web browser that uses WebKit and the V8 JS engine and does not allow browser extensions and Flash to be executed from within the browser.
Furthermore, let’s assume that application crashes are not an issue.
1) What advantages do I gain by implementing the sandbox architecture?
2) Can pure JavaScript code access the memory/file system or invoke any unwanted Windows API function?
3) What are the other security concerns I’m not aware of?
People have been hacked through web browsers for years; this is a silly question. Of course JavaScript can be used to gain access to the shell. This is the basis of browser-based exploitation. Not only JavaScript, but malformed HTML and CSS are also commonly used to corrupt memory and gain remote code execution. WebKit is new, and it has a lot of security problems. Keep WebKit up to date, or you will be hacked.
It should be noted that JavaScript runs within a sandbox that jails it from accessing important resources on your machine or other websites; we call this the same-origin policy. Google introduced another sandbox for Chrome to try and prevent remote code execution as a method of defense in depth, security in layers.
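To make the same-origin policy mentioned in the answer concrete, here is an added example (not part of the original post or of any browser's code) that reduces URLs to their origin tuple and decides whether a script from one page may read a resource from another. It assumes only the standard WHATWG URL API available in browsers and Node; the sample URLs are constructed.

```javascript
// Added example: the same-origin policy is a comparison of (scheme, host, port).
// A script running in a document from one origin may read DOM or response data
// from another URL only when all three parts match. Path, query and fragment
// never take part in the decision. This is the policy the engine enforces; a
// memory-corruption bug in the engine sidesteps it, which is why a second,
// OS-level sandbox is added as defense in depth.

// Default ports per scheme, so "https://a.example" and "https://a.example:443"
// are treated as the same origin after normalisation.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Reduce a URL to its origin tuple. The URL parser already lowercases the host
// and drops a default port, so we fill the default back in for comparison.
function originTuple(urlString) {
  const u = new URL(urlString);
  const port = u.port !== "" ? u.port : (DEFAULT_PORTS[u.protocol] || "");
  return { scheme: u.protocol, host: u.hostname, port };
}

// True only when scheme, host and port all match.
function sameOrigin(a, b) {
  const ta = originTuple(a), tb = originTuple(b);
  return ta.scheme === tb.scheme && ta.host === tb.host && ta.port === tb.port;
}

// Plain same-origin decision for a script read (no CORS relaxation modelled).
function scriptMayRead(scriptUrl, resourceUrl) {
  return sameOrigin(scriptUrl, resourceUrl) ? "allow" : "block";
}

// Constructed sample checks showing the edge cases that commonly surprise people.
const page = "https://app.example.com/index.html";
const checks = [
  ["same host, default port written out", "https://app.example.com:443/api/data", "allow"],
  ["same host, different scheme", "http://app.example.com/api/data", "block"],
  ["subdomain is a different host", "https://api.app.example.com/data", "block"],
  ["same host, different port", "https://app.example.com:8443/data", "block"],
  ["different path only", "https://app.example.com/other/page.html", "allow"],
];
for (const [label, target, expected] of checks) {
  const got = scriptMayRead(page, target);
  console.log(`${label}: ${got}${got === expected ? "" : " (UNEXPECTED)"}`);
}
```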