Chrome netbook security

Some time back I was involved in the audit of an app for the Chrome netbook. While doing that I did some analysis of the security of the Chrome netbook (Cr-48). Summarizing my findings here.

1. Only one user can be logged in at a time.
2. Every user's browser session runs under the same UNIX user, "chronos".
3. A user's data is encrypted with keys derived from the login session information.
4. The user is given direct access only to the /home/chronos/user/Downloads/ folder.
         a. The user's downloads go into this folder.
         b. The user's encrypted data is mounted at /home/chronos/user/, and Downloads sits inside that mount.
5. The following data is stored separately for each user:
         a.    History
         b.    Cookies
         c.    Downloads
         d.    Extensions
         e.    Local Storage
         f.    Pepper Data (Flash local data)
         g.    Sync Data
         h.    Log
         i.    Login Data
         j.    Tabs
6. There is no way for one user to modify another user's data locally.
7. "shell" access is available only in developer (dev) mode. Otherwise all you have is the browser.
8. Chrome "extensions" are given special permissions.
        a.    notifications, unlimitedStorage, geolocation, tabs
        b.    They can make requests across domains, something a normal web page is not allowed to do under the browser's same-origin policy.
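Items 4 to 8 describe what a user and an extension can reach on the device. As an added example that is not part of the original post, here is a small Node.js script an auditor could run against an extension's manifest.json: it separates the API permissions from item 8a out of the declared list, and rates how far the host match patterns behind item 8b let the extension read other origins. The sample manifests, extension names and explanatory notes are constructed for illustration and do not describe any real extension.

```javascript
// Added example (not from the post): audit the permissions a Chrome extension
// or packaged app declares in manifest.json. Handles MV2 (host patterns mixed
// into "permissions") and MV3 ("host_permissions" kept separate).

// API permissions worth calling out in an audit, with a note on why.
const WATCHED_API_PERMISSIONS = {
  tabs: "can read the URL and title of every open tab",
  geolocation: "reads device location without a per-site prompt",
  notifications: "can show desktop notifications outside any page",
  unlimitedStorage: "local data is not subject to the normal quota",
  cookies: "can read and write cookies on permitted hosts",
  webRequest: "can observe and modify requests to permitted hosts",
};

// Parse a Chrome match pattern such as "<all_urls>" or "*://*.example.com/*".
// Returns null when the string is not a match pattern (i.e. it is an API permission).
function parseMatchPattern(pattern) {
  if (pattern === "<all_urls>") {
    return { scheme: "*", host: "*", path: "/*" };
  }
  const m = /^(\*|https?|file|ftp):\/\/([^/]*)(\/.*)$/.exec(pattern);
  if (!m) return null;
  return { scheme: m[1], host: m[2], path: m[3] };
}

// Rate how far a host pattern reaches: every origin, local files, a whole
// domain, or one host.
function hostScope(pattern) {
  const p = parseMatchPattern(pattern);
  if (p === null) return "not-a-host-pattern";
  if (p.scheme === "file") return "local-files";
  if (p.host === "*") return "all-hosts";
  if (p.host.startsWith("*.")) return "domain-wildcard";
  return "single-host";
}

// Audit one parsed manifest object and return a structured report.
function auditManifest(manifest) {
  const declared = [
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
  ];
  const api = [];
  const hosts = [];
  for (const entry of declared) {
    const scope = hostScope(entry);
    if (scope === "not-a-host-pattern") {
      const watched = Object.prototype.hasOwnProperty.call(WATCHED_API_PERMISSIONS, entry);
      api.push({
        permission: entry,
        watched,
        note: watched ? WATCHED_API_PERMISSIONS[entry] : "not on the watch list",
      });
    } else {
      hosts.push({ pattern: entry, scope });
    }
  }
  return {
    name: manifest.name,
    api,
    hosts,
    // Any host pattern at all lets the extension fetch that origin directly,
    // which a normal web page cannot do under the same-origin policy.
    crossOrigin: hosts.length > 0,
    reachesAllHosts: hosts.some((h) => h.scope === "all-hosts"),
    watchedApi: api.filter((a) => a.watched).map((a) => a.permission),
  };
}

// Constructed sample manifests (hypothetical, not real extensions).
const SAMPLE_MANIFESTS = {
  notes: {
    manifest_version: 2,
    name: "Notes (constructed sample)",
    permissions: ["notifications", "unlimitedStorage", "tabs", "https://notes.example.com/*"],
  },
  helper: {
    manifest_version: 3,
    name: "Helper (constructed sample)",
    permissions: ["geolocation", "storage"],
    host_permissions: ["<all_urls>"],
  },
};

// One-line verdict per manifest, for use from the command line.
function summarize(report) {
  const reach = report.reachesAllHosts
    ? "ALL hosts"
    : report.hosts.map((h) => `${h.pattern} [${h.scope}]`).join(", ") || "none";
  const api = report.watchedApi.join(", ") || "none";
  return `${report.name}: watched API perms = ${api}; host reach = ${reach}`;
}

for (const m of Object.values(SAMPLE_MANIFESTS)) {
  console.log(summarize(auditManifest(m)));
}
```

To run it against a real extension, replace the sample objects with `JSON.parse(fs.readFileSync("manifest.json"))`; the interesting output is any "all-hosts" or "domain-wildcard" entry combined with `tabs`, `cookies` or `webRequest`, since that is the combination that gives an extension read access across the user's other sessions that item 8b alludes to.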

This entry was posted in Chrome, Cr-48.

One Response to Chrome netbook security

  1. Pingback: Google Chrome/ChromeOS bug – 189250 | Source Code Auditing, Reversing, Web Security
