Industry News

Linux Version of Chrome Ships with New Sandbox

The sandboxing system implemented in Google’s Chrome browser has undergone a major overhaul in development version 23.0.1255.0 with the introduction of a brand new sandbox on Linux and ChromeOS for renderers.

The new sandbox uses a feature called Seccomp-BPF that gives the Linux kernel a higher degree of control in imposing restrictions to the application, as well as to evaluate system call numbers and their parameters. This approach will likely result not only in performance improvements, but will allow the kernel to detect logic traps such as code that makes it loop endlessly until it depletes the system’s resources.

Image credits: Google Chrome

The use of seccomp-BPF is believed to dramatically reduce the attack surface of the operating system kernel. “This is a huge change for sandboxing code in Linux, which, as you may recall, has been very limited in this area. It’s also a change that recognizes and innovates in two important dimensions of sandboxing […]” wrote Google Security Software Engineer Julien Tinnes in a blog post.

For now, Linux versions of the most popular browsers have been relatively safe from security incidents similar to the attacks against Java, Reader or Flash plugins, but, as cyber-threats become cross-platform, the manufacturers are becoming more and more concerned with unknown, zero-day attacks carried out through the browser.

About the author


Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beat with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.