InfoWorld Home / Security Central / Security Adviser / Google Chrome OS can't be perfectly secure
July 17, 2009

Google Chrome OS can't be perfectly secure

Developing a bulletproof OS isn't possible, especially one that people will want to use

| Print | 12 comments|
1011 Recommendations

Google's plan to release a Chrome-based OS next year has garnered the expected fanfare that comes with anything the company announces. I've also seen articles in which people at Google are quoted as saying the OS will be free from malware and immune to malicious hackers. My gut feeling is that these folks were misquoted. I don't think anyone with serious experience in this field would make that sort of claim -- but I could be wrong.

Whether or not they said it, the question remains: Is it truly possible for the search giant to accomplish what no other company has and release a perfectly secure OS? The answer: Probably not. (For the sake of full disclosure, I'm a security architect at Microsoft.)

[ See what Microsoft CEO Steve Ballmer had to say about Google Chrome OS. | Gets answers to all your questions in the Google Chrome OS FAQ. ]

For starters, the best indicator of future behavior is past behavior. Every software vendor who has promised perfect security has failed to deliver. Who can forget Oracle CEO Larry Ellison's pledge of "unbreakable software"? That was hundreds, if not thousands, of patched bugs ago. Unlike Oracle's offerings, Chrome OS will be available to and used by the general public, making it a huge target for malicious hackers and purveyors of malware. That alone renders the prospect of flawless security all but impossible.

Second, I don't know of a Google product to date that has not had its share of bugs. Even Google Chrome, the "most secure browser ever," has had at least eight discovered vulnerabilities in its very short life -- and with the browser's very small market share. If Google Chrome were to gain market share, more vulnerabilities would naturally emerge. No software has ever escaped that fact.

Related Content...
additional resources
White Paper - How to Improve Delivery of Advanced Web Applications

White Paper

Virtual Workforce: The Key to Expanding The Business While Cutting Costs

Get the independent advice and expertise you need to support a virtual workforce.

Go inside:
The three-step approach to making a virtual workforce a reality.
The four flavors of client virtualization technologies.
The three key initiatives that solve IT challenges.
Download now »
White Paper: Successfully Secure Your Wireless LAN With Wi-Fi firewalls.

White Paper

Addressing Linux Threats Leveraging Fewer Resources

The increase in Linux popularity has increased the frequency and sophistication of malware attacks. Read this 2 page white paper now to learn how you can protect your Linux environment with real-time protection that is certified by all major Linux vendors.

Download now »
White Paper - The 2009 Handbook of Application Delivery

White Paper

The 2009 Handbook of Application Delivery

Ensuring acceptable application delivery will become even more difficult over the next few years. As a result, IT organizations need to ensure that the approach that they take to resolving the current application delivery challenges can scale to support the emerging challenges. This handbook elaborates on the key tasks associated with planning, optimization, management and control and provides decision criteria to help IT organizations choose appropriate solutions.

Download now »
White Paper - Is Your Backup System Outdated?

White Paper

Mid-range Storage Considerations

A common misconception is that mid-range storage requirements are dramatically different than that of a larger enterprise. Mid-range storage users may require less capacity, but they have similar functionality and management requirements. This ESG paper examines mid-range storage needs and reviews a new solution that adjusts size while retaining value, performance and functionality.

Download now »
12 of 12 comments
Sign In or Register to comment
betomiller 17-Jul-09 9:54am
2 replies
Sorry to say this, Roger, but your article is juvenile. You need not state the obvious to any of us, that all code has its vulnerability. Nonetheless, we should support efforts to improve computing as a technology and an art.
tomaddox 17-Jul-09 10:06am
What Roger says is obvious to you and me, perhaps, but it's not obvious to a great many so-called technology pundits, who regurgitate the Google party line without real analysis or insight. For over a year, I've been reading about how amazing the cloud is, with very few "analysts" discussing the tremendous security issues involved in handing your data over to a third party. To me, this concern is obvious, but to many executives, journalists, and laymen, it might not be. Kudos to Roger for making sure this information is out there and available to search engines like, say, Google's.
Regaug 17-Jul-09 12:48pm
No, the article was not juvenile, you are juvenile, and obviously inexperienced in this business. When companies like Google make claims like this, executive's and salesmen read them and then make life miserable for IT workers, programmers, and architects. Kudos to Roger for pointing out that the Emperor is *always* naked.
chrisjmiller 17-Jul-09 10:39am
It is certainly possible to build a (more) secure OS - before there was OpenBSD anyone remember Multics? The problem is that users: a) Don't want a secure OS (that necessarily gets in the way of ease of use). Recall all the whining about UAC in Vista, now double it, double it again and add three zeros. b) Won't pay for a secure OS - of course Chrome will be free, but developing secure software (and keeping it secure) is expensive. c) Won't use a secure OS (see (a) above).
mentuser 17-Jul-09 11:35am
2 replies

The author is overlooking a simple fact--all you have to do make a completely secure operating system is control write access to the OS drive, for example the 'C' drive in Windows.

Elfish 17-Jul-09 3:47pm
1 reply
Nope. If it can be read by those that shouldn't be reading or copying the information, it's still not secure.
rcprimak 20-Jul-09 11:14pm
And I know that Google OS is Linux based. But it does not fully implement Linux security, so it does write to non-sandboxed parts of the C: drive during normal operations.
rcprimak 20-Jul-09 11:12pm
Shadow Protect used to claim that it totally stops anything from being writtten to the C: Drive. This proved not to be true, as many now virus-infected users of this product have discovered -- or continue to deny as they spread their infections out over the Internet.

All browsers must maintain a cache somewhere on the hard drive, and Chrome is no exception. Windows is not like Linux, which at least has some sandboxing features. Instead of a separate "No Exec" partition, Windows uses a swap or PageFile system right there on the C: drive. Nothing can prevent writing to or reading from the PageFile during normal Windows operations. Nothing.

zornwil 17-Jul-09 1:33pm
Lots of good points in the article but we shouldn't blame an OS if hacking occurs via DNS or other external means, and we shouldn't be discussing that the mere existence of bugs is a lack of security, given the bugs may not affect security per se. So some stuff really shouldn't have been raised here as such. But it is useful and even important for non-technical people to realize why an OS isn't going to be 100% secure no matter how good it is (unless of course, as mentioned, it's so bereft of functionality it is a truly niche OS).
rcprimak 20-Jul-09 11:15pm
One bigger point about Google OS security: Read Robert X. Cringely's July 15, 2009 blog entry. Until Google locks down Password Recovery, nothing else matters.
j0nnysmith 30-Jul-09 7:03am
All program have vulnerabilities that are fixed in time but every new version adapted on the continues evolutin of platforms and program to work close in hand with the browser has other vulnerabilities that have to be fixed and so and so . http://www.securecomputing.net.au/Feature/123669,safe-browsing-with-goog... here it says that the new version is safer that the old one but not perfect so ... What matter is to use other softwear to help prevent future problems like an antivirus with good rating on the marked . Personaly i use bitdefender on my laptop for a year now and i didn t have any major problem that couldn t be resolved quick and easy so far.
khurt 7-Aug-09 12:14pm
"the best indicator of future behavior is past behavior." WRONG. The present is the best indicator of future behaviour because decisions about the future are made in the present.

Today's Headlines: First Look Newsletter

Find out what will be news for the day, with our first-thing-in-the-morning briefing.

White paper

Log Management: How to Develop the Right Strategy for Business and Compliance

This white paper provides guidance on how to develop a strategic approach to managing and monitoring logs, a key function required for compliance with many regulatory mandates and a critical defense against security threats.

Download now! »

White paper

The Essential Series: Security Information Management

Learn about the processes and technologies that support security information management (SIM) operations, as well as the business case for SIM. The series examines different options for implementing SIM and gives you evaluation criteria for selecting the best option for your organization.

Download now! »

White paper

Aberdeen: Choosing and Consuming Managed Security Services

Learn the strategies, actions, and capabilities that Best-in-Class organizations employ and technologies they choose to obtain superior performance against various security performance metrics. This report provides guidelines for identifying which security solutions to consume as a MSS and defines best practices for choosing and managing MSSPs.

Download now! »
©1994-2010 Infoworld, Inc.