Will Google's OS Make the Desktop Safe?  

Posted by dhamotharan in , ,

Google says that its forthcoming chrome OS will be so secure that "users don't have to deal with viruses, malware and security updates." But Google's claim is being met with skepticism within the Internet security world.

"I have serious doubts about their claims simply because an operating system must execute code and malware is code," says Dave Marcus, director of security research and communications for McAfee Avert Labs.

Like the chrome browser, Google Chrome OS will be based on an existing open-source project: Where the Chrome browser is based on the open-source Webkit project, the Chrome OS will be based on the open-source Linux kernel. It will be, Google says, a "lightweight" OS that will run on x86 or ARM processors and have a new windowing system. Furthermore, the Chrome OS will be positioned for use on netbooks, which are designed primarily for Internet use. The Android platform will remain Google's choice for mobile devices.

ROOM for Improvement

With its Chrome browser, Google did attempt torethink the browser. It created a new JavaScript virtual machine, V8, arguing that JavaScript today does much more than enable online novelties. JavaScript now runs applications, such as those built by Google itself. Among the optimizations introduced in the V8 engine is a new way of interpreting JavaScript source code so that it runs as machine code within the CPU. Thanks to another optimization, V8 also knows where the JavaScript pointers are, eliminating the need for repeated searches. But while V8 optimized performance, the Chrome browser hasn't eliminated the JavaScript threat landscape.

"Malware takes on many forms, including JavaScript malware, which Google's Chrome is still vulnerable to," says Robert Hansen, CEO of SecTheory. At last summer's Black Hat USA security conference, Hansen and Tom Stracener of Cenzic presented a talk showing how they were able to exploit Google Gadgets; they even coined the phrase Gmalware (for Gmodules-based malware) to describe this new class of vulnerabilities.

"Given the sheer volume of security failures found in all of Google's client-side applications [that] we have assessed, we find it unlikely that Google has suddenly found a silver bullet," Hansen says

This entry was posted on 7/9/09 at 6:43 PM and is filed under , , . You can follow any responses to this entry through the comments feed .


Post a Comment