
Chrome OS Security Guide
An overview of Chrome OS security across the entire stack.
Join our Chrome OS Product Manager, David Karam, for this in-depth discussion.
Hello everybody, I am David Karam. I'm the product manager for Chrome and Android in the enterprise, and I work very, very closely with our engineering team to bring you all these features that you know and love about Chrome OS and Android. What I want to do today is talk to you about security within Chrome OS.

Chromebooks have a very strong reputation in the market for being a very, very secure endpoint, actually one of the most secure endpoints on the market, and many people know that. It's a reputation in the market, but do we actually know concretely what makes Chrome OS more secure than other platforms? What I want to do today is take you through a guide of all these features and improvements we've made to the platform to make it as secure as it is today. One overarching message in that tour is going to be that across the platform, security is actually built in. It's not something we do in parallel, it's not like one feature which is a super secret sauce of the platform; it's something we built into the platform and across the entire stack. So if you look at the device, what constitutes a device? It's the hardware, the firmware, the operating system, up to the management layer and user sessions, all the way up to the Play Store and the browser and how the apps are delivered to the platform. The thing to keep in mind is that we actually bake in security at every single layer in that stack. It's not one or two, it's every single layer, and every time we add a feature to the platform we make a full security review and we try to bake it in. This gives us a really, really good edge, and as I'm going to describe for each of these features, they all interact together to produce an experience that is really secure and makes the endpoint very, very secure. So what I'm going to do now is take us through every single layer and describe a little bit about the security posture and the security features that exist in that layer.

Right, so let's start on the hardware layer. What we know is that every Chrome device on the market today has a TPM. A TPM is a trusted platform module, a security chip that lives within the Chrome device, and this is very, very important to know, because the trusted platform module is in fact a very secure chip and it acts like a smart card. Which means every time you buy a Chrome device there's a built-in smart card, and this is very important to know because, as we will see later, this security chip is used in many, many of the features that build the security on the upper layers. What I really want to mention here is that we don't sacrifice on that: every single Chrome device has this trusted platform module, this security chip, and even though it would enable us to produce lower-cost hardware by removing it, we actually do not do that. We do not sacrifice on security in this, and this is very important on the hardware level because a lot of things that go on top of it build on it.

We go above the hardware now and look at the firmware, where we have something called verified boot, which is one of those main pillars of security for the platform. I'm going to try and describe it very briefly here. What you see in these diagrams on the left and on the right is that on Chrome OS the boot process starts from the firmware, and on the firmware there is a read-only partition. This means it's a piece of code that no one can change: not an attacker, not Google with its own update infrastructure, no one can change that. It's truly read-only. What happens in the boot process is we start with this read-only portion of the code and start executing other pieces of code that build on top of that, and while we execute that code we check for the signature, and all these signatures chain back to this read-only partition that cannot be changed. This allows us to ensure that all the code that is being executed is code that we know about and code that we can verify the integrity of. This is demonstrated by the diagram on the right-hand side, because if an attacker actually manages to inject malware and change this code execution routine to have persistent malware on the system, the Chrome device will not boot. Right, so it will start from the read-only partition and then try to execute those code pieces and check their signatures, but then it will hit the malware and it will think, "Oh well, this is code I have never seen before, so this is not what I know to be a proper Chrome OS image," and it will stop the boot process and then reboot back to something that is clean. This really raises the bar for persistent attacks, because you cannot bring a piece of code and have it execute within the boot process, or just afterwards, without triggering these protections within the Chrome device, which causes it to boot back into a clean image.

Right, above the firmware, once we're past the verified boot layer, we have the operating system, and the operating system is a very massive surface. On the operating system you have services like the networking layer, services that deal with the GPU, services that deal with bringing up the user sessions. All these services have a very vast attack surface, and what we need to make sure here is that if any of these services is compromised, they cannot infect other services. This is what we talk about with process sandboxing: all these services interact with each other through very well-defined interfaces, so that if one of them is compromised it cannot compromise other services. Privilege separation is a very, very close concept as well. A lot of these services do not need wide privileges, so if you look at something like the network layer, it doesn't need access to things like the camera or the GPU. So Chrome OS really locks down and says, "Well, you're the networking piece, so we will not give you access to the GPU or to the camera," so that if there's an exploit that happens in that network piece, then that exploit cannot spread, or it cannot give the attacker too many privileges. Again, this is not a feature that on its own will protect the system, but this feature in combination with many other features significantly raises the bar for any attacker to do strange things on the platform and resists attacks that go beyond that.

Another feature is full disk encryption, and this is something that does not need to be turned on. On many other platforms you have your hard disk and then it's a feature where you can enable it and now it encrypts your hard drive. On Chrome OS this is just the default: all data that is stored, whether it's user session data or system data, is encrypted on the device at rest, so when the computer is turned off the data on the device is not accessible to attackers from the outside.

The first point that we want to talk about here is automatic and seamless updates, and this is really a cornerstone of security, because once an exploit is actually found, and no system is immune to exploits, every system is prone to exploits, what we really want to make sure is that if an exploit is found then we can actually issue a patch and update devices in the field. This is very, very important, because we can issue a patch and we can send it to all devices in the field in a very short time, to be clear, on the order of 24 to 48 hours, and this is something that does not exist on other platforms: the ability to issue patches and update devices in the field in such a quick and easy manner. This protects the system against the volume of exploits that have been found but have been patched, and allows all the users to stay up to date and all the devices to stay up to date. Another feature of this is that this is really seamless. This is not a device where, "Oh, I got an update, now I have to restart the computer and wait three seconds, or three minutes, for it to apply the update." On Chrome OS this is very, very seamless: you have the update, it's downloaded and placed next to the other system image, and then on boot we still boot up in six seconds; the only thing we do is we swap to the new image. So the user doesn't have to feel any of that, updates stop being a pain, it's automatic, and all users just get it and apply it without having to wait or become out of date.

On top of the operating system we have user sessions, and Chrome OS is a device where multiple users can share the device. This has been very, very successful in many different use cases; one of the most prominent of them is actually the education use case, where you have a cart that comes into the school, into the classroom, and then students just take any device and just log in and they have all their apps and data. But it's actually very hard to protect users against each other, because now you have multiple users and you have multiple users' data. So here comes our first feature, which is per-user encryption: every single user has their data within their own partition, and that partition is encrypted with a hash of their password, so that if you have another user that is compromised, it will not infect other users on the system. Here again we raise the bar significantly, so that a compromise that happens in one place cannot spread to another place, and in this case a compromise for user A does not spread to user B, because user B's data is encrypted with user B's password, and even a compromise within user A cannot reach into that data. So we significantly raise the bar there.

Another one within user sessions is again process sandboxing and defense in depth, the things we mentioned on the operating system level, but we also take it to the user sessions, because we know within user sessions you have a lot of apps. So take an example like the Chrome browser, which has a renderer that displays the web pages for the user. Now suppose an attacker actually finds an exploit and wants to exploit the renderer to get to that user data. Chrome is treated as an untrusted application within Chrome OS, and an exploit within Chrome cannot leak into Chrome OS. So if you exploit the browser you will not be able to leak that exploit into, for example, the network layer, because these are sandboxed and they talk to each other within very defined interfaces.

Another feature is cross-device policy compliance, and this is important to note because what enterprises and schools generally want is that policies actually follow users around. So I'm a user and I log into Chromebook A versus Chromebook B; it's very important from an administration perspective and from a security perspective that my policies actually follow me around, and this is something that we have implemented in Chrome OS, so that you as a user, whether you're logged into one device or the other, it doesn't matter, your policies follow you around. So if I've set a certain set of policies for user A, if that user logs into one Chromebook or the other, into their personal Chromebook or into the enterprise Chromebook, it doesn't matter, they will get a managed session. This is very important from a security perspective, because many times those managed policies imply things like, "I want to enable your lock screen," or "I want to monitor the network traffic that is happening," and this follows the user around as they go from device to device.
There are also other features that we inherit from the Chrome browser, such as Safe Browsing. Chrome knows that there are a lot of malicious websites out there, and we do a lot of analysis on our servers of websites that we know host malware or websites that we know will exploit the users, so we generally block users from going to those websites. Admins can enable that feature for their users so that they can browse safely on the Internet and they won't be taken through clickbait and through other measures into websites that will eventually install malware on their system.
Certificate enrollment again is one of those things where you can use the TPM on the device, the security chip, to generate keys that allow you to enroll for a certificate. This is very important because, as we mentioned, every Chrome device has a TPM, so you have a guarantee when you're on a Chrome device that you can have your entire fleet and all your users using hardware-backed certificates, which have a much stronger security posture than software-backed certificates that can be copied around and taken from user to user and from machine to machine.

If we go even a level higher and look at policy and management, what we have on Chrome OS, and something that is also a big focus for us, is how you can actually achieve security when you're looking at that layer, and we have many complete features that we added over time. One of them is permission controls. An admin might say, "Well, I would like to have a stronger security posture when it comes to audio and video, where I do not want my users to be allowed to use video," and you can actually enforce that on a Chrome device, so that you can block the users from accessing apps that use their video, in case some malware decides to spy on users through their cameras. If you look at the networking layer, we also have policies there that allow you, for example, to restrict the Chrome device from connecting to any network that is not a managed network. So when you come to work you can connect your Chromebook to the Internet, but if you take your Chromebook and try to go to a Starbucks cafe or to a regular Internet cafe, then you will not be able to connect to the Internet. Proxies are another one of those policies, where you can force the user and the device into a certain proxy so that you can monitor all the traffic that is going through the session. And of course we have many other policies that can be enabled: sign-in restrictions, where you can define which users can use a device, and things like signed policy delivery, where every policy that comes onto the device is signed by the Google servers, so that attacks like, for example, injecting policy via a man-in-the-middle attack are not possible, because we always verify the signature before applying the policy. That makes the policy completely unspoofable.
Right, let's take it even a level further. So once you are on the device, you've booted your operating system, you are within a user session, and it is a managed user session, and as we mentioned we have all these mitigations in place to make sure that this is a secure endpoint. We take it to the next level, which is app delivery. So I go to something like the Play Store: how can I verify that the apps I'm getting from the Play Store are actually good apps, that this is not malware? How can we actually protect the user in these situations? This is where we also have a lot of protections in place. For the Play Store, for example, we have massive infrastructure that checks each and every app that is uploaded for any signs of malware. This is all based on Google's machine learning algorithms, and it's becoming better and better and better with time. This is a way where we marry client-side and server-side technologies to protect the users, so that even when the users are not actively on their machines, we're still doing a lot of stuff on the back end that ends up increasing the level of protection for users on their devices. Another thing that is possible is to remotely uninstall apps from user systems. So if, after users have installed apps, those apps are then detected by Google to be malware, we can issue an uninstall command and remove all these apps from users' machines. This is very unique to the Play Store and to Google's platforms, and it is one of those security features that differentiate it from other platforms.
For administrators, there are also many different ways to block users from using certain apps. So you can actually configure a Chrome device, and the Play Store on the Chrome device, to not allow the installation of any app except those within a certain whitelist, and this is a posture that many enterprises like, because they can control exactly what users can install. So in a way they limit the ability of users and the flexibility to use the platform, but again it increases their security posture, because they have certainty around which apps can be installed, and because we don't allow side-loaded apps on Chrome devices, they have very good certainty that what they decide to put in the whitelist is actually what is being installed.

One last thing we want to describe, and this is a feature that has been added recently, where a lot of you heard about it and wanted to hear more about it, is Verified Access. Verified Access is actually very interesting, and it goes beyond a lot of things; it builds on top of a lot of things we are doing, and I'll try to describe it here. What it basically gives you is a real-time check on the integrity of your system. So in real time you can tell whether a Chromebook is actually a Chromebook that has been booted into verified mode and is enterprise enrolled, and this is a very, very strong check, because it's a cryptographic check based on the TPM. On many different platforms you can make similar checks, but they're all heuristics based, so they're trying to figure out from the client whether it's compromised or not. But we know that this is not enough, because a compromised client can always spoof these signals. So if you have a virus on the system and you ask your system, "Hey, are you in a good state?", well, the virus has already compromised the system and it can spoof those signals, like, "Yes, I am in a good state, carry on, give me your valuable resources, download your email, give me access to your network," and this is something we want to avoid.

So what happens today on a Chrome device is the following. You can actually set up a network service so that it can know whether it's talking to a genuine Chromebook that's been booted in verified mode, and the way it does this is: first of all, the Chromebook goes to the Google Verified Access server and asks for a challenge. It gives it back that challenge, and what the device does is it uses the TPM to produce a response for that challenge. That response for the challenge is bound to that challenge, and it verifies that this device is actually in verified mode. Now it sends this challenge response to the network service. The network service is generally responsible for protecting a certain resource, so for example imagine a network service that gives you access to a certificate: you're trying to mint a certificate for your device. Now, before you give that certificate back to the device, you take that challenge response and verify with a Google server API again: "Well, here's the challenge response I received from a Chrome device; is this a valid Chrome device?" This is a real-time integrity check, because the Google service can now actually tell the network service that's trying to give a certificate, or trying to give you a bunch of emails, "Yes, this is actually a Chromebook that has booted in verified mode and is enterprise enrolled." So you have this real-time check on the endpoint's integrity, and then the network service can decide, "Well, now that I can trust this endpoint I'm going to give it a certificate, I'm going to give it its emails." This is very, very secure and very cryptographic, and it's really a very strong check regarding the integrity of the endpoint.

So this concludes our tour of all the different layers, and as we have seen, security is not one thing or one feature on a certain layer; it's actually something that we spread across many, many different layers in the operating system, and this goes all the way from the hardware to the firmware to the operating system to user sessions, through policy and management, app delivery with the Play Store, and Verified Access, which is the feature we mentioned last. Now, we would love to hear your comments on this, and of course if you have any questions please send us these questions and we'll try to answer them as well as possible. I really hope you have enjoyed this tour and I'm looking forward to all your questions. Many, many thanks. Thank you.
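As an added illustration of the Verified Access flow described at the end of the talk (example code written for this page, not Google's code and not its real API), the following Python model plays all three parties: the Chromebook with a stand-in for the TPM, the Google Verified Access server, and a network service that mints a certificate only after the server vouches for the device. An HMAC key provisioned at enrollment stands in for the TPM-backed attestation key, and every name, message field and check below is an assumption of the model rather than the real protocol.

```python
"""Toy model of a Verified Access style challenge/response (added example,
not Google's code). HMAC with a per-device key provisioned at enrollment
stands in for the TPM attestation key; real Verified Access uses TPM-backed
keys and Google's own API, which this model does not reproduce."""
from __future__ import annotations
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class TpmStub:
    """Stand-in for the security chip. It signs over the boot mode it measured
    at boot time, so software on a compromised device cannot obtain a signature
    over 'verified' when the chip recorded 'developer'."""
    key: bytes
    measured_boot_mode: str  # fixed at boot: "verified" or "developer"

    def sign_challenge(self, device_id: str, challenge: bytes) -> dict:
        msg = challenge + device_id.encode() + self.measured_boot_mode.encode()
        return {"boot_mode": self.measured_boot_mode,
                "signature": hmac.new(self.key, msg, hashlib.sha256).digest()}


@dataclass
class Chromebook:
    device_id: str
    tpm: TpmStub

    def respond(self, challenge: bytes, claimed_boot_mode: str | None = None) -> dict:
        """Build the challenge response. `claimed_boot_mode` models malware on
        the device overriding what it *reports*; the TPM signature is unchanged."""
        signed = self.tpm.sign_challenge(self.device_id, challenge)
        return {"device_id": self.device_id, "challenge": challenge,
                "boot_mode": claimed_boot_mode or signed["boot_mode"],
                "signature": signed["signature"]}


@dataclass
class VerifiedAccessServer:
    """Issues challenges and verifies responses (plays the Google server)."""
    enrolled: dict = field(default_factory=dict)     # device_id -> attestation key
    outstanding: dict = field(default_factory=dict)  # challenge -> expiry time

    def enroll(self, device_id: str, key: bytes) -> None:
        self.enrolled[device_id] = key

    def issue_challenge(self, ttl_seconds: float = 60.0) -> bytes:
        challenge = secrets.token_bytes(32)
        self.outstanding[challenge] = time.time() + ttl_seconds
        return challenge

    def verify(self, response: dict) -> bool:
        # Single use: a challenge is removed when first checked, so replays fail.
        expiry = self.outstanding.pop(response["challenge"], None)
        if expiry is None or time.time() > expiry:
            return False
        key = self.enrolled.get(response["device_id"])
        if key is None:                      # not enterprise enrolled
            return False
        msg = (response["challenge"] + response["device_id"].encode()
               + response["boot_mode"].encode())
        expected = hmac.new(key, msg, hashlib.sha256).digest()
        return (hmac.compare_digest(expected, response["signature"])
                and response["boot_mode"] == "verified")


@dataclass
class NetworkService:
    """Guards a resource (minting a certificate) and delegates the integrity
    decision to the Verified Access server instead of trusting the client."""
    va: VerifiedAccessServer

    def request_certificate(self, response: dict) -> str | None:
        if not self.va.verify(response):
            return None
        return f"CERT-for-{response['device_id']}"   # constructed placeholder


def run_scenarios() -> dict:
    """Exercise the flow; returns which scenarios obtained a certificate."""
    va = VerifiedAccessServer()
    good_key = secrets.token_bytes(32)               # provisioned at enrollment
    va.enroll("cb-good", good_key)
    svc = NetworkService(va)
    got = {}

    good = Chromebook("cb-good", TpmStub(good_key, "verified"))
    got["verified"] = svc.request_certificate(good.respond(va.issue_challenge())) is not None

    # Replay: the same response presented a second time.
    resp = good.respond(va.issue_challenge())
    svc.request_certificate(resp)
    got["replay"] = svc.request_certificate(resp) is not None

    # Expired challenge.
    got["expired"] = svc.request_certificate(
        good.respond(va.issue_challenge(ttl_seconds=-1))) is not None

    # Same enrolled device booted in developer mode; its software reports "verified".
    dev = Chromebook("cb-good", TpmStub(good_key, "developer"))
    got["spoofed_mode"] = svc.request_certificate(
        dev.respond(va.issue_challenge(), claimed_boot_mode="verified")) is not None

    # Device that was never enrolled, using a key of its own.
    rogue = Chromebook("cb-rogue", TpmStub(secrets.token_bytes(32), "verified"))
    got["unenrolled"] = svc.request_certificate(rogue.respond(va.issue_challenge())) is not None
    return got


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:13s} certificate issued: {ok}")
```

Only the first scenario obtains a certificate. The point the talk makes about heuristics versus a cryptographic check is visible in the `spoofed_mode` case: the device's software can report whatever boot mode it likes, but the signature the chip produced covers the mode it measured, so the server's verification fails. The single-use, expiring challenge is what binds the response to this request, so a captured response cannot be presented again.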
Source: https://www.youtube.com/watch?v=maCSmdy3an4