Interview with Chris Evans, Founder of Google Chrome Security Team
BK Team: Can you please introduce yourself to Security Kaizen readers?
Chris: Hi. I am Chris. I work at Google, where I founded and built the Google Chrome Security Team. Previously, I've worked on sandboxing technologies, security research, and open source software such as vsftpd.
BK Team: Can you please give us more details about the nature of your job at Google?
Chris: I still spend much of my time on Google Chrome, because I like the product and enjoy the responsibility of looking after our users. I like working out what projects we should undertake to best secure our users, or investigating novel defensive techniques.
I also keep an eye on Google’s Vulnerability Reward Programs. I find it very rewarding to be able to engage and reward the wider security community. A well-run program is a good way of moving your security ahead of the pack.
BK Team: What is the future of the Google Native Client (NaCl) plugin in the Chrome project?
Chris: Native Client because it can be used to increase security. The history of the security industry is plagued by problems with native code, including browser plug-ins. Native Client runs code at pretty much native speed, but inside a couple of layers of sandboxing. There's already a rich ecosystem of Chrome (and Chrome OS) applications that have Native Client components, such as a high-performance SSH client [link: https://chrome.google.com/webstore/detail/secure-shell/pnhechapfaindjhompbnflcldabbghjo] or the Google Plus photos application [link: https://chrome.google.com/webstore/detail/google%2Bphotos/efjnaogkjbogokcnohkmnjdojkikgobo].
BK Team: Privacy is always an issue when we talk about Google products. Google knows my place, my phone number, my friends, etc. How do you deal with your customers' concerns about their privacy, especially after the PRISM case?
Chris: Probably the most important thing you can do to protect your privacy is to use secure client software and secure web services. My personal choice for my e-mail is Gmail, accessed via Google Chrome.
State-sponsored attackers frequently go after weaknesses in client software. Your data, wherever you put it, is only as safe as the computer you use to access it. We've responded to this concern by putting significant effort into securing Google Chrome. It automatically updates itself with security fixes and integrates with Google's Safe Browsing facilities. It deploys strong sandboxing technology and we were very excited to extend our strong sandbox to the Flash plug-in last year [link: http://blog.chromium.org/2012/08/the-road-to-safer-morestable-and.html].
We also have some pioneering technology in Chrome that validates SSL certificates more carefully. This protection played a big role in the 2011 incident (with regional connections) involving the former Dutch certificate authority, DigiNotar [link: http://en.wikipedia.org/wiki/DigiNotar]. It was Chrome that detected the DigiNotar compromise and Chrome users were automatically protected from the fraudulent certificate when connecting to Gmail.
We're always pushing ourselves to add more defenses and protections.
BK Team: What are the different bounty programs that Google provides for security researchers?
Chris: We have two well-established bounty programs — Google Web [link: http://www.google.com/about/appsecurity/reward-program/] and Chromium [link: http://www.chromium.org/Home/chromiumsecurity/vulnerability-rewards-program] — and one occasional competition, Pwnium. We also sponsor the well-known Pwn2Own competition. Overall, we recently announced that we've paid out over $2 million USD to researchers. You can read more here [link: http://googleonlinesecurity.blogspot.com/2013/08/security-rewards-at-google-two.html].
BK Team: What was the most critical vulnerability discovered in Chrome? And what was the highest reward provided by Google?
Chris: We've received some excellent submissions as part of our Pwnium competition [link: http://blog.chromium.org/2012/02/pwnium-rewards-for-exploits.html]. We've paid out $60,000 USD a few times. Thanks to our reward programs, any serious bugs tend to get safely reported to us, instead of becoming critical and turning up "in the wild".
BK Team: What does it take for a person to find bugs in Chrome?
Chris: Finding security bugs in a browser can be tricky. One strategy that can be effective is to start "fuzzing", which is the art of throwing malformed input at a product to see if it gets confused. Since we're open source, other researchers like to read and study modules of Chrome until they understand an area well enough to spot possible bugs. Another tack is to try and get ideas from past security bugs in Chrome, which we publicly document in our open bug tracker.
External submissions of Chrome security bugs are dropping off as it gets harder and harder to find serious issues, but we have recently raised our reward levels to compensate!
BK Team: After Chrome is exploited in competitions like Pwn2Own, what is your response? Do you get mad because your product got hacked, or do you get happy because a vulnerability was discovered?
Chris: We are delighted. There’s no point in running or participating in these competitions unless you get results that you can learn from. In fact, we go out of our way to help researchers compete, engage in sponsorship, and set payout levels such that we’re almost guaranteed to get entries. We get to learn a lot from every valid entry, and often devise general hardening measures to make Chrome more solid overall.
I’d also note that no-one gets “hacked” at these competitions. That’s the whole point — they are a safe outlet for advanced security research. Having and supporting Pwnium and Pwn2Own is an important reason why we’re not seeing critical Chrome threats in the wild.
BK Team: What does it take to get hired on the Chrome security team?
Chris: Most of our hires are strong engineers who are passionate about security. The engineering background is important as we have a culture of fixing things and implementing defenses, as well as simply finding issues. Being a strong engineer means you can dive into the code and make it better.
BK Team: What advice and best practices do you have for our readers to browse securely on Google Chrome?
Chris: I recommend browsing the web with Google Chrome. Disable (or better, uninstall) unnecessary plug-ins (see chrome://plugins). Chrome helps you keep your plug-ins up to date and warns you before running certain more dangerous plug-ins, but it's still safer to disable unwanted ones. Make sure your underlying operating system is fully patched. Try and avoid downloading and opening anything outside the browser.
If all of this sounds a little bothersome, some Chrome OS laptop models are very inexpensive, and take care of a lot of these security measures automatically.