Google Chrome offers more protection against online attacks than any other mainstream browser, according to an evaluation that compares exploit mitigations, malicious link detection, and other safety features offered in Chrome, Internet Explorer, and Firefox.

The 102-page report, prepared by researchers from security firm Accuvant, started with the premise that buffer overflow bugs and other security vulnerabilities were inevitable in any complex piece of software. Rather than relying on metrics such as the number of flaws fixed or the amount of time it took to release updates, the authors examined the practical effect protections included by default in each browser had on a wide class of exploits.

Their conclusion: Chrome is the most secured browser, followed closely by Microsoft IE. Mozilla's open-source Firefox came in third, largely because of its omission of a security sandbox that shields vital parts of the Windows operating system from functions that parse JavaScript, images and other web content.

"We found that Google Chrome did the most sandboxing," Chris Valasek, who is a senior research scientist for Accuvant, told The Register. "It restricted the movements more than any other browser. Internet Explorer came up a close second because it implemented a sandbox where you could do certain things but you were allowed to do more things than you could in Chrome. Lastly, Firefox came in last because it didn't implement a sandbox yet."

The report was commissioned by Google, but the authors insist they had complete autonomy in deciding what metrics to use and what conclusions they made. The researchers have released more than 20MB worth of data, software tools, and methodology so peers may review or build upon the research. The study focused solely on the security offered by Chrome, IE, and Firefox, which when combined account for more than 93 percent of web users, according to the report. All three browsers tested were run on Windows 7.

Their finding is backed up by anecdotal evidence, as well. Chrome has emerged unscathed during the annual Pwn2Own hacker contest for three years in a row, something no other browser entered has done. Reports of in-the-wild exploits that target the browser are also extremely rare.

Not all sandboxes are equal

In much the way traditional sandboxes prevent sand from mixing with grass on a playground, security sandboxes isolate application code inside a perimeter that's confined from sensitive OS functions. By placing severe restrictions on an application's ability to read and write to the hard drive and interact with other peripheral resources, sandboxes are designed to lessen the damage attackers can do when they successfully exploit a vulnerability in the underlying code base.

The so-called token in the Chrome sandbox, for instance, doesn't allow browser processes to access files outside of an extremely limited set of directories. It also forbids them from creating connections known as network sockets to communicate directly with servers over the internet. The sandbox in IE, by contrast, allows browser resources to read almost all parts of a hard drive and puts few restrictions on the creation of network sockets, the researchers said.

As a result, attackers who exploit a vulnerability in the Microsoft browser will have an easier time accessing contacts, documents, and other data stored on the hard drive of a targeted computer and uploading it to a command and control server.

"The Google Chrome token is far more restrictive," said Accuvant Chief Research Scientist Ryan Smith, who compared tokens to a driver's license that spells out what vehicles a holder is permitted to drive and other conditions, such as whether eyeglasses are required. "It's more like a learner's permit, whereas the Internet Explorer token is more like a Class C regular driver's license."

The researchers analyzed each browser's ability to read files, write files, and perform 13 other actions. As indicated in the graphic below, Chrome blocked all but two of them. Of those, one known as "system parameters" was partially blocked. IE, meanwhile, completely blocked only two actions, and partially blocked seven more actions. Seven additional actions, including the ability to read files, access networks, and create processes, were completely unrestricted.

In last place was Firefox, which allowed nine actions and partially blocked the remaining six actions.

Side-by-side comparison of sandbox protections in Chrome, IE, and Firefox. Source Accuvant (click to enlarge)

Sin of omission

The report refers to sandboxing as a "standard best practice within many popular applications." Chrome implements sandboxes in versions that run on Windows, Mac OS X, and Linux. Microsoft deployed sandboxing more than five years ago, starting when users ran IE version 7 on Windows Vista or later versions of Windows. Even Apple, which commands a tiny fraction of the browser market, implemented a robust sandbox in versions of Safari that run on Lion, the latest release of OS X.

In this context, the continuing failure of Firefox to offer sandboxing features is hard to excuse.

In a statement issued prior to the release of Accuvant's report, Johnathan Nightingale, Mozilla's director of Firefox engineering, said:

"Firefox includes a broad array of technologies to eliminate or reduce security threats, from platform level features like address space randomization to internal systems like our layout frame poisoning system. Sandboxing is a useful addition to that toolbox that we are investigating, but no technology is a silver bullet. We invest in security throughout the development process with internal and external code reviews, constant testing and analysis of running code, and rapid response to security issues when they emerge. We're proud of our reputation on security, and it remains a central priority for Firefox.

Reining in add-ons

The researchers also gave Chrome high marks for the strict limitations it places on software add-ons that extend the things users can do with the browser. As a result, attackers who manage to exploit extension bugs or trick victims into installing malicious add-ons are severely limited in the damage they can do. By comparison, IE and Firefox give extensions much wider latitude. IE add-ons, for instance, have the ability to create processes and to access the Windows clipboard, which can be a means of funneling malicious data from one application to another.

The other area where Chrome outflanked its rivals was its offering of what's known as JIT hardening. Short for just in time, JIT refers to code that's compiled on the fly and executed inside the browser. Attackers have long relied on JIT techniques to convert JavaScript into malicious machine code that bypasses exploit mitigations such as ASLR.

JIT hardening in Chrome, and to a lesser extent in IE, counteract JIT attacks by compiling JavaScript in an unpredictable way that makes it hard for attackers to control. Mozilla developers have yet to implement the feature in Firefox.

Accuvant rated Chrome and Firefix the most and least secured of the major browsers respectively (click to enlarge)

Besides ranking the security of the top three browsers, the paper argues that many of the metrics regularly used to gauge how well software stands up to hack attacks are unreliable. One such metric is the number of vulnerabilities patched, based on the assumption that more bugs indicate poorer-quality code than programs with fewer bugs. Other frequently cited factors include how quickly bugs are fixed and the severity of the bugs.

In the end, a browser will either succumb to a given exploit or it won't, and that's all that mattered to the paper's authors.

"We really didn't believe those [metrics] had much merit because it's really hard to correlate those things, especially between browsers and vendors," said Valasek, who along with Smith, was assisted by Accuvant colleagues Joshua Drake, Paul Mehta, Charlie Miller, and Shawn Moyer. "So we decided: Let's focus this paper on exploitation mitigation technology to show how these actually stand up against attackers when they find a vulnerability." ®

Related stories

• Firefox 'new tab' feature exposes users' secured info: Fix promised (22 June 2012)

  https://www.theregister.com/2012/06/22/firefox_new_tab_security_concerns/

• Apple patches steaming heap of Safari bugs (13 March 2012)

  https://www.theregister.com/2012/03/13/safari_5_1_4/

• Chrome patches up after double dose of CanSecWest pwnage (9 March 2012)

  https://www.theregister.com/2012/03/09/pwn2own_pwnium_cansecwest/

• Microsoft schtum on Dropbox snags with IE (27 January 2012)

  https://www.theregister.com/2012/01/27/microsoft_ie_dropbox_warning/

• Microsoft celebrates the death of IE6 (3 January 2012)

  https://www.theregister.com/2012/01/03/microsoft_ie6_death/

• Mozilla isn't a charity case - and Google's $300m will do nicely (28 December 2011)

  https://www.theregister.com/2011/12/28/google_mozilla/

• Newfangled graphics engine for browsers fosters data theft (14 December 2011)

  https://www.theregister.com/2011/12/14/browser_image_theft_threat/

• Major overhaul makes OS X Lion king of security (21 July 2011)

  https://www.theregister.com/2011/07/21/mac_os_x_lion_security/

• Whitehats break out of Google Chrome sandbox (9 May 2011)

  https://www.theregister.com/2011/05/09/google_chrome_pwned/

• Researcher breaks security sandbox in Adobe Flash (7 January 2011)

  https://www.theregister.com/2011/01/07/adobe_flash_bypass/

• Adobe (finally) adds security sandbox to Reader (19 November 2010)

  https://www.theregister.com/2010/11/19/adobe_reader_sandbox/

• Researchers penetrate last bastion of Windows security (3 February 2010)

  https://www.theregister.com/2010/02/03/microsoft_windows_protection_bypass/

• Snow Leopard security - The good, the bad and the missing (29 August 2009)

  https://www.theregister.com/2009/08/29/snow_leopard_security/

• Microsoft fortifies Windows 7 kernel with overrun buster (28 May 2009)

  https://www.theregister.com/2009/05/28/windows_kernel_safe_unlinking/

• Web browsers face crisis of security confidence (23 June 2008)

  https://www.theregister.com/2008/06/23/marginal_browser_security_protections/