by briansmith
6301 days ago
I understand how process-per-tab protects against cross-domain attacks. In protecting against cross-domain attacks, Chrome's architecture is safer than IE's since IE will often put multiple tabs in the same process. But, I don't think the number of tabs per process has an effect in the ability to prevent exploits of the local system. The feature of Chrome and IE Protected Mode that protects against local exploits is basically the same. There is a "main" process that has access to the local system (files, registry, other processes). And, there are some "sandboxed" processes that do not have access to the local system except for a communication channel to the main process. Any time these browsers interpret some input from the internet, they do so only in the sandboxed processes. The only way a sandboxed process can access local resources is by asking the main process to give it the local resource through the communication channel. The main process asks the user to approve the request before accessing the local resource on behalf of the sandboxed process. As long as the main process implements its side of this communication channel correctly, there is no way for malicious web content to break out of the sandbox. That is the case whether there is one tab per process or more than one tab per process.

Vista Protected Mode (IIRC, it only works on Vista, because of XP's session security flaw) is like privsep SSH. Its primary job is to keep malware from persisting.
On Windows, my understanding is that Chrome Sandboxes do the same thing. But what the process-per-tab model is most notable for is defending against cross-domain attacks. Which, if you ask me --- and I'm a Microsoft booster --- is the more important threat model. Browser-resident malware is where we're headed.