With the announcement of the upcoming Google Chrome OS, Google is adding some hype to the mix. Google is boldly stating that they are “going back to the basics and completely redesigning the underlying security architecture of the OS so that users don't have to deal with viruses, malware and security updates.
It should just work.” That is a very lofty goal and a loaded statement. In reality, Google is not too off base here. What it seems they are going to do is make a very small OS. The OS will really only be responsible for basic input and output and run a browser. This means that all of the security holes that go along with the “extras” of modern operating systems will not be a factor. This will have an impact on malware. It means that there won't be any holes in code that doesn't exist.
This will dramatically reduce the security footprint of the operating system. This is true. Generally speaking, when you develop something, it will have errors. The errors can be limited and if there are any vulnerabilities, they can be mitigated. However, if you develop software that is used to interact with other peoples projects, then the security is only as good as the weakest link. In Google's case, they may be developing a light-weight, hardened OS that only runs a browser (for use with Google docs and other web-based applications), but if you use the browser to view a page that is vulnerable then you are still just as insecure.
THE REAL DEAL
Here is a prediction. Google Chrome OS will set out to revolutionize the OS world. They will be successful overall in producing a shift in concepts, but not in the ways they intend on security. There will be exploits that take advantage of the basic input and output. Not only that, but there will be exploits that take advantage of cross-site malware, session hijacking and other browser-only tricks. For instance, Google intends that for productivity you will be using Google Docs.
What would happen if you browse a site that has a cross-site exploit that steals your Google Docs? That's just one thought. I also predict that there will be security updates. Any operating system has the distinct responsibility to be in charge of any input and output of the entire system. Anything that can subvert this is malware and must be dealt with. Any OS is vulnerable just by the nature of being an OS. The advantage to Google's approach is that any holes will be found quickly as there will be a much smaller footprint. Also, you will still need to install some third party drivers and such for input and output. Vulnerabilities can quickly show up here (and although Google can't be held responsible, neither can Microsoft and we all know how we act when something *seems* to be Microsoft's bug).
IF THE HYPE IS RIGHT
If Google is fully successful in securing their code and making an OS that depends on software that exists over a network then this means that Internet security will inherently be much more important. IPS offerings will be in charge of securing your documents rather than client-based AV protection. Security will shift along with the new thoughts on OS technology and application flow. This is an announcement that should live up to the hype, either way.
The original article/video can be found at Google Chrome OS and Some Words On Hype