Arjun Baokar's answers
======================

1) Explain in your words what privilege separation is.

Privilege separation is when a system is divided into smaller parts, and each part is given only the privileges it needs to accomplish its tasks. This means that extra privileges that are unnecessary for tasks can't be abused by malicious attacks exploiting that part of the system, reducing potential damage from an attack.

2) Why is it not a good idea to run an entire web browser into one protection domain?

This creates a huge TCB (trusted computing base), which is much more prone to error than a smaller one. In the case of Chromium, the rendering engine is known to have a lot more code and vulnerabilities. If this was in the same protection domain as the kernel, it would have access to many more privileges, and each of the vulnerabilities could be used to own the user's system. By having separated modular protection domains, the TCB can be smaller and easier to secure (such as the kernel in this case). It also helps enforce privilege separation, since some protection domains can essentially be sandboxed.

3) Why does the Chromium browser's architecture protect against attacks such as file theft described on page 3?

Reading and writing to the file system are restricted to the browser kernel, and the rendering engine must go through the kernel API to do so. The kernel API provides checks to ensure that the rendering engine can only access the files that the user has authorized access to in the file picker dialog box. The kernel API also employs blacklisting to prevent certain kinds of filenames when downloading files, which helps prevent arbitrary drive-by downloads of malware that could do file theft when on the user's system.

4) Why doesn't the Chromium browser's architecture protect against phishing?

The browser architecture can't make up for users' gullibility if the attacker makes a convincing fake. The browser highlights the website domain name to help them, but if the user is stupid, Chromium can't stop the user unless it sacrifices functionality (which is bad for the browser). On the other hand, if the attacker exploits a vulnerability in the rendering engine, he can corrupt a window displaying an honest site and use that to phish. The architecture's privilege separation doesn't stop this, because the rendering engine needs to be able to render website content.

Eleanor Cawthon's answers
=========================

1) Explain in your words what privilege separation is.

Privilege separation is the idea that components of a program that require particular privileges should be isolated from components that do not require these privileges. That way, if the less-privileged components are compromised, the attacker only gains the minimal amount of power to disrupt other parts of the system.

2) Why is it not a good idea to run an entire web browser into one protection domain?

The most frequently exploited parts of a browser, like the HTML parser, do not actually require the permissions that other parts of the browser need to run (like access to the filesystem). Running these in the same protection domain means more exploits have access to, e.g., the filesystem.

3) Why does the Chromium browser's architecture protect against attacks such as file theft described on page 3?

As explained on page 6, any instance of the rendering engine can only upload files by going through the browser kernel's file chooser, which manages which files that instance can access. Compromising the rendering engine would therefore not allow the attacker to access any parts of the filesystem to which the user had not already authorized access.

4) Why doesn't the Chromium browser's architecture protect against phishing?

In a phishing attack, the target is information held directly by the user, not any aspect of the user's system. The attack is inherently embedded in the rendering of the page (to look like an honest website), so no amount of encapsulation from the rest of the system would be an appropriate defense.

Rishabh Poddar
===============

Summary

The developers of the Chromium browser divided its architecture into two components - the browser kernel and the rendering engine - each within a separate protection domain. The rendering engine is responsible for interpreting and executing web content, and the browser kernel manages instances of the rendering engine and interacts with the user's operating system. While the browser kernel has user level privileges and can read and write to the file system, the rendering engines are sandboxed and run with restricted privileges. As a result, the architecture of Chromium helps protect the confidentiality and integrity of the user's file system, even if an attacker manages to compromise a particular rendering engine by exploiting some unpatched vulnerability. Further, this architecture also ensures that the browser remains compatible with existing web sites.

1) Explain in your words what privilege separation is.

Privilege separation refers to a technique in which an application is divided into multiple parts, where each part runs with a different level of privilege. For example, the web browser Chromium is divided into two parts - (a) the browser kernel, which has user level privileges and can read and write to the user's file system, and (b) the rendering engine, which does not have these privileges by default. The aim of privilege separation is to contain any malicious activity within an unprivileged component, prevent it from compromising more privileged parts of the application, and thus protect the confidentiality and integrity of the underlying system.

2) Why is it not a good idea to run an entire web browser into one protection domain?

A web browser needs to be compatible with the existing web, and must support a range of activities to be useful. These activities often require higher levels of privilege, such as reading and uploading files, which an attacker could exploit towards compromising the user's system. This would be potentially unavoidable if the entire web browser were run in a single protection domain with a high level of privilege, as a malicious web page could then exploit browser vulnerabilities, obtain the same privileges as the rest of the browser, and compromise the confidentiality and integrity of the user's system.

3) Why does the Chromium browser's architecture protect against attacks such as file theft described on page 3?

The Chromium browser is divided into two parts - the rendering engine (which interprets and executes web content), and the browser kernel (which manages rendering engine instances and interacts with the operating system). While the browser kernel has user level privileges and can read and write to the file system, the rendering engines are sandboxed and have reduced privileges. Thus, even if an attacker manages to compromise a rendering engine and obtain its privileges, the sandbox prevents the attacker from issuing system calls, as the engine does not have those privileges. To read a file, the rendering engine must use the browser kernel's interface with the file system, thus protecting the system against attacks such as file theft (and others that involve compromising the user's machine).

4) Why doesn't the Chromium browser's architecture protect against phishing?

In phishing attacks, attackers masquerading as trustworthy entities attempt to trick a user into divulging private information. Such attacks can be attempted from within the browser's rendering engine to create a convincing phishing site by corrupting a window displaying an honest site. They are not aimed at compromising the user's file system, do not require any special privileges outside the rendering engine, and in effect exploit a user's lack of judgement into divulging private information. Thus, the sandboxing mechanism provided by Chromium's architecture cannot protect against phishing. While Chromium does provide useful security features to mitigate phishing attacks, these features are orthogonal to its architecture per se, and can be found in other browsers as well.
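The following added example (not from the paper, not Chromium's code, and not part of any of the answers above) models the browser-kernel / rendering-engine split that the answers to questions 1 and 3 describe. The privileged kernel runs as the parent process, the renderer as a child, and the renderer's only route to the file system is a request over a pipe that the kernel checks against the files the user picked. The allowlist standing in for the file-chooser selections, the blocked download suffixes, the sample files and the message format are all constructed for this example.

```python
import multiprocessing as mp
import os
import shutil
import tempfile

# Constructed stand-in for the kernel's download filename denylist mentioned
# in the answers to question 3 (the real list is not on the page).
BLOCKED_DOWNLOAD_SUFFIXES = (".exe", ".bat", ".scr")


def browser_kernel(conn, authorized_paths, download_dir):
    """Privileged broker (the 'browser kernel'). It is the only side that
    opens files. It serves renderer requests until it receives None."""
    # Canonicalise the user's file-chooser selections once so comparisons are
    # not fooled by '..' components or symlinks in renderer-supplied paths.
    authorized = {os.path.realpath(p) for p in authorized_paths}
    while True:
        request = conn.recv()
        if request is None:
            break
        op, arg = request
        if op == "read":
            real = os.path.realpath(arg)
            if real in authorized:
                with open(real, "rb") as f:
                    conn.send(("ok", f.read()))
            else:
                conn.send(("denied", "path not authorized by the file chooser"))
        elif op == "download":
            name, data = arg
            base = os.path.basename(name)  # renderer never picks the directory
            if base.lower().endswith(BLOCKED_DOWNLOAD_SUFFIXES):
                conn.send(("denied", "blocked filename"))
            else:
                with open(os.path.join(download_dir, base), "wb") as f:
                    f.write(data)
                conn.send(("ok", base))
        else:
            conn.send(("denied", "unknown operation"))


def rendering_engine(conn, results, secret_path, picked_path):
    """Runs in the child process. Models a renderer that a malicious page has
    taken over: it can ask for anything, but it owns no file handles, so every
    attempt is just a message the kernel is free to refuse."""
    conn.send(("read", secret_path))                    # file the user never picked
    results.put(("steal_secret", conn.recv()[0]))
    conn.send(("read", picked_path))                    # file the user chose
    status, data = conn.recv()
    results.put(("read_picked", (status, data)))
    conn.send(("download", ("payload.exe", b"MZ")))     # drive-by executable
    results.put(("drop_exe", conn.recv()[0]))
    conn.send(("download", ("report.txt", b"hello")))   # ordinary download
    results.put(("save_txt", conn.recv()[0]))
    conn.send(None)


def run_demo():
    """Create constructed sample files, run the kernel (parent) and renderer
    (child), and return the outcome of each renderer request."""
    tmp = tempfile.mkdtemp()
    secret = os.path.join(tmp, "secret.txt")
    picked = os.path.join(tmp, "picked.txt")
    download_dir = os.path.join(tmp, "downloads")
    os.mkdir(download_dir)
    with open(secret, "wb") as f:
        f.write(b"private data")
    with open(picked, "wb") as f:
        f.write(b"user chose this")

    kernel_end, renderer_end = mp.Pipe()
    results = mp.Queue()
    child = mp.Process(target=rendering_engine,
                       args=(renderer_end, results, secret, picked))
    child.start()
    browser_kernel(kernel_end, [picked], download_dir)  # returns after None
    out = dict(results.get(timeout=10) for _ in range(4))
    child.join()
    out["downloads"] = sorted(os.listdir(download_dir))
    shutil.rmtree(tmp)
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Running it shows the read of the unpicked file and the executable download both coming back as denied, while the user-picked file and the plain text download go through; the renderer process never holds a file descriptor of its own, which is the property the answers above attribute to Chromium's sandbox. Phishing is untouched by this design, as question 4 notes: nothing in the broker inspects what the renderer draws.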