undefined | Better HN

0 pointsom29y ago0 comments

Safari's sandbox is weaker in some ways and stronger in others. Saying which is overall stronger would be a judgment call. I wouldn't make a claim like that without spelling out at least some of the details.

This subthread is about the sandbox so I'm not sure why you threw in "and anti-exploit features". I'd probably say without qualification that Chrome has better memory corruption mitigations.

I hoped you might have concrete feedback on what aspects of our sandbox we should shore up. We have our own ideas but of course an informed outside view would be valuable.

0 comments

4 comments · 1 top-level

tptacek9y ago· 3 in thread

In what ways would you say the Safari sandbox is stronger than Chrome's, on macOS?

How would you compare Safari's anti-exploit technology (allocator hardening, Javascript engine hardening, &c) to that of Chrome? Do you think you do anything better than Chrome does on that front?

om2OP9y ago

Your original post here made a bold claim with no qualification and no supporting details. You're not providing any backing to your claim but at the same time you're asking me to give details. Plus you've repeatedly thrown in anti-exploit tech which wasn't the original point of contention.

It would be easy to get the impression that you're trying to shift the burden of proof and move the goal posts. Despite this, I will try to assume good faith.

I think you original post gave the impression that Safari either has no sandbox, or has a wildly ineffective sandbox. You didn't directly state it, but at least some users understandably took away that implication. I think this is inaccurate and unfair.

One piece of evidence we have is grey market prices for end-to-end Safari exploits (with full sandbox escape). By this metric, breaking out of our sandbox on Mac or iOS is not trivial, and is at least comparable in difficulty to Chrome or Edge on Mac, Windows or Android. On the flip side, it seems to be significantly easier to get inside-the-sandbox remote code execution in Safari if you go by market prices, hacking contests, etc. That's something we're working on. Chrome and Edge definitely have materially better mitigations here (as I said in my earlier post).

And finally, to answer your question: One small way Safari has better sandboxing is the we sandbox our network process (something that Chrome is still working on).

tptacek9y ago

My contention was that Safari is less safe than Chrome, not that Safari's sandbox was in particular worse than Chrome's. Nevertheless, on balance, Safari's sandbox is significantly worse than Chrome's. I think --- but you'd know better than I would --- that this is because browser security is a platform problem for Apple, and an application problem at Google. Apple's platform-level mitigations are very powerful on iOS, but substantially less powerful on general-purpose operating systems. Chrome's sandboxing is specific to Chrome itself, and thus finer grained and more powerful.

I think if you create a breakdown of all the facets of browser security, it will look something like this:

Isolation: Chrome > Edge | Safari > Firefox

Anti-Exploit: Edge > Chrome > Firefox > Safari

UX: Chrome > Firefox > Safari > Edge (U2F, password manager)

TLS: Chrome > Firefox > Safari | Edge

Library Security: Chrome > Edge > Firefox > Safari

If you want to add privacy controls here, you'll get an easy win for Safari, but privacy isn't security.

You're close to this stuff though, so if you disagree with any of these informal rankings, or think I've got the rankings wrong, please correct me.

1 more reply

nthuser9y ago

Why don't you first answer the question that was asked?.

j / k navigate · click thread line to collapse