Google Chrome
Behind the Open Source Browser Project

[...] applications.

[...] watching and uploading videos, chatting with each other, playing web-based [...]

[...] these things that didn't exist when the first browsers were created.

Wouldn't it be great, then, to start from [...] and design something based on the needs of today's web applications and today's [...]

First, browsers need to be more stable. When you're writing an important email or editing a document, a browser crash is a big deal.

(Darin Fisher, Software Engineer)

Browsers also need to be faster. They need to start faster, load pages faster -- and for web apps, JavaScript itself can be a lot faster.

They need to be more secure. Given what's known about mass browser exploits, browsers need architectural changes to disadvantage [...]

And we want browsers to find that sweet spot between too many features and too few, with a clean, simple, and efficient user interface.

Finally, Google Chrome is a fully open source browser. We want others to adopt ideas from us -- just as we've adopted good ideas from others.

Stability, Testing and the Multi-Process Architecture

When we started this project, the Gears guys were saying that one of the problems with browsers is that they're inherently single-threaded.

For example, once you have JavaScript executing, it's going to keep going, and the browser can't do anything else until JavaScript returns control to the browser. So developers write APIs that are asynchronous -- call me [...] -- and every now and then the browser locks up because JavaScript is hung up on something.

The Gears guys were thinking about a multi-threaded browser. But that led us to talk about, well, instead of multiple threads -- what if we have multiple processes?
Each having its own memory and its own copy of the global data structures.

We're applying the same kind of process isolation you find in modern operating systems. So, separate processes, rendering separate tabs.

Now you have separate JavaScript threads as well. One tab busy, while you're still using all the others.

And if there's a browser bug in the renderer (and our experience is that it's almost impossible to eliminate all bugs), we still only lose the one tab.

When one tab goes down you get a "sad tab", but it doesn't crash the whole browser. And yes, it really looks like [...]

A multi-process design means using a bit more memory up front. Each process has a fixed additional cost. But over time, it will also mean less memory bloat.

In a traditional browser, you only have one process, and one address space that you keep loading web pages into.

When you have too many tabs open, you can close some to free up memory. When you bring in another tab, you use the memory that was previously used.

But as time goes on, fragmentation results -- little bits of memory still get used even when a tab gets closed.

Either we have memory that nothing can refer to again, or there's a piece of de-allocated memory we still have pointers to.

So when the browser wants to open a new tab, it can't fit it in the existing space -- and so, the OS has to grow the browser's address space. And this problem grows all day, as the lifetime of the browser extends.

"Hurry up." "Try closing some tabs."

But when a tab is closed in Google Chrome, you're ending the whole process -- and all that memory gets reclaimed. Open a new tab now, and you're starting from scratch.

So as you browse, we're creating and destroying processes all the time. If there's a crazy memory leak it won't affect you for that long
because you'll probably close the tab at some point and get that memory back.

(Brett Wilson, Software Engineer)

And we're taking it one step further. Suppose you navigate from domain A to domain B. There's no need for any relationship between the two sites -- so now we can throw away the old rendering engine, the old data structures, the old process.

So, even within a tab, we can be collecting and tossing out the garbage, recycling the whole process.

And just like with your OS, you can look under the hood with Google Chrome's task manager to see what sites are using most memory, downloading the most bytes, and abusing your CPU.

"Why is this downloading the entire internet?"

You can even see plug-ins within the tab, since they appear in Chrome's task manager as separate processes.

So, when things start freaking out, you'll finally have some insight into who's misbehaving and why -- placing blame where blame belongs.

Chrome is a massive, complicated product that will need to load [...]illions of different web pages. So testing is critical.

Fortunately, here at Google, we have an equally massive infrastructure. Within 20-30 minutes of each new browser build, we can test it on tens of thousands of different web pages.

Each week, "Chrome bot" tests millions of pages, giving our developers early results they'd otherwise have to wait until external beta for.

The key is catching problems as early as possible. It is less expensive and easier to fix them right away. After a few days it is harder to track them [...]

And catching them early helps engineers write better code. They say, "Oh, this mistake is part of a pattern" and the next time, they're less likely to make it.

(Erik Kay, Software Engineer)

There are several ways we test each check-in. From unit tests of individual pieces of code -- to automated UI testing of scripted user actions like "clicked back button, went to page" -- to fuzz testing: sending your application random [...]

Of course, there are billions, maybe trillions of webpages out there. If each build is tested against a million sites, which million do we use?

Fortunately, we have a unique take on this problem.

We already rank pages based on which pages the average user is most likely to visit. At the very least, we'll make sure we won't be broken on the kinds of sites people use on a day-to-day basis.

In layout testing, WebKit found that producing a schematic of what the browser thinks it's displaying is a more precise way to compare layouts than taking screenshots and creating a cryptographic hash.

When we started we were passing 23% of WebKit's layout tests. Moving from there to 99% has been a fun challenge and an interesting example of test-driven design.

There are limits to what we can do with automated testing. We can't test websites that require a password, for example.

And it's not the same as a human being walking around and misusing things. We are using the browser in the way we've designed it to be used.

It's hard to cover 100%, but that's what we're trying to do.

I don't care if there's one fewer cool feature. I just want this product to be rock solid.

Part Two
Speed: WebKit and V8

WebKit is the open source rendering engine we used for Google Chrome.

We were impressed by how fast it is. We also knew there was a team at Google working on Android and we asked them, "Why did you guys use WebKit?" They said it uses memory efficiently, was easily adapted to embedded devices, and it was easy for new browser developers to learn to make the code base work.

Browsers are complex. One of the things done well with WebKit is that it's kept simple.

Because JavaScript is so important to the web today -- we decided it was important to work on building a JavaScript virtual machine -- [...]
Virtual machines provide safety and platform independence.

But previous virtual machines for JavaScript were designed for small programs, where the performance and interactivity of the system weren't that important.

[...] wanted to run some very basic stuff on a [...]

But now, you have web applications like Gmail that are using the web browser to its fullest when it comes to DOM manipulations and JavaScript, [...] simplistic approach to JavaScript engines isn't enough anymore.

So we started with no code, just some [...] ideas about how to make it go really fast -- such as hidden class transitions.

JavaScript itself is classless. You can create a new object, dynamically add properties to it and go on.

But in V8, as execution goes on, objects that end up with the same properties will share the same hidden class and we can start applying dynamic optimizations based on that.

Another factor in V8's speed is [...]

When other JavaScript engines run, they look at the JavaScript source code and generate an internal representation of it that they can interpret.

So instead, V8 looks at the JavaScript source code and generates machine code that can run directly on the CPU that's running the browser.

But, when you have to do interpretation, you have to look at the structure of your [...]

When you interpret once and compile machine code, then that code is your representation of the JavaScript source code and it doesn't need to be interpreted, it just runs.

Finally, the core design flaw of current JavaScript engines -- is bad collection behavior.

JavaScript and other modern object-oriented programming languages have automatic [...]

If you don't have a reference to an object anymore, its memory can be reclaimed by the system. That's garbage collection, and it's a fairly trivial process.

But in existing JavaScript virtual machines, they use conservative garbage collection -- which means that because you don't know exactly where all the pointers are -- you start searching through the execution stack to see which words look like pointers.

But the ones that sort of look like pointers could also be integers that just happen to have the same address as an object in the object heap.

In V8, we are using precise garbage collection, so we know precisely where all of the pointers are on the stack and this gives us several advantages. One is that we can migrate an object to another place and just rewire the pointer.

And, because we know precisely where all the pointers are, we can also implement incremental garbage collection. Meaning quick garbage collection round-trips that are close to a few milliseconds, compared to processing all 100MB of data which could cause second-long pauses.

This means much better interactive performance of web applications like [...] -- smoother drag and [...]

V8 has a specific API that Google Chrome uses, but the core part of the engine is independent of the [...] browsers can include it -- or, if there's another project that JavaScript can apply to, developers can take V8 by itself.

We hope V8's performance will set a new bar, and that the other development teams will continue to improve in this space.

[...] system that's become faster over time, what happens is that you get bigger, better, more inventive apps.

Part Three
Search and the User Experience

In Google Chrome, the primary piece of the user interface is the tab.

We could detach the tabs easily because of the separation of the browser and tab processes.

As soon as we started thinking about it that way, the design naturally followed.

Rebuilding the UI so the tabs were on top.

Move it from window to
window and the tab's state goes [...]

And because the tabs are the most important part of the UI, each tab has its own controls [...] URL box.

The omnibox handles far more than just URLs. It also offers suggestions for searches, top pages [...] before, pages you haven't visited [...] and more...

You have full text search over your history. If you found a good site for digital cameras yesterday, you don't have to bookmark that page. [...] quickly get back to it.

(Glen Murphy, Software Engineer)

When the team suggested autocompletion in line, I said I hated it when browsers stick all this crap into a location bar as I'm typing. It's never what I want.

But, they said, no, no, it'll be fine. Trust us -- they went on and made it something really compelling..

Inline completions will never flicker, and never flash. It's perfectly, aesthetically non-distracting.

Plus, it'll only autocomplete to something you've explicitly typed before.

And you might go straight to [...]

And when you search on sites like Amazon, Wikipedia or even Google -- the [...] search boxes on those pages are captured in your local system -- so you can search those same sites with different terms later on, straight from the address bar, by starting the site's name [...]

[...] most browsers today, and you'll get your [...] Some users have a blank page because it opens quickly.

But the action of opening a tab is a statement of intent: you want to go someplace! Maybe you know where. Maybe you don't know and need to [...]

[...] default experience, then, is the new tab page with your nine most visited pages here -- and the sites you search on most here.

It's the pages you were going to type into the URL box anyway. Google Chrome uses your behavior in the omnibox to feed into that page.

You might open it and be, like, what's all my stuff doing here? But after a while, you see this page and it's just you, it's your browser.

Google Chrome has a privacy mode. You can create an "incognito" window and nothing that occurs in that window is ever logged on your computer.

It's a read-only mode: you can still access your bookmarks, but none of your history is saved in the browser -- and when you close the window, the cookies from that session are wiped out.

Want to keep a surprise gift a secret?

Pop-ups are scoped to the tab they came [...]

[...] a pop-up into your world. If it's something you want, though -- just drag it out and it'll be promoted [...]

Security, Sandboxing and Safe Browsing

Malware and phishing -- are a huge problem for users, affecting trust and confidence in the web.

When we started this project, it was a very different landscape from when the other browsers started. Back then it was about rendering the page and getting the cool things working. There was no monetary incentive to put malware on users' machines.

Now, malware is very financially driven. It's all about stealing passwords, and moving money around.

In thinking about security, we began with the assumption that your browser would get compromised. You will eventually encounter [...]

With sandboxing, our goal is to prevent malware from installing itself on your computer or using what happens in one tab to affect what happens in another.

So, for each of these processes we've stripped away all of their rights. They can compute but they can't write files to your hard drive or read files from sensitive areas like your documents or desktop.

Or as
the sandbox team put it -- we've taken this existing process boundary -- and made it into a jail.

That means no watching you [...] type your credit [...] No reading [...] returns. No telling Windows to run an executable at start-up.

Something bad could be running in this tab -- but as soon as you close it, it's gone. No effect on your machine and no effect on other processes.

The perimeter of the sandbox is largely based on permissions.

(Mark Larson, Program Manager)

Vista uses a modified version of the Biba security model which has three levels. (Very trusted. Somewhat trusted. [...] at all.)

This level is for backup systems, programs that update, etc.

Typically, applications receiving and processing data from the internet are split into the two lower levels.

This level is for everything the user runs normally. Notepad, Solitaire, Calculator.. The problem is that unlike the high level, there's a lot of sensitive info here that this level should not be allowed to read!

[...] only from high to low.

In our model, there's the user, and there's the sandbox. And any communications must be initiated by the user.

This side can reply but it has no way to access anything that isn't explicitly provided by the user.

We can do this because all our code is [...] code, so Google Chrome has full control over this.

[...] exception -- plugins. Because webpages are more than just HTML and JavaScript.

In terms of permissions on the system, Google Chrome's renderer may run at very low privileges, but there are plugins that run at the same level or even higher than the browser.

Plugins have capabilities that aren't public standards, so we can't sandbox these yet. Though with some small changes on the part of the plugin makers, we can get them to run at a lower privilege which would be much much safer.
Meanwhile, we have a huge surface area reduction in vulnerability, from all [...]

When a plugin combines with HTML and JavaScript, it all runs in the same process.

[...] worked on ripping plugins out of the rendering process and putting them in a separate process all their [...]

That way, the rest of the page can still be sandboxed, even if the plugin can't be.

Sandboxing can help protect users from malware, [...]

[...] typical phishing scheme, an attacker sends out [...] "[...] your bank, your account is compromised, give me your SSN so I can verify [...]"

Then they send users to a nearly exact copy of their bank's website and start stealing their information.

We've made this service freely available. We're happy to give it away. It's a public API.

Google Chrome is continually downloading lists of harmful sites, one for phishing, one for malware. [...] website that matches the list, you'll get a warning.

There's a second list of malware websites. Websites where a ton of bad things might happen to your computer, just on arrival.

When we discover malicious content, we notify the owner of a website, who usually wasn't intending to be malicious, and they can take this information and clean up their site.

Part Five
Gears, Standards and Open Source

Another thing we built into Google Chrome is Gears. Gears basically adds an API to your browser -- an extension that improves its capabilities.

[...] perspective, Google Chrome and Gears are entering the web [...]

The browser project is [...] effort to make the web better for users. The Gears team wants to make the web better for developers.

There are a lot of limitations to the kinds of applications that you can build today with web browsers, and the subset of things you can do is different for each browser.
If one browser has a cool feature, that doesn't help -- [...]

[...] interest to make the internet better and without competition we [...]

That's why we're open sourcing the whole thing. We need the internet to be a fair, smart, safe place.

As excited as we are about building Google Chrome, it's important to help all browsers become more powerful -- to keep evolving with the web and continuing to build a solid foundation for modern web applications.

We owe a great debt to other open source browser projects -- especially Mozilla and WebKit.

This is our contribution, and we hope people will take some of these ideas, too; challenge them, build on them, and keep moving the web forward.

Words: The Google Chrome Team
Comics Adaptation: Scott McCloud
