Security Considerations - ChromeDriver - Webdriver for Chrome


Problem description

I was wondering if anyone had more information on what the specific risks are for using chromedriver, as concerned by this statement.

"If possible, run ChromeDriver with a test account that has no access to sensitive local or network data. ChromeDriver should never be run with a privileged account."

Would like to know what the specific risks are when using a privileged account and what, if any, preventative measures can be taken to protect against them.

Thank you in advance!

Recommended answer

How Google Chrome Browser Works

In the article Chrome Browser Security, @STEPHANIE CRAWFORD mentioned that Google has leveraged its power as a search engine by creating its Safe Browsing technology, which will automatically warn you if Chrome detects that a site you're visiting contains malware or phishing.

Chrome deploys this security measure through a unique security feature termed Sandboxing. Sandboxing implies separating each process out into independent spaces to see how they function individually. Chrome handles its workload as a series of multiple processes rather than as part of one large browser process. Each time you open a Web page, Chrome launches one or more new processes to run the scripts on that page. Also, each Chrome extension and app runs in its own process. Chrome implements sandboxing through its multi-process architecture. The security advantage in sandboxing comes with Chrome being able to control the access token for each process. The access token for a process allows that process access to important information about your system, like its files and registry keys. Chrome intercepts each access token from the processes launched from the browser, and it modifies that token to limit its access to that information. So, Chrome's sandboxing helps block web pages that try to install malware, capture your personal information or obtain data from your hard drive. The drawback of sandboxing is that it can't catch everything. A sandboxed process might still be able to access less secure file systems. It's also likely to miss protecting registry keys and files managed by third party software, like a game or chat program that isn't native to the system.

While initiating a WebDriver controlled Chrome Browsing Context using Selenium, recently we had been advocating to use a certain command line argument:

  • --no-sandbox: Disables the sandbox for all process types that are normally sandboxed.

There are a couple more sandbox-related flags available which enable the sandboxed processes to run without a job object assigned to them. This flag is required to allow Chrome to run in RemoteApps or Citrix. This flag can reduce the security of the sandboxed processes and allow them to do certain API calls like shut down Windows or access the clipboard. Also we lose the chance to kill some processes until the outer job that owns them finishes.

  • --allow-no-sandbox-job: Disables usage of sandbox job.
  • --allow-sandbox-debugging: Allows debugging of sandboxed processes.
  • --disable-gpu-sandbox: Disables the GPU process sandbox.
  • --disable-namespace-sandbox: Disables usage of the namespace sandbox.
  • --disable-seccomp-filter-sandbox: Disable the seccomp filter sandbox (seccomp-bpf) (Linux only).
  • --disable-setuid-sandbox: Disable the setuid sandbox (Linux only).
  • --disable-win32k-lockdown: Disables the Win32K process mitigation policy for child processes.
  • --enable-audio-service-sandbox: enable the audio service sandbox.
  • --gpu-sandbox-allow-sysv-shm: Allows shmat() system call in the GPU sandbox.
  • --gpu-sandbox-failures-fatal: Makes GPU sandbox failures fatal.
  • --no-sandbox-and-elevated: Disables the sandbox and gives the process elevated privileges (Windows only).

Sandbox leverages the OS-provided security to allow code execution that cannot make persistent changes to the computer or access information that is confidential. The architecture and exact assurances that the sandbox provides are dependent on the operating system.

  • Windows implementation principles:
    • Do not re-invent the wheel: It is tempting to extend the OS kernel with a better security model. Don't. Let the operating system apply its security to the objects it controls. On the other hand, it is just okay to create application-level objects (abstractions) that have a custom security model.
    • Principle of least privilege: This should be applied both to the sandboxed code and to the code that controls the sandbox. In other words, the sandbox should work even if the user cannot elevate to super-user.
    • Assume sandboxed code is malicious code: For threat-modeling purposes, we consider the sandbox compromised (that is, running malicious code) once the execution path reaches past a few early calls in the main() function. In practice, it could happen as soon as the first external input is accepted, or right before the main loop is entered.
    • Be nimble: Non-malicious code does not try to access resources it cannot obtain. In this case the sandbox should impose near-zero performance impact. It's ok to have performance penalties for exceptional cases when a sensitive resource needs to be touched once in a controlled manner. This is usually the case if the OS security is used properly.
    • Emulation is not security: Emulation and virtual machine solutions do not by themselves provide security. The sandbox should not rely on code emulation, code translation, or patching to provide security.
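
A defensive check built from the flag list in the answer above, as an added example that is not part of the original answer or of ChromeDriver: it audits Chrome/ChromeDriver command lines (for instance from a test host's process listing) for switches that disable or loosen the sandbox, and for a root effective UID. The sample command lines, paths, function names and the `privileged-account` label are constructed for illustration, and the privilege check assumes a POSIX host.

```python
import shlex

# Switches from the answer's list that disable or loosen a sandbox layer.
# --enable-audio-service-sandbox and --gpu-sandbox-failures-fatal are left
# out because they tighten the sandbox rather than weaken it.
WEAKENING_FLAGS = {
    "--no-sandbox": "sandbox disabled for all normally sandboxed process types",
    "--no-sandbox-and-elevated": "sandbox disabled and process elevated (Windows only)",
    "--allow-no-sandbox-job": "sandbox job object not used",
    "--allow-sandbox-debugging": "sandboxed processes can be debugged",
    "--disable-gpu-sandbox": "GPU process sandbox disabled",
    "--disable-namespace-sandbox": "namespace sandbox disabled",
    "--disable-seccomp-filter-sandbox": "seccomp-bpf filter disabled (Linux only)",
    "--disable-setuid-sandbox": "setuid sandbox disabled (Linux only)",
    "--disable-win32k-lockdown": "Win32K mitigation policy disabled for child processes",
    "--gpu-sandbox-allow-sysv-shm": "shmat() allowed inside the GPU sandbox",
}

# Constructed sample: (effective UID, command line) pairs as a process
# listing on a POSIX test host might show them. Paths are illustrative.
SAMPLE = [
    (1001, "/usr/bin/chromedriver --port=9515"),
    (1001, "/opt/google/chrome/chrome --headless --user-data-dir=/tmp/profile1"),
    (0, "/opt/google/chrome/chrome --headless --no-sandbox "
        "--disable-setuid-sandbox --user-data-dir=/tmp/profile2"),
    (1001, "/opt/google/chrome/chrome --type=gpu-process --disable-gpu-sandbox"),
]

def audit_launch(command_line, euid):
    """Return (label, reason) findings for one Chrome/ChromeDriver process."""
    findings = []
    for arg in shlex.split(command_line)[1:]:
        name = arg.split("=", 1)[0]  # drop any "=value" part of the switch
        if name in WEAKENING_FLAGS:
            findings.append((name, WEAKENING_FLAGS[name]))
    if euid == 0:  # root: the "privileged account" the quoted statement warns about
        findings.append(("privileged-account", "process runs with effective UID 0"))
    return findings

def audit_all(processes):
    """Audit every (euid, command line) pair, preserving input order."""
    return [audit_launch(cmd, euid) for euid, cmd in processes]

if __name__ == "__main__":
    for (euid, cmd), findings in zip(SAMPLE, audit_all(SAMPLE)):
        for label, reason in findings:
            print(f"uid={euid} {cmd.split()[0]}: {label} ({reason})")
```
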
