Acidus wrote: It's early (actually very, very late). Still trying to understand the implication of this. Lots of people in the web security space and beyond have been saying it for years: The browser is the new OS and JavaScript is the new shell code. Only it was never designed to be an OS. The long-awaited Google OS is an open source web browser. I'm going to sleep. (PS. Did I misread page 10 through blurry sleep-dep eyes? Did Google really couple an input fuzzer to a web crawler for public sites?)
So we've gone back to a heavyweight multi-process architecture because we can't figure out how to write code that doesn't crash? I'm not saying this is a bad idea, but it's a capitulation to the war on software bugs. We can't protect you from vulnerabilities, but we can keep those bugs from taking the whole browser down with them if you're lucky enough to have encountered them without a payload attached. Having said this, the process sandboxing sounds like a good idea. There will inevitably be papers on how to escape it.

RE: Google's Chrome