The Chromium Projects

Security guidelines for closed-source components

Closed-source third-party components pose particular challenges to ensuring the overall security and stability of ChromeOS since they:

For these reasons, binary third-party components should be avoided as far as possible.

If there are strong business reasons to include the component, then it must be strictly isolated. It should:

In addition, we must require the vendor to use some means of ensuring robustness. For example:

The vendor should be asked to document their development practices, with emphasis on:

The first-party code that interacts with the binary component must strictly verify its inputs and outputs, and fuzzing is strongly recommended.
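
A sketch of such a first-party wrapper with a fuzz entry point, added here as an illustration and not taken from ChromeOS or any vendor code. The `blob_fn` signature, the size limits, and the misbehaving `fake_blob` stand-in are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_IN  4096   /* assumed protocol limit on request size */
#define MAX_OUT 1024   /* assumed protocol limit on response size */

/* Hypothetical signature of the closed-source entry point. */
typedef int (*blob_fn)(const uint8_t *in, size_t in_len,
                       uint8_t *out, size_t out_cap, size_t *out_len);

/* Constructed stand-in for the vendor blob: echoes the input, but reports a
 * bogus length when the first byte is 0xFF, as a buggy or compromised
 * component might. */
static int fake_blob(const uint8_t *in, size_t in_len,
                     uint8_t *out, size_t out_cap, size_t *out_len) {
    size_t n = in_len < out_cap ? in_len : out_cap;
    memcpy(out, in, n);
    *out_len = (in[0] == 0xFF) ? out_cap + 64 : n;
    return 0;
}

/* First-party wrapper: returns 0 on success, -1 on any rejected input or
 * implausible output. The caller's buffer is written only after all checks. */
int checked_call(blob_fn fn, const uint8_t *in, size_t in_len,
                 uint8_t *dst, size_t dst_cap, size_t *dst_len) {
    uint8_t scratch[MAX_OUT];
    size_t reported = SIZE_MAX;               /* poison: blob must set it */

    if (!fn || !in || !dst || !dst_len) return -1;
    if (in_len == 0 || in_len > MAX_IN) return -1;   /* input check */
    memset(scratch, 0, sizeof scratch);
    int rc = fn(in, in_len, scratch, sizeof scratch, &reported);

    if (rc != 0) return -1;                          /* only 0 is success */
    if (reported > sizeof scratch) return -1;        /* output length check */
    if (reported > dst_cap) return -1;               /* fits caller buffer */
    memcpy(dst, scratch, reported);
    *dst_len = reported;
    return 0;
}

/* libFuzzer entry point: the wrapper must never crash or overrun. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    uint8_t dst[MAX_OUT];
    size_t n = 0;
    checked_call(fake_blob, data, size, dst, sizeof dst, &n);
    return 0;
}
```

The wrapper only validates what crosses the boundary; it does not stop the component from misbehaving inside its own address space, which is why the isolation requirement still applies.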

For firmware binaries, the sandboxing should ideally take the form of hardware mechanisms that make it impossible for compromised firmware to affect the rest of the system (e.g. an IOMMU).