Introduction

In our continuing series on personal computing security, we’re talking with Collin Jackson and Adam Barth about the security features of Google Chrome. Both Collin and Adam are members of the Web Security Group at Stanford University. Collin is still finishing his PhD at Stanford, while Adam completed both his master’s degree and a PhD at Stanford. After completing his training at the Best School in the Bay Area, Adam spent some time as a post-doc at the second-rate public school across the bay (UC Berkeley). Both of them have worked at Google. While there, they were the lead authors on an academic analysis of the security architecture of Chromium, the core upon which Google Chrome is built.

Alan: Thanks for taking the time to talk with us. Let’s start with the basics. Why don’t you tell me a little bit about yourself? How did you decide to specialize in security research, and why did you both choose Stanford University?

Collin: I picked Stanford because it has top-notch professors working in a broad range of fields, and I wasn't yet sure what I wanted to do. When I got there, I got drawn into Web security because all the most interesting applications are moving to the Web, yet the details of the Web security model are still poorly understood.

Adam: I've been interested in security since I was a kid. One of my favorite games growing up was to invent ciphers for my friends to break. I chose Stanford because I have a personal connection with Stanford: I grew up in Palo Alto and my mother is a professor in the business school.

Alan: When I was in CS106B, I won first place in the programming contest (Fastest Algorithm: Panex Puzzle). The instructor was from Google, which was then only about a year and a half old. I’ve always wondered if I could have gotten a job at Google if I wanted to pursue a career in CS. What was the coolest thing about working at Google?

Adam: For me, the coolest thing about working at Google was being able to use their massive computing infrastructure to run experiments. For example, we used this infrastructure to optimize the security of Chrome's content sniffing algorithm (these experiments eventually led to this paper: http://www.adambarth.com/papers/2009/barth-caballero-song.pdf).

Alan: There have been a few designers who have recently left Google because they felt that the process was too bureaucratic. Was it hard to get them to let you run an experiment on a new algorithm using Google’s database of billions of Web pages as the data set, and then convince them to let you use the QA team to manually test the top 500 sites? How long did it take to run your algorithm through the billions of Web sites?

Adam: There wasn't any resistance to running the experiments. I'm not sure exactly how long they took to run, but it certainly took less time to run the experiments than to design them in the first place. We did this work in collaboration with the HTML 5 standardization effort, and we hope that other browsers can benefit from these experiments by adopting the HTML 5 content sniffing algorithm.