The policy-allowed calls are then executed by the broker and the results returned to the target process via the same IPC.
Security is one of the most important goals for Chromium.
The key to security is understanding: we can only truly secure a system if we fully understand its behaviors with respect to the combination of all possible inputs in all possible states.
For a codebase as large and diverse as Chromium, reasoning about the combined behavior of all its parts is nearly impossible.
The sandbox's objective is to provide hard guarantees about what a piece of code can or cannot do, no matter what its inputs are.
The sandbox leverages OS-provided security mechanisms to run code that cannot make persistent changes to the computer or access confidential information.
The architecture and exact assurances that the sandbox provides are dependent on the operating system.
This document covers the Windows implementation as well as the general design.
The Linux implementation is described here, the OSX implementation here. There are no special kernel mode drivers, and the user does not need to be an administrator in order for the sandbox to operate correctly.
The sandbox is designed for both 32-bit and 64-bit processes and has been tested on all Windows OS flavors between Windows 7 and Windows 10, both 32-bit and 64-bit. Anything that needs to be sandboxed needs to live in a separate process.
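To make the broker/target split concrete, here is an added illustrative model (not Chromium's own sandbox code) of the policy step described above: the target process can only ask the broker for a resource, and the broker executes the call on its behalf only when an explicit policy rule allows it. The rule format, the `open_read`/`open_write` operation names and the paths are assumptions made for this example.

```cpp
#include <string>
#include <vector>

// Constructed model: a request the target sends to the broker over IPC.
struct Request { std::string op; std::string path; };

// A policy rule: allow one operation on any path under a directory prefix.
struct Rule { std::string op; std::string prefix; };

// What the broker sends back over the same IPC channel.
struct Reply { bool ok; std::string detail; };

// Reject paths containing a ".." segment, so a prefix rule cannot be
// escaped by walking back up the directory tree.
static bool HasParentReference(const std::string& path) {
    size_t pos = 0;
    while ((pos = path.find("..", pos)) != std::string::npos) {
        bool start_ok = pos == 0 || path[pos - 1] == '\\' || path[pos - 1] == '/';
        size_t end = pos + 2;
        bool end_ok = end == path.size() || path[end] == '\\' || path[end] == '/';
        if (start_ok && end_ok) return true;
        pos = end;
    }
    return false;
}

// Policy evaluation is default-deny: a request is allowed only if some rule
// matches both the operation and the path prefix exactly.
bool PolicyAllows(const std::vector<Rule>& policy, const Request& req) {
    if (HasParentReference(req.path)) return false;
    for (const Rule& rule : policy) {
        if (rule.op == req.op &&
            req.path.compare(0, rule.prefix.size(), rule.prefix) == 0)
            return true;
    }
    return false;
}

// Broker side: only policy-allowed calls are executed (with the broker's own
// privileges); everything else is answered with a denial, never performed.
Reply Broker(const std::vector<Rule>& policy, const Request& req) {
    if (!PolicyAllows(policy, req)) return {false, "denied by policy"};
    // A real broker would perform the OS call here and hand back the handle.
    return {true, "executed " + req.op + " on " + req.path};
}

// Example policy (assumed paths): read-only access under two directories.
std::vector<Rule> ExamplePolicy() {
    return {{"open_read", "C:\\Program Files\\App\\"},
            {"open_read", "C:\\Users\\u\\AppData\\Local\\App\\Cache\\"}};
}
```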