Published in News

Chrome’s security bugs are memory safety problems

by on25 May 2020


More than 70 percent of them

Most of Chromes serious security bugs are due to memory memory safety problems, the Chromium project said.

The percentage was compiled after Google engineers analysed 912 security bugs fixed in the Chrome stable branch since 2015, bugs that had a "high" or "critical" severity rating. The number is identical to stats shared by Microsoft.

Speaking at a security conference in February 2019, Microsoft engineers said that for the past 12 years, around 70 percent of all security updates for Microsoft products addressed memory safety vulnerabilities.

Both outfits are dealing with the same problem, namely that C and C++, the two predominant programming languages in their codebases, are "unsafe" languages.

Google says that since March 2019, 125 of the 130 Chrome vulnerabilities with a "critical" severity rating were memory corruption-related issues, showing that despite advances in fixing other bug classes, memory management is still a problem.

Half of the 70 percent were use-after-free vulnerabilities, a type of security problem that arises from incorrect management of memory pointers (addresses), leaving doors open for attackers to attack Chrome's inner components.

While software companies have tried before to fix C and C++'s memory management problems, Mozilla has been the one who made a breakthrough by sponsoring, promoting and heavily adopting the Rust programming language in Firefox.

Microsoft is heavily investing in exploring C and C++ alternatives as is Google .

Google says it plans to look into developing custom C++ libraries to use with Chrome's codebase, libraries that have better protections against memory-related bugs. The browser maker is also exploring the MiraclePtr project, which aims to turn "exploitable use-after-free bugs into non-security crashes with acceptable performance, memory, binary size and minimal stability impact".

Google also said it plans to explore using "safe" languages, where possible. Candidates include Rust, Swift, JavaScript, Kotlin, and Java.

 

Last modified on 25 May 2020
Rate this item
(0 votes)

Read more about: