According to foreign media reports, the Google Chrome team is working on improving the memory safety of its C++ codebase with a heap scanning technique. The technique is reported to be memory-intensive unless newer Arm hardware is used.
Google and Microsoft are among the main users of and contributors to C++, a fast language used in projects such as Chromium, the Windows kernel and Android. But because of the memory safety guarantees that Rust offers, interest in that language keeps growing.
Despite C++'s security flaws, Google cannot simply rip out Chromium's existing C++ and replace it with memory-safe Rust; a large-scale conversion of Chrome's C++ to Rust is unlikely, at least in the short term.
Instead, Google is working on improving the memory safety of C++ itself with a heap scanning algorithm. The approach has a cost of its own: it is very memory-intensive, which is why it is currently only experimental.
Anton Bikineev, Michael Lippautz and Hannes Payer of Google's Chrome security team said that, although languages other than C++ may offer stronger memory safety guarantees, large codebases such as Chrome will continue to use C++ for the foreseeable future.
With this in mind, Chrome engineers have been looking for ways to make C++ safer against bugs such as buffer overflows and use-after-free (UAF), in order to reduce memory-related security holes (the Chromium project attributes roughly 70% of its serious security bugs to memory safety problems).
C++ does not guarantee that memory is always accessed with up-to-date knowledge of its structure, so the Chrome team has been exploring "memory quarantine" and heap scanning to prevent the reuse of memory that is still reachable.
Memory quarantine and heap scanning provide temporal memory safety by holding freed memory back from reuse until it has been shown that no (dangling) pointers still reference it. To avoid changing C++ user code or its semantics, the memory allocator that implements new and delete is intercepted.
Google explains that when delete is called, the memory is effectively quarantined: it cannot be reused by the application for subsequent new calls. At some point a heap scan is triggered, which, like a garbage collector, scans the entire heap for references to quarantined blocks. Blocks with no incoming references from regular application memory are returned to the allocator, where they can be reused for subsequent allocations.
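What the quarantine-plus-scan cycle described above looks like in code, as an added illustration that is not Chrome's own implementation (Chrome's version lives inside its allocator, decides on its own when to trigger a scan and handles multiple threads; the toy below omits all of that). It models the heap as a fixed array of equal-sized blocks: delete moves a block into quarantine instead of onto the free list, and a conservative scan of the roots (stack-like memory the caller passes in) and of every live block decides which quarantined blocks may be handed out again. The class, the Range type and the two scenario functions are names chosen for this example only.

```cpp
// Toy model of "quarantine on delete, conservative heap scan before reuse" (illustration only).
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

struct Range { const void* begin; std::size_t size; };   // a root region (stack, globals) to scan

class QuarantineHeap {
    enum State { Free, Live, Quarantined };
public:
    static constexpr std::size_t kBlockSize = 64;   // fixed-size blocks keep the toy simple
    explicit QuarantineHeap(std::size_t nblocks) : arena_(nblocks * kBlockSize), state_(nblocks, Free) {}

    // Stand-in for operator new: hand out the first free block; quarantined blocks are not free.
    void* allocate() {
        for (std::size_t i = 0; i < state_.size(); ++i)
            if (state_[i] == Free) { state_[i] = Live; std::memset(block(i), 0, kBlockSize); return block(i); }
        return nullptr;   // arena exhausted
    }
    // Stand-in for operator delete: the block is quarantined, not put on the free list.
    void release(void* p) { state_[index_of(p)] = Quarantined; }
    bool is_quarantined(const void* p) const { return state_[index_of(p)] == Quarantined; }

    // The heap scan: roots and every live block are searched for words that point into a
    // quarantined block; unreferenced quarantined blocks go back to the allocator.
    // Returns the number of blocks reclaimed.
    std::size_t scan(const std::vector<Range>& roots) {
        std::vector<bool> referenced(state_.size(), false);
        for (const Range& r : roots) mark_range(r.begin, r.size, referenced);
        for (std::size_t i = 0; i < state_.size(); ++i)
            if (state_[i] == Live) mark_range(block(i), kBlockSize, referenced);
        std::size_t reclaimed = 0;
        for (std::size_t i = 0; i < state_.size(); ++i)
            if (state_[i] == Quarantined && !referenced[i]) { state_[i] = Free; ++reclaimed; }
        return reclaimed;
    }

private:
    unsigned char* block(std::size_t i) { return arena_.data() + i * kBlockSize; }
    std::size_t index_of(const void* p) const {
        return static_cast<std::size_t>(static_cast<const unsigned char*>(p) - arena_.data()) / kBlockSize;
    }
    // Conservative: any pointer-sized word whose value lands in a quarantined block counts as a
    // reference, even if it was never a pointer. That can only delay reuse; it never frees a
    // block that something still points at.
    void mark_range(const void* begin, std::size_t size, std::vector<bool>& referenced) const {
        const unsigned char* c = static_cast<const unsigned char*>(begin);
        const std::uintptr_t lo = reinterpret_cast<std::uintptr_t>(arena_.data()), hi = lo + arena_.size();
        for (std::size_t off = 0; off + sizeof(std::uintptr_t) <= size; off += sizeof(std::uintptr_t)) {
            std::uintptr_t word;
            std::memcpy(&word, c + off, sizeof word);   // alignment-safe read
            if (word >= lo && word < hi && state_[(word - lo) / kBlockSize] == Quarantined)
                referenced[(word - lo) / kBlockSize] = true;
        }
    }
    std::vector<unsigned char> arena_;
    std::vector<State> state_;
};

// Scenario 1: a live heap object still holds a pointer to the freed block. The block must stay
// quarantined (and must not be handed out by a later "new") until that pointer is cleared.
bool held_while_referenced_from_heap() {
    QuarantineHeap heap(4);
    void* holder = heap.allocate();
    void* victim = heap.allocate();
    std::uintptr_t p = reinterpret_cast<std::uintptr_t>(victim);
    std::memcpy(holder, &p, sizeof p);            // holder->next = victim
    heap.release(victim);                         // "delete victim" while holder still points at it
    bool held = heap.scan({}) == 0 && heap.is_quarantined(victim) && heap.allocate() != victim;
    std::memset(holder, 0, sizeof p);             // last reference dropped ...
    bool reclaimed = heap.scan({}) == 1 && !heap.is_quarantined(victim) && heap.allocate() == victim;
    return held && reclaimed;                     // ... so now the memory may be reused
}

// Scenario 2: the dangling pointer is a root (a local on the stack). Also shows the memory cost
// the article mentions: a quarantined block is unusable, so the small arena runs out.
bool held_while_referenced_from_roots() {
    QuarantineHeap heap(2);
    (void)heap.allocate();                        // one live block, never freed
    void* dangling = heap.allocate();
    heap.release(dangling);
    std::vector<Range> roots = {{&dangling, sizeof dangling}};
    bool held = heap.scan(roots) == 0 && heap.allocate() == nullptr;
    dangling = nullptr;                           // last reference gone
    bool reclaimed = heap.scan(roots) == 1 && heap.allocate() != nullptr;
    return held && reclaimed;
}
```

The second scenario is the memory cost the article refers to in miniature: every block sitting in quarantine is memory the allocator cannot give back to the application until a scan proves it unreferenced, and the scan itself touches the whole live heap.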
UAFs make up most of the high-severity issues affecting browsers: Chrome 102 recently fixed a critical UAF, and 6 of its 8 high-severity vulnerabilities were UAFs.
UAF accesses are caused by dangling pointers: a dangling pointer arises when memory used by the application is returned to the allocator or the underlying system while a pointer to the now-dead object remains. Accessing memory through a dangling pointer is a UAF, and such bugs are hard to spot in large codebases.
To find and mitigate UAFs, Google already uses C++ smart pointers such as MiraclePtr (which also carry a performance cost), as well as compiler checks, sanitizers, fuzzers, static analysis and a garbage collector called Oilpan.
If heap scanning makes it past the experimental stage, Google may invest more in the project later, but adoption will depend on devices shipping with recent Arm hardware.
According to the reports, Google has experimented with hardware-assisted memory tagging via the Memory Tagging Extension (MTE) in Armv8.5-A to reduce the overhead of heap scanning. Benchmark results with the MTE prototype show significantly reduced memory consumption. Whether MTE will see wide enough adoption for heap scanning to run without an unacceptable performance impact remains an open question.
"C++ allows high-performance applications to be written, but at the cost of security. Hardware memory tags may fix some of C++'s security holes while still allowing high performance," says the Chrome security team. "We look forward to seeing wider adoption of hardware memory tags in the future, and recommend the use of heap scanning on hardware memory tags."
Reference link: https://www.zdnet.com/article/programming-languages-how-google-is-improving-c-memory-safety/