
Chrome: 70% of all security bugs are memory safety issues

May 23, 2020

Roughly 70% of all serious security bugs in the Chrome codebase are memory management and safety bugs, Google engineers said this week.

Half of the 70% are use-after-free vulnerabilities, a type of security issue that arises from incorrect management of memory pointers (addresses), leaving the door open for attackers to target Chrome’s inner components.

The percentage was compiled after Google engineers analyzed 912 security bugs fixed in the Chrome stable branch since 2015, bugs that had a “high” or “critical” severity rating.

The number is identical to stats shared by Microsoft. Speaking at a security conference in February 2019, Microsoft engineers said that for the past 12 years, around 70% of all security updates for Microsoft products addressed memory safety vulnerabilities.

The never-ending problem of memory management

Both companies are basically dealing with the same problem, namely that C and C++, the two predominant programming languages in their codebases, are “unsafe” languages.

They are old programming tools created decades ago when security exploitation and cyber-attacks were not a relevant threat model and far from the mind of most early software developers.

As a result, both C and C++ let programmers have full control over how they manage an app’s memory pointers (addresses) and don’t come with restrictions or warnings to prevent or alert developers when they’re making basic memory management errors.

These early coding errors result in memory management vulnerabilities being introduced in applications. This includes vulnerabilities like use-after-free, buffer overflow, race conditions, double free, wild pointers, and others.

These memory management vulnerabilities are the most sought-after bugs that attackers try to find and exploit, as they can grant them the ability to plant code inside a device’s memory and have it executed by the victim application (browser, server, OS, etc.).

In a ranking released at the start of the year, the MITRE Corporation, the organization that manages the US government’s vulnerability database, ranked buffer overflow as the most dangerous vulnerability, with two other memory management-related issues also ranked in the top 10 (out-of-bounds read on #5 and use-after-free on #7).

As software engineering has advanced in recent years, developers have been getting better at rooting out most security flaws and putting security protections in place.

But not for memory management vulnerabilities.

Google to look into addressing Chrome’s memory bugs

Google says that since March 2019, 125 of the 130 Chrome vulnerabilities with a “critical” severity rating were memory corruption-related issues, showing that despite advances in fixing other bug classes, memory management is still a problem.

The problem of memory management bugs has been such a big issue at Google that Chrome engineers now have to follow “The Rule of 2.”

According to this rule, whenever engineers write a new Chrome feature, their code must not combine more than two of the following conditions:

  • The code handles untrustworthy inputs
  • The code runs with no sandbox
  • The code is written in an unsafe programming language (C/C++)

[Figure: rule-of-two.png. Image: Google]

While software companies have tried before to fix C and C++’s memory management problems, Mozilla has been the one that made a breakthrough by sponsoring, promoting and heavily adopting the Rust programming language in Firefox.

Today, Rust is considered one of the safest programming languages, and an ideal replacement for C and C++, primarily due to Mozilla’s early efforts.

But Mozilla has not been the only organization that has had enough of dealing with bug-prone C and C++ code.

Microsoft is also heavily investing in exploring C and C++ alternatives. From its early Checked C project, the company is now experimenting with Rust, and is also building its own Rust-like “safe” programming language (part of the secretive Project Verona).

Speaking at the Build virtual conference this week, Microsoft said these two efforts have been successful, and the company re-dedicated itself to adopting a safe programming language in the future.

But this week, Google announced similar plans as well. The company said it also plans to look into “tackling the memory unsafety problem” for Chrome, today’s most popular web browser, used by almost 70% of internet users.

Chrome has reached peak sandboxing

Until today, Google engineers have been ardent supporters of the sandbox approach in Chrome. They isolated tens of processes into their own sandbox, and have recently rolled out Site Isolation, a feature that puts each site’s resources into its own sandboxed process as well.

However, Google engineers say that their approach to sandboxing Chrome’s components has reached its maximum benefits when taking performance into account, and that the company must now look to new approaches.

Going forward, Google says it plans to look into developing custom C++ libraries to use with Chrome’s codebase, libraries that have better protections against memory-related bugs.

The browser maker is also exploring the MiraclePtr project, which aims to turn “exploitable use-after-free bugs into non-security crashes with acceptable performance, memory, binary size and minimal stability impact.”
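
To make the goal in that quote concrete, here is an added example (not Chrome's code, and not MiraclePtr's mechanism, which the article does not describe) of a different, well-known technique: generation-checked handles. The names `pool_acquire`, `pool_get` and `pool_release` are hypothetical; a stale reference is rejected instead of reaching memory that has been released and reused.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POOL_SLOTS 4

/* A handle replaces a raw pointer: slot index plus the generation it was issued for. */
typedef struct { uint32_t index; uint32_t generation; } handle_t;

typedef struct {
    uint32_t generation;  /* bumped on every release, so old handles stop matching */
    int      live;        /* 1 while the slot is allocated */
    char     name[32];    /* payload (constructed sample data) */
} slot_t;

static slot_t pool[POOL_SLOTS];

/* Allocate a slot; returns 0 on success, -1 if the pool is full. */
int pool_acquire(const char *name, handle_t *out) {
    for (uint32_t i = 0; i < POOL_SLOTS; i++) {
        if (!pool[i].live) {
            pool[i].live = 1;
            snprintf(pool[i].name, sizeof pool[i].name, "%s", name);
            *out = (handle_t){ i, pool[i].generation };
            return 0;
        }
    }
    return -1;
}

/* Resolve a handle; returns NULL for stale, released or out-of-range handles. */
const char *pool_get(handle_t h) {
    if (h.index >= POOL_SLOTS) return NULL;
    slot_t *s = &pool[h.index];
    if (!s->live || s->generation != h.generation) return NULL;
    return s->name;
}

/* Release a slot; returns 0 on success, -1 on a stale handle (double free caught). */
int pool_release(handle_t h) {
    if (pool_get(h) == NULL) return -1;
    pool[h.index].live = 0;
    pool[h.index].generation++;          /* invalidates every outstanding handle */
    memset(pool[h.index].name, 0, sizeof pool[h.index].name);
    return 0;
}
```

The 32-bit generation wraps after 2^32 releases of one slot, so a long-lived system needs a wider counter or slot retirement. Code that wants the "non-security crash" behaviour would abort on a `NULL` lookup rather than continue.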

And last, but not least, Google also said it plans to explore using “safe” languages, where possible. Candidates include Rust, Swift, JavaScript, Kotlin, and Java.

Credit: Zdnet
