Protecting users from use-after-free vulnerabilities on more platforms

Posted by Keishi Hattori, Sergei Glazunov, Bartek Nowierski on behalf of the MiraclePtr team
Welcome back to our latest update on MiraclePtr, our project to protect against use-after-free vulnerabilities in Google Chrome. If you need a refresher, you can read our previous blog post detailing MiraclePtr and its objectives.

We're thrilled to announce that since our last update, we have successfully enabled MiraclePtr for more platforms and processes:

In June 2022, we enabled MiraclePtr for the browser process on Windows and Android.

In September 2022, we expanded its coverage to include all processes except renderer processes.

In June 2023, we enabled MiraclePtr for ChromeOS, macOS, and Linux.

Furthermore, we have changed our security guidelines to downgrade MiraclePtr-protected issues by one severity level!

First, let's focus on its security impact. Our analysis is based on two primary information sources: incoming vulnerability reports and crash reports from user devices. Let's take a closer look at each of these sources and how they inform our understanding of MiraclePtr's effectiveness.

Bug reports

Chrome vulnerability reports come from various sources, such as:

For the purposes of this analysis, we focus on vulnerabilities that affect platforms where MiraclePtr was enabled at the time the issues were reported. We also exclude bugs that occur inside a sandboxed renderer process. Since the initial launch of MiraclePtr in 2022, we have received 168 use-after-free reports matching our criteria.

What does the data tell us? MiraclePtr effectively mitigated 57% of these use-after-free vulnerabilities in privileged processes, exceeding our initial estimate of 50%. Reaching this level of effectiveness, however, required additional work. For instance, we not only rewrote class fields to use MiraclePtr, as discussed in the previous post, but also added MiraclePtr support for certain function arguments, such as Unretained pointers. These pointers have been a significant source of use-after-frees in Chrome, and the additional protection allowed us to mitigate 39 more issues.

Moreover, these vulnerability reports let us pinpoint areas needing improvement. We're actively working on adding support for select third-party libraries that have been a source of use-after-free bugs, as well as developing a more advanced rewriter tool that can handle transformations like converting std::vector<T*> into std::vector<raw_ptr<T>>. We've also made several smaller fixes, such as extending the lifetime of the task state object to cover several issues in the "this pointer" category.

Crash reports

Crash reports offer a different perspective on MiraclePtr's effectiveness. As explained in the previous blog post, when an allocation is quarantined, its contents are overwritten with a special bit pattern. If the allocation is used later, the pattern will usually be interpreted as an invalid memory address, causing a crash when the process attempts to access memory at that address. Since the dereferenced address stays within a small, predictable memory range, we can distinguish MiraclePtr crashes from other crashes.
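To make the quarantine-and-poison mechanism concrete, here is a toy model written for this post (example code, not Chrome's BackupRefPtr implementation): a reference count in a header ahead of each allocation, a raw_ptr<T> that bumps it, quarantine-and-poison on free, and the crash-address check a triager would apply. The 0xEF poison byte, the 16-byte header layout, the 4096-byte classification window and the 64-bit build are assumptions made for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <cstring>
#include <new>
// Toy model of the scheme above: a reference count sits in a header ahead of
// each allocation, raw_ptr<T> bumps it, and freeing a still-referenced object
// quarantines and poisons it instead of releasing it (values are assumptions).
constexpr unsigned char kPoisonByte = 0xEF;  // assumed, not Chrome's pattern
struct alignas(16) Header { uint32_t ref_count; uint32_t size; bool freed; };
Header* HeaderOf(void* p) { return reinterpret_cast<Header*>(p) - 1; }
void* AllocTracked(uint32_t n) {
  Header* h = static_cast<Header*>(std::malloc(sizeof(Header) + n));
  *h = Header{0, n, false};
  return h + 1;  // payload follows the 16-byte header
}
void FreeTracked(void* p) {
  Header* h = HeaderOf(p);
  if (h->ref_count == 0) { std::free(h); return; }  // no raw_ptr holds it
  h->freed = true;                                  // quarantine instead
  std::memset(p, kPoisonByte, h->size);             // dangling reads see poison
}

template <typename T> class raw_ptr {
 public:
  explicit raw_ptr(T* p) : p_(p) { HeaderOf(p_)->ref_count++; }
  ~raw_ptr() {
    Header* h = HeaderOf(p_);
    if (--h->ref_count == 0 && h->freed) std::free(h);  // last ref releases
  }
  T* operator->() const { return p_; }
 private:
  T* p_;
};

struct Node { Node* next; int value; };
// A pointer read from poisoned memory is 8 x kPoisonByte, so touching one of
// its members faults at poison + member offset: a small, predictable range a
// crash triager can attribute to a MiraclePtr-caught use-after-free.
constexpr uintptr_t kPoisonAddr = 0xEFEFEFEFEFEFEFEFull;  // assumes 64-bit
bool IsMiraclePtrCrashAddress(uintptr_t fault_addr) {
  return fault_addr >= kPoisonAddr && fault_addr - kPoisonAddr < 4096;  // assumed window
}
// Simulates a dangling use; returns the address that would fault, untouched.
uintptr_t SimulateDanglingAccess() {
  raw_ptr<Node> keep(new (AllocTracked(sizeof(Node))) Node{nullptr, 7});
  FreeTracked(keep.operator->());   // freed while `keep` still references it
  Node* next = keep->next;          // reads poison, not reused memory
  return reinterpret_cast<uintptr_t>(next) + offsetof(Node, value);
}
```

Because the quarantined block is never handed back to the allocator while a raw_ptr references it, the dangling read observes the poison rather than whatever object would otherwise have been placed there.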

Although this approach has its limitations (it cannot obtain stack traces from allocation and deallocation events the way AddressSanitizer does), it has enabled us to detect and fix vulnerabilities. Last year, six critical severity vulnerabilities were identified in the default setup of Chrome Stable, the version most people use. Impressively, five of the six were discovered while investigating MiraclePtr crash reports! One particularly interesting example is CVE-2022-3038. The issue was discovered through MiraclePtr crash reports and fixed in Chrome 105. Several months later, Google's Threat Analysis Group discovered an exploit for that vulnerability used in the wild against users of a different Chromium-based browser that hadn't shipped the fix yet.

To further enhance our crash analysis capabilities, we've recently launched an experimental feature that lets us collect additional information for MiraclePtr crashes, including stack traces. This effectively shortens the average crash report investigation time.

MiraclePtr gives us robust protection against use-after-free exploits, but there is a performance cost associated with it. Therefore, we have conducted experiments on each platform where we have shipped MiraclePtr, and used the results in our decision-making process.

The main cost of MiraclePtr is memory. Specifically, the memory usage of the browser process increased by 5.5-8% on desktop platforms and approximately 2% on Android. Yet, when examining the holistic memory usage across all processes, the impact remains within a moderate 1-3% range at the lower percentiles only.

The primary cause of the additional memory usage is the extra space needed to store the reference count. One might think that adding 4 bytes to each allocation wouldn't be a big deal. However, there are many small allocations in Chrome, so even the 4B overhead is not negligible. Moreover, PartitionAlloc uses pre-defined allocation bucket sizes, so this extra 4B pushes certain allocations (particularly power-of-2 sized ones) into a larger bucket, e.g. 4096B → 5120B.

We also considered the CPU cost. We verified that there were no regressions in the majority of our top-level performance metrics, including all of the page load metrics, such as Largest Contentful Paint, First Contentful Paint and Cumulative Layout Shift. We did find a few regressions, such as a 10% increase in the 99th percentile of the browser process main thread contention metric, a 1.5% regression in First Input Delay on ChromeOS, and a 1.5% regression in tab startup time on Android. The main thread contention metric tries to estimate how often a user input could be delayed, so for example on Windows this was a change from 1.6% to 1.7% at the 99th percentile only. These are all minor regressions. There was zero change in daily active usage, and we don't anticipate these regressions to have any noticeable impact on users.

In summary, MiraclePtr has proven to be effective in mitigating use-after-free vulnerabilities and improving the overall security of the Chrome browser. While there are performance costs associated with the implementation of MiraclePtr, our analysis suggests that the benefits in terms of security improvements far outweigh them. We're committed to continuously refining and expanding the feature to cover more areas. For example, we're working to add coverage to third-party libraries used by the GPU process, and we plan to enable BRP in the renderer process. By sharing our findings and experiences, we hope to contribute to the broader conversation surrounding browser security and inspire further innovation in this crucial area.
