Google pursuing out-of-the-sandbox Chrome memory bugs fixes

by Don Sharpe

  • Google is looking for ways other than sandboxing to solve persistent Chrome memory bugs.
  • The Chromium team seeks to solve memory vulnerabilities at the source, which includes custom C++ libraries. 

Google is looking for ways other than sandboxing to solve persistent Chrome memory bugs. The problem the Chromium team is addressing has something to do with liberal memory management in programming languages like C++ and C.

These languages give developers plenty of leeway when working with pointers and memory initialization. That freedom helps application performance, but attackers take advantage of it.

Solving Chrome memory bugs requires more than just sandboxing

A report by the Chromium team revealed that 70% of high-severity Chrome bugs stem from memory safety problems in the browser's C and C++ code.

Also, the study found 36.1% of the bugs to be of the use-after-free variety. In a use-after-free, a program keeps using a region of memory after it has been freed.

Exploiting such a bug can lead to anything from a crash to the execution of arbitrary code. Attackers have used use-after-free bugs to carry out remote code execution (RCE) attacks.
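To make the use-after-free class concrete, the following added example (not code from the article or from Chromium) sketches a minimal "checked pointer" in the spirit of the custom C++ libraries mentioned later: a non-owning pointer consults a liveness flag shared with the owner and fails deterministically once the object is freed, instead of silently reading freed memory. The names `Liveness`, `Owner`, `CheckedPtr` and `Session` are hypothetical.

```cpp
// Added illustration (hypothetical design, not Chromium's library): a checked
// pointer that turns a use-after-free into a deterministic, detectable failure.
#include <memory>
#include <stdexcept>
#include <string>

// Liveness flag shared between the owner and every checked pointer to it.
struct Liveness { bool alive = true; };

// Owning handle: frees the object and flips the flag so dangling pointers know.
template <typename T>
class Owner {
 public:
  explicit Owner(T* obj) : obj_(obj), live_(std::make_shared<Liveness>()) {}
  Owner(const Owner&) = delete;
  Owner& operator=(const Owner&) = delete;
  ~Owner() { reset(); }
  void reset() { if (obj_) { live_->alive = false; delete obj_; obj_ = nullptr; } }
  T* raw() const { return obj_; }
  std::shared_ptr<Liveness> liveness() const { return live_; }
 private:
  T* obj_;
  std::shared_ptr<Liveness> live_;
};

// Non-owning pointer that refuses to dereference an object already freed.
template <typename T>
class CheckedPtr {
 public:
  explicit CheckedPtr(const Owner<T>& o) : ptr_(o.raw()), live_(o.liveness()) {}
  T* operator->() const {
    if (!live_->alive) throw std::logic_error("use-after-free detected");
    return ptr_;
  }
  bool alive() const { return live_->alive; }
 private:
  T* ptr_;
  std::shared_ptr<Liveness> live_;
};

struct Session { std::string user; };   // constructed sample object type

// Models the bug class from the article: a pointer kept past the owner's free.
// Returns true when the dangling dereference is caught rather than reading freed memory.
bool DetectsUseAfterFree() {
  Owner<Session> owner(new Session{"alice"});
  CheckedPtr<Session> p(owner);
  bool valid_read = (p->user == "alice");   // access while alive succeeds
  owner.reset();                             // object freed; p now dangles
  try { (void)p->user; }                     // would be a silent UAF with a raw pointer
  catch (const std::logic_error&) { return valid_read && !p.alive(); }
  return false;
}
```

The cost of the flag and the check is the kind of overhead such a library trades for removing the bug class rather than containing it.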

Just like many other software giants, Google has been using sandboxing to handle Chrome security issues.

But the company says that advanced security threats have stretched sandboxing capabilities to the limit. Usually, the technique prevents arbitrary code from executing outside of a specific environment.

So, if an attacker successfully breaches Chrome security, they should not be able to move their code to other environments, such as the user’s PC.

But sandboxing, and site isolation in particular, is process-intensive, so it carries a cost in overall system performance.

In any case, the approach only contains malicious code that has already reached the browser; it does not remove the bug that let it in.

Google is therefore looking for ways to address Chrome memory bugs at the point of origin.

We’re tackling the memory unsafety problem — fixing classes of bugs at scale, rather than merely containing them — by any and all means necessary.

The Chromium project is now looking for solutions in places like custom C++ libraries, hardware mitigations, and also the use of safer languages.

However, Google is not the only company looking for more effective ways to eliminate memory bugs.

Microsoft, for example, is currently working to solve memory initialization vulnerabilities in C++ applications.
