Tuesday, November 19, 2024

Protecting users from use-after-free vulnerabilities on more platforms

Welcome back to our latest update on MiraclePtr, our project to protect against use-after-free vulnerabilities in Google Chrome. If you need a refresher, you can read our previous blog post detailing MiraclePtr and its objectives.

We're thrilled to announce that since our last update, we have successfully enabled MiraclePtr for more platforms and processes:

  • In June 2022, we enabled MiraclePtr for the browser process on Windows and Android.
  • In September 2022, we expanded its coverage to include all processes except renderer processes.
  • In June 2023, we enabled MiraclePtr for ChromeOS, macOS, and Linux.

Additionally, we have changed the security guidelines to downgrade MiraclePtr-protected issues by one severity level!

First let's focus on its security impact. Our analysis is based on two primary data sources: incoming vulnerability reports and crash reports from user devices. Let's take a closer look at each of these sources and how they inform our understanding of MiraclePtr's effectiveness.

Bug reports

Chrome vulnerability reports come from various sources, such as:

For the purposes of this analysis, we focus on vulnerabilities that affect platforms where MiraclePtr was enabled at the time the issues were reported. We also exclude bugs that occur inside a sandboxed renderer process. Since the initial launch of MiraclePtr in 2022, we have received 168 use-after-free reports matching our criteria.

What does the data tell us? MiraclePtr effectively mitigated 57% of these use-after-free vulnerabilities in privileged processes, exceeding our initial estimate of 50%. Achieving this level of effectiveness, however, required additional work. For instance, we not only rewrote class fields to use MiraclePtr, as discussed in the previous post, but also added MiraclePtr support for certain function arguments, such as Unretained pointers. These pointers have been a significant source of use-after-frees in Chrome, and the additional protection allowed us to mitigate 39 more issues.

Moreover, these vulnerability reports let us pinpoint areas needing improvement. We are actively working on adding support for select third-party libraries that have been a source of use-after-free bugs, as well as developing a more advanced rewriter tool that can handle transformations like converting std::vector<T*> into std::vector<raw_ptr<T>>. We have also made several smaller fixes, such as extending the lifetime of the task state object to cover several issues in the "this pointer" category.

Crash reports

Crash reports offer a different perspective on MiraclePtr's effectiveness. As explained in the previous blog post, when an allocation is quarantined, its contents are overwritten with a special bit pattern. If the allocation is used later, the pattern will usually be interpreted as an invalid memory address, causing a crash when the process attempts to access memory at that address. Since the dereferenced address stays within a small, predictable memory range, we can distinguish MiraclePtr crashes from other crashes.
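To make the mechanism concrete, here is a toy model of BackupRefPtr (the MiraclePtr implementation behind the raw_ptr<T> rewrite mentioned above), written as an added example for this page; it is not Chromium's code. It assumes a fixed 64-byte slot, an 8-byte header carrying the reference count, 0xEF as the poison byte and a 4 KiB window for the "predictable range" check; Chromium's real layout, sizes and constants differ. A raw_ptr<Node> outlives the object it points to, the freed slot is poisoned and quarantined instead of being reused, the stale read yields the poison pattern as a pointer value, and LooksLikeMiraclePtrCrash shows how crash triage can recognise such a fault address.

```cpp
// Toy model of BackupRefPtr, the MiraclePtr implementation behind raw_ptr<T>.
// Added illustration, not Chromium code: the header layout, slot size, poison
// byte and "predictable range" check are simplifying assumptions.
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <cstring>
#include <new>

namespace brp_toy {
// Hidden per-allocation header: the extra bytes the memory-cost section covers.
struct Header {
  uint32_t ref_count;    // raw_ptr<T> instances currently pointing at the slot
  uint32_t quarantined;  // 1 once Free() ran while ref_count was non-zero
};

constexpr size_t kSlotSize = 64;                  // assumed fixed user size
constexpr unsigned char kQuarantinedByte = 0xEF;  // assumed poison pattern
constexpr uintptr_t kPoisonWindow = 4096;         // assumed max field offset
// Pointer value a read of poisoned memory yields: every byte 0xEF.
constexpr uintptr_t kPoisonAddress = ~uintptr_t{0} / 0xFF * kQuarantinedByte;
int g_live_slots = 0;  // slots whose backing memory has not been released

inline Header* HeaderOf(void* slot) {
  return reinterpret_cast<Header*>(static_cast<char*>(slot) - sizeof(Header));
}

inline void* Alloc() {
  auto* mem = static_cast<char*>(std::malloc(sizeof(Header) + kSlotSize));
  new (mem) Header{0, 0};
  ++g_live_slots;
  return mem + sizeof(Header);
}

inline void ReleaseSlot(Header* h) { std::free(h); --g_live_slots; }

// Release at once if nothing references the slot; otherwise overwrite it with
// the poison byte and keep it quarantined until the last raw_ptr lets go.
inline void Free(void* slot) {
  Header* h = HeaderOf(slot);
  if (h->ref_count == 0) { ReleaseSlot(h); return; }
  std::memset(slot, kQuarantinedByte, kSlotSize);
  h->quarantined = 1;
}

template <typename T>
class raw_ptr {
 public:
  explicit raw_ptr(T* p) : ptr_(p) { Acquire(); }
  raw_ptr(const raw_ptr& o) : ptr_(o.ptr_) { Acquire(); }
  raw_ptr& operator=(const raw_ptr&) = delete;  // kept minimal for the example
  ~raw_ptr() { Drop(); }
  T* operator->() const { return ptr_; }

 private:
  void Acquire() { if (ptr_) ++HeaderOf(ptr_)->ref_count; }
  void Drop() {
    if (!ptr_) return;
    Header* h = HeaderOf(ptr_);
    if (--h->ref_count == 0 && h->quarantined) ReleaseSlot(h);
    ptr_ = nullptr;
  }
  T* ptr_;
};

// Crash triage: a fault in [kPoisonAddress, kPoisonAddress + kPoisonWindow)
// is the signature of a dereference through a quarantined allocation.
inline bool LooksLikeMiraclePtrCrash(uintptr_t fault_address) {
  return fault_address >= kPoisonAddress &&
         fault_address - kPoisonAddress < kPoisonWindow;
}

struct Node { Node* next; int value; };

// Use-after-free through raw_ptr<Node>: the stale read yields the poison
// pattern, not reused memory. Returns the address `next->value` would fault on.
inline uintptr_t DanglingReadAddress() {
  Node* n = new (Alloc()) Node{nullptr, 42};
  raw_ptr<Node> dangling(n);
  Free(n);                      // ref_count is 1, so the slot is quarantined
  Node* next = dangling->next;  // reads 0xEFEF...EF, not attacker-controlled data
  return reinterpret_cast<uintptr_t>(next) + offsetof(Node, value);
}  // dangling's destructor drops the last reference and releases the slot

// Free() releases an unreferenced slot at once but keeps a referenced slot
// owned (and poisoned) until the last raw_ptr is gone.
inline bool QuarantinePolicyHolds() {
  int before = g_live_slots;
  Free(Alloc());                           // no references: released now
  if (g_live_slots != before) return false;
  Node* n = new (Alloc()) Node{nullptr, 7};
  {
    raw_ptr<Node> keep(n);
    Free(n);                               // referenced: memory still owned
    if (g_live_slots != before + 1) return false;
  }
  return g_live_slots == before;           // released when `keep` went away
}
}  // namespace brp_toy
```

Two things the model makes visible: the quarantine is what turns an exploitable use-after-free into a read of a constant pattern, and the resulting fault address (0xEFEF...EF plus a small field offset) is what lets crash triage separate these reports from ordinary crashes. Real BackupRefPtr folds the count into PartitionAlloc's slot metadata and handles pointer arithmetic and end-of-slot pointers, which this toy ignores.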

Although this approach has its limitations, such as not being able to obtain stack traces from allocation and deallocation events the way AddressSanitizer does, it has enabled us to detect and fix vulnerabilities. Last year, six critical severity vulnerabilities were identified in the default setup of Chrome Stable, the version most people use. Impressively, five of the six were discovered while investigating MiraclePtr crash reports! One particularly interesting example is CVE-2022-3038. The issue was discovered through MiraclePtr crash reports and fixed in Chrome 105. Several months later, Google's Threat Analysis Group discovered an exploit for that vulnerability used in the wild against users of a different Chromium-based browser that hadn't shipped the fix yet.

To further enhance our crash analysis capabilities, we have recently launched an experimental feature that lets us collect additional information for MiraclePtr crashes, including stack traces. This effectively shortens the average crash report investigation time.

MiraclePtr gives us robust protection against use-after-free exploits, but there is a performance cost associated with it. Therefore, we have carried out experiments on each platform where we have shipped MiraclePtr, which we used in our decision-making process.

The main cost of MiraclePtr is memory. Specifically, the memory usage of the browser process increased by 5.5-8% on desktop platforms and roughly 2% on Android. Yet, when analyzing the holistic memory usage across all processes, the impact remains within a moderate 1-3% range, and only at lower percentiles.

The main cause of the additional memory usage is the extra space needed to store the reference count. One might think that adding 4 bytes to each allocation wouldn't be a big deal. However, there are many small allocations in Chrome, so even the 4B overhead is not negligible. Moreover, PartitionAlloc uses pre-defined allocation bucket sizes, so this extra 4B pushes certain allocations (particularly power-of-2 sized ones) into a larger bucket, e.g. 4096B → 5120B.
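Here is an added example (not PartitionAlloc's code) that models the bucket effect described above. It assumes buckets at each power of two plus three evenly spaced sizes up to the next power of two, which reproduces the 4096 → 5120 step, and the allocation mix is constructed for the example rather than measured from Chrome. On that mix the naive "four bytes per allocation" estimate comes to about 3.7%, while the bucket-rounded cost comes to about 10.5%, because every power-of-two sized request is pushed into the next bucket.

```cpp
// Model of why a 4-byte reference count costs more than 4 bytes per object.
// Added illustration, not PartitionAlloc code: the bucket scheme (four evenly
// spaced buckets per power-of-two order) and the sample sizes are assumptions.
#include <cstddef>
#include <vector>

namespace bucket_model {
constexpr size_t kMinBucket = 16;    // assumed smallest bucket
constexpr size_t kRefCountSize = 4;  // BackupRefPtr reference count

// Smallest bucket holding `size` bytes: the powers of two plus three evenly
// spaced sizes between each pair, e.g. 4096, 5120, 6144, 7168, 8192.
inline size_t BucketFor(size_t size) {
  if (size <= kMinBucket) return kMinBucket;
  size_t order = kMinBucket;
  while (order < size) order <<= 1;  // next power of two >= size
  size_t bucket = order / 2;         // previous power of two
  size_t step = order / 8;           // a quarter of that previous order
  while (bucket < size) bucket += step;
  return bucket;
}

struct Footprint {
  size_t count = 0;      // number of allocations
  size_t requested = 0;  // bytes asked for
  size_t without = 0;    // bucket bytes committed without the ref count
  size_t with = 0;       // bucket bytes committed with the ref count added
};

// Bucket footprint of a set of requests, with and without BRP's ref count.
inline Footprint Measure(const std::vector<size_t>& requests) {
  Footprint f;
  for (size_t r : requests) {
    ++f.count;
    f.requested += r;
    f.without += BucketFor(r);
    f.with += BucketFor(r + kRefCountSize);
  }
  return f;
}

// Overhead in tenths of a percent (55 means 5.5%).
inline size_t NaivePerMille(const Footprint& f) {   // "just 4 bytes each"
  return f.count * kRefCountSize * 1000 / f.without;
}
inline size_t ActualPerMille(const Footprint& f) {  // after bucket rounding
  return (f.with - f.without) * 1000 / f.without;
}

// Constructed sample: lots of small objects, a few page-sized buffers.
// The mix is made up for this example, not measured from Chrome.
inline std::vector<size_t> SampleRequests() {
  std::vector<size_t> v;
  v.insert(v.end(), 1000, 24);   // 24 -> 28: pays exactly the 4 bytes
  v.insert(v.end(), 1000, 32);   // power of two: 32 -> 40 bucket
  v.insert(v.end(), 1000, 100);  // 100 and 104 both land in the 112 bucket
  v.insert(v.end(), 500, 64);    // power of two: 64 -> 80 bucket
  v.insert(v.end(), 100, 1000);  // 1000 and 1004 both land in 1024
  v.insert(v.end(), 20, 4096);   // page-sized: 4096 -> 5120 bucket
  return v;
}
}  // namespace bucket_model
```

The gap between NaivePerMille and ActualPerMille is the point: the cost of the reference count depends on how many requests sit exactly at a bucket boundary, not on the 4 bytes themselves. Chrome's real size distribution is far more varied than this sample, which is why the measured browser-process overhead is the 5.5-8% quoted above rather than the sample's figure.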

We also considered the performance cost. We verified that there were no regressions in the majority of our top-level performance metrics, including all the page load metrics, like Largest Contentful Paint, First Contentful Paint and Cumulative Layout Shift. We did find a few regressions, such as a 10% increase in the 99th percentile of the browser process main thread contention metric, a 1.5% regression in First Input Delay on ChromeOS, and a 1.5% regression in tab startup time on Android. The main thread contention metric tries to estimate how often a user input can be delayed, so for example on Windows this was a change from 1.6% to 1.7% at the 99th percentile only. These are all minor regressions. There was zero change in daily active usage, and we don't expect these regressions to have any noticeable impact on users.

In summary, MiraclePtr has proven to be effective in mitigating use-after-free vulnerabilities and enhancing the overall security of the Chrome browser. While there are performance costs associated with the implementation of MiraclePtr, our analysis suggests that the benefits in terms of security improvements far outweigh them. We are committed to continually refining and expanding the feature to cover more areas. For example, we are working to add coverage to third-party libraries used by the GPU process, and we plan to enable BRP (BackupRefPtr, the MiraclePtr implementation) in the renderer process. By sharing our findings and experiences, we hope to contribute to the broader conversation surrounding browser security and encourage further innovation in this critical area.
