Welcome again to our newest replace on MiraclePtr, our mission to guard in opposition to use-after-free vulnerabilities in Google Chrome. If you want a refresher, you may learn our earlier weblog submit detailing MiraclePtr and its aims.
We are thrilled to announce that since our final replace, we have now efficiently enabled MiraclePtr for extra platforms and processes:
- In June 2022, we enabled MiraclePtr for the browser course of on Windows and Android.
- In September 2022, we expanded its protection to incorporate all processes besides renderer processes.
- In June 2023, we enabled MiraclePtr for ChromeOS, macOS, and Linux.
Furthermore, we have now modified safety pointers to downgrade MiraclePtr-protected points by one severity stage!
First let’s give attention to its safety affect. Our evaluation relies on two main info sources: incoming vulnerability experiences and crash experiences from consumer gadgets. Let’s take a better have a look at every of those sources and the way they inform our understanding of MiraclePtr’s effectiveness.
Bug experiences
Chrome vulnerability experiences come from numerous sources, similar to:
For the needs of this evaluation, we give attention to vulnerabilities that have an effect on platforms the place MiraclePtr was enabled on the time the problems had been reported. We additionally exclude bugs that happen inside a sandboxed renderer course of. Since the preliminary launch of MiraclePtr in 2022, we have now obtained 168 use-after-free experiences matching our standards.
What does the info inform us? MiraclePtr successfully mitigated 57% of those use-after-free vulnerabilities in privileged processes, exceeding our preliminary estimate of fifty%. Reaching this stage of effectiveness, nonetheless, required further work. For occasion, we not solely rewrote class fields to make use of MiraclePtr, as mentioned within the earlier submit, but additionally added MiraclePtr help for certain perform arguments, similar to Unretained pointers. These pointers have been a big supply of use-after-frees in Chrome, and the extra safety allowed us to mitigate 39 extra points.
Moreover, these vulnerability experiences allow us to pinpoint areas needing enchancment. We’re actively engaged on including help for choose third-party libraries which have been a supply of use-after-free bugs, in addition to creating a extra superior rewriter instrument that may deal with transformations like changing std::vector<T*> into std::vector<raw_ptr<T>>. We’ve additionally made a number of smaller fixes, similar to extending the lifetime of the duty state object to cowl a number of points within the “this pointer” class.
Crash experiences
Crash experiences supply a unique perspective on MiraclePtr’s effectiveness. As defined within the earlier weblog submit, when an allocation is quarantined, its contents are overwritten with a particular bit sample. If the allocation is used later, the sample will typically be interpreted as an invalid reminiscence tackle, inflicting a crash when the method makes an attempt to entry reminiscence at that tackle. Since the dereferenced tackle stays inside a small, predictable reminiscence vary, we will distinguish MiraclePtr crashes from different crashes.
Although this method has its limitations — similar to not with the ability to get hold of stack traces from allocation and deallocation instances like AddressSanitizer does — it has enabled us to detect and repair vulnerabilities. Last 12 months, six essential severity vulnerabilities had been recognized within the default setup of Chrome Stable, the model most individuals use. Impressively, 5 of the six had been found whereas investigating MiraclePtr crash experiences! One significantly fascinating instance is CVE-2022-3038. The challenge was found via MiraclePtr crash experiences and stuck in Chrome 105. Several months later, Google’s Threat Analysis Group discovered an exploit for that vulnerability used within the wild in opposition to shoppers of a unique Chromium-based browser that hadn’t shipped the repair but.
To additional improve our crash evaluation capabilities, we have just lately launched an experimental function that permits us to gather further info for MiraclePtr crashes, together with stack traces. This successfully shortens the typical crash report investigation time.
MiraclePtr allows us to have sturdy safety in opposition to use-after-free bug exploits, however there’s a efficiency price related to it. Therefore, we have now carried out experiments on every platform the place we have now shipped MiraclePtr, which we utilized in our decision-making course of.
The most important price of MiraclePtr is reminiscence. Specifically, the reminiscence utilization of the browser course of elevated by 5.5-8% on desktop platforms and roughly 2% on Android. Yet, when inspecting the holistic reminiscence utilization throughout all processes, the affect stays inside a average 1-3% vary to decrease percentiles solely.
The most important reason behind the extra reminiscence utilization is the additional measurement to allocate the reference rely. One may assume that including 4 bytes to every allocation wouldn’t be a giant deal. However, there are a lot of small allocations in Chrome, so even the 4B overhead isn’t negligible. Moreover, PartitionAlloc additionally makes use of pre-defined allocation bucket sizes, so this additional 4B pushes sure allocations (significantly power-of-2 sized) into a bigger bucket, e.g. 4096B → 5120B.
We additionally thought of the efficiency price. We verified that there have been no regressions to nearly all of our top-level efficiency metrics, together with all the web page load metrics, like Largest Contentful Paint, First Contentful Paint and Cumulative Layout Shift. We did discover a number of regressions, similar to a ten% enhance within the 99th percentile of the browser course of most important thread competition metric, a 1.5% regression in First Input Delay on ChromeOS, and a 1.5% regression in tab startup time on Android. The most important thread competition metric tries to estimate how typically a consumer enter could be delayed and so for instance on Windows this was a change from 1.6% to 1.7% on the 99th percentile solely. These are all minor regressions. There has been zero change in every day energetic utilization, and we don’t anticipate these regressions to have any noticeable affect on customers.
In abstract, MiraclePtr has confirmed to be efficient in mitigating use-after-free vulnerabilities and enhancing the general safety of the Chrome browser. While there are efficiency prices related to the implementation of MiraclePtr, our evaluation means that the advantages by way of safety enhancements far outweigh these. We are dedicated to repeatedly refining and increasing the function to cowl extra areas. For instance we’re working so as to add protection to third-party libraries utilized by the GPU course of, and we plan to allow BRP on the renderer course of. By sharing our findings and experiences, we hope to contribute to the broader dialog surrounding browser safety and encourage additional innovation on this essential space.