Welcome back to our latest update on MiraclePtr, our project to protect against use-after-free vulnerabilities in Google Chrome. If you need a refresher, you can read our previous blog post detailing MiraclePtr and its objectives.
We're thrilled to announce that since our last update, we've successfully enabled MiraclePtr for more platforms and processes:
- In June 2022, we enabled MiraclePtr for the browser process on Windows and Android.
- In September 2022, we expanded its coverage to include all processes except renderer processes.
- In June 2023, we enabled MiraclePtr for ChromeOS, macOS, and Linux.
Additionally, we've changed the security guidelines to downgrade MiraclePtr-protected issues by one severity level!
First, let's focus on its security impact. Our analysis is based on two primary sources of information: incoming vulnerability reports and crash reports from user devices. Let's take a closer look at each of these sources and how they inform our understanding of MiraclePtr's effectiveness.
Bug reports
Chrome vulnerability reports come from various sources, such as:
For the purposes of this analysis, we focus on vulnerabilities that affect platforms where MiraclePtr was enabled at the time the issues were reported. We also exclude bugs that occur inside a sandboxed renderer process. Since the initial launch of MiraclePtr in 2022, we've received 168 use-after-free reports matching our criteria.
What does the data tell us? MiraclePtr effectively mitigated 57% of these use-after-free vulnerabilities in privileged processes, exceeding our initial estimate of 50%. Reaching this level of effectiveness, however, required additional work. For instance, we not only rewrote class fields to use MiraclePtr, as discussed in the previous post, but also added MiraclePtr support for bound function arguments, such as Unretained pointers. These pointers have been a significant source of use-after-frees in Chrome, and the additional protection allowed us to mitigate 39 more issues.
Moreover, these vulnerability reports let us pinpoint areas needing improvement. We're actively working on adding support for select third-party libraries that have been a source of use-after-free bugs, as well as developing a more advanced rewriter tool that can handle transformations like converting std::vector<T*> into std::vector<raw_ptr<T>>. We have also made several smaller fixes, such as extending the lifetime of the task state object to cover several issues in the "this pointer" category.
Crash reports
Crash reports offer a different perspective on MiraclePtr's effectiveness. As explained in the previous blog post, when an allocation is quarantined, its contents are overwritten with a special bit pattern. If the allocation is used later, the pattern will usually be interpreted as an invalid memory address, causing a crash when the process attempts to access memory at that address. Since the dereferenced address stays within a small, predictable memory range, we can distinguish MiraclePtr crashes from other crashes.
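The following is an added example, not code from Chromium or from this post: a deliberately small, stand-alone model of the BackupRefPtr scheme that the two passages above describe, with a reference count stored alongside each allocation, raw_ptr<T> fields (or bound callback arguments) that increment it, and a free path that poisons and quarantines the slot while references remain. The 0xEF poison byte, the slot layout, the 4096-byte crash-address window and every function name below are assumptions of this model, not Chromium's values.

```cpp
// Added example: a stand-alone model of MiraclePtr's BackupRefPtr (BRP) scheme.
// NOT Chromium's code. The 0xEF poison byte, the slot layout, the crash-address
// window and every name below are assumptions made for illustration.
#include <cstdint>
#include <cstdlib>
#include <cstring>
#include <new>
#include <type_traits>
#include <utility>

namespace brp_model {

constexpr uint8_t kQuarantinedByte = 0xEF;     // assumed poison byte
constexpr uint32_t kOwnedBit = 1u << 31;       // set until the owner frees the slot

// The 4-byte reference count each protected allocation pays for. This model stores
// it right after the object; PartitionAlloc keeps it in the slot's metadata instead.
struct Slot { uint32_t word; };                // bit 31: owned, bits 0..30: live raw_ptrs

static size_t g_live_slots = 0;                // allocations whose memory is not yet returned
size_t LiveSlots() { return g_live_slots; }

template <typename T> Slot* SlotOf(T* obj) {
  return reinterpret_cast<Slot*>(reinterpret_cast<char*>(obj) + sizeof(T));
}

template <typename T, typename... Args> T* Alloc(Args&&... args) {
  static_assert(std::is_trivially_destructible<T>::value && alignof(T) >= alignof(Slot) &&
                sizeof(T) % sizeof(Slot) == 0, "model handles simple 4-byte-aligned types only");
  void* base = std::malloc(sizeof(T) + sizeof(Slot));
  T* obj = new (base) T(std::forward<Args>(args)...);
  SlotOf(obj)->word = kOwnedBit;               // owned, no raw_ptr references yet
  ++g_live_slots;
  return obj;
}

// Owner-side free: poison the contents so a dangling access reads 0xEF..EF instead of
// stale or reused data, then return the memory only if no raw_ptr still refers to it.
template <typename T> void Free(T* obj) {
  Slot* s = SlotOf(obj);
  s->word &= ~kOwnedBit;
  std::memset(static_cast<void*>(obj), kQuarantinedByte, sizeof(T));
  if (s->word == 0) { std::free(obj); --g_live_slots; }   // else: quarantined until last ref
}

// Drop-in for T* class fields (and bound callback arguments): bumps the slot's count.
template <typename T> class raw_ptr {
 public:
  raw_ptr() = default;
  raw_ptr(T* p) : p_(p) { if (p_) ++SlotOf(p_)->word; }
  raw_ptr(const raw_ptr& o) : raw_ptr(o.p_) {}
  raw_ptr& operator=(T* p) {                   // acquire before release: self-assignment safe
    if (p) ++SlotOf(p)->word;
    reset();
    p_ = p;
    return *this;
  }
  raw_ptr& operator=(const raw_ptr& o) { return *this = o.p_; }
  ~raw_ptr() { reset(); }
  void reset() {
    if (!p_) return;
    if (--SlotOf(p_)->word == 0) { std::free(p_); --g_live_slots; }  // last ref ends quarantine
    p_ = nullptr;
  }
  T* operator->() const { return p_; }
 private:
  T* p_ = nullptr;
};

// A pointer loaded from a quarantined slot is the poison byte repeated; dereferencing it
// faults at that value plus a small field offset. That narrow range is what lets crash
// triage tell a MiraclePtr-caught use-after-free from other crashes (window is an assumption).
constexpr uintptr_t kPoisonPointer = UINTPTR_MAX / 0xFF * kQuarantinedByte;   // 0xEFEF...EF
bool LooksLikeQuarantineDereference(uintptr_t fault_address, uintptr_t window = 4096) {
  uintptr_t diff = fault_address >= kPoisonPointer ? fault_address - kPoisonPointer
                                                    : kPoisonPointer - fault_address;
  return diff < window;
}

struct Node { uint32_t id; uint32_t flags; Node* next; };   // sizeof 16, alignof 8

// A field still refers to an object its owner freed; with BRP the read sees the poison.
uint32_t DanglingIdAfterFree() {
  Node* n = Alloc<Node>(Node{42, 7, nullptr});
  raw_ptr<Node> field = n;
  Free(n);
  return field->id;                            // 0xEFEFEFEF, not stale or reused data
}

// The pointer member reads back as kPoisonPointer; `field->next->id` would fault near it.
uintptr_t DanglingNextAfterFree() {
  Node* n = Alloc<Node>(Node{1, 0, nullptr});
  raw_ptr<Node> field = n;
  Free(n);
  return reinterpret_cast<uintptr_t>(field->next);
}

// Memory is returned the moment the last raw_ptr lets go, not when the owner calls Free().
bool QuarantineEndsWithLastRef() {
  size_t before = LiveSlots();
  {
    Node* n = Alloc<Node>(Node{2, 0, nullptr});
    raw_ptr<Node> a = n, b = a;                // two live references
    Free(n);
    if (LiveSlots() != before + 1) return false;   // quarantined, not released
    a.reset();
    if (LiveSlots() != before + 1) return false;   // b still holds it
  }                                            // b destroyed: slot released
  return LiveSlots() == before;
}

}  // namespace brp_model
```

The property to read off is that `DanglingIdAfterFree()` returns the poison pattern rather than whatever object the allocator would otherwise have placed in the slot, and that a pointer loaded out of a quarantined slot is the poison byte repeated, which is why the fault address of the eventual crash lands in a narrow, recognizable range. Chromium's real implementation differs in detail, for instance in where PartitionAlloc stores the count and in the renderer being excluded.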
Although this approach has its limitations, such as not being able to obtain stack traces from allocation and deallocation time the way AddressSanitizer does, it has enabled us to detect and fix vulnerabilities. Last year, six critical severity vulnerabilities were identified in the default setup of Chrome Stable, the version most people use. Impressively, five of the six were discovered while investigating MiraclePtr crash reports! One particularly interesting example is CVE-2022-3038. The issue was discovered through MiraclePtr crash reports and fixed in Chrome 105. Several months later, Google's Threat Analysis Group discovered an exploit for that vulnerability being used in the wild against users of a different Chromium-based browser that hadn't shipped the fix yet.
To further enhance our crash analysis capabilities, we've recently launched an experimental feature that allows us to collect additional information for MiraclePtr crashes, including stack traces. This effectively shortens the average crash report investigation time.
MiraclePtr gives us robust protection against use-after-free bug exploits, but there is a performance cost associated with it. Therefore, we've conducted experiments on each platform where we've shipped MiraclePtr, and used the results in our decision-making process.
The main cost of MiraclePtr is memory. Specifically, the memory usage of the browser process increased by 5.5-8% on desktop platforms and approximately 2% on Android. Yet, when analyzing the holistic memory usage across all processes, the impact remains within a moderate 1-3% range, at lower percentiles only.
The primary cause of the additional memory usage is the extra space needed to store the reference count. One might think that adding 4 bytes to each allocation wouldn't be a big deal. However, there are many small allocations in Chrome, so even the 4B overhead is not negligible. Moreover, PartitionAlloc uses pre-defined allocation bucket sizes, so this extra 4B pushes certain allocations (particularly power-of-2 sized ones) into a larger bucket, e.g. 4096B → 5120B.
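As an added example (not Chromium code), the model below reproduces the bucket effect just described. It assumes a PartitionAlloc-style layout with four buckets per power-of-two order, so the buckets above 4096 are 5120, 6144 and 7168; the real bucket table and the 16-byte minimum bucket are not given on the page and are assumptions here, as is the constructed workload.

```cpp
// Added example: a simplified model of PartitionAlloc-style size buckets, showing why a 4-byte
// reference count is not "just 4 bytes". NOT Chromium's code; the bucket layout (four buckets
// per power-of-two order, 16-byte minimum) is an assumption chosen to match the 4096 -> 5120
// jump described in the post.
#include <cstddef>
#include <vector>

namespace bucket_model {

constexpr size_t kRefCountBytes = 4;      // the per-allocation BRP cost from the post
constexpr size_t kBucketsPerOrder = 4;    // assumption: p, 1.25p, 1.5p, 1.75p between p and 2p
constexpr size_t kMinBucket = 16;         // assumption

// Smallest modelled bucket that can hold `size` bytes.
size_t BucketFor(size_t size) {
  if (size <= kMinBucket) return kMinBucket;
  size_t p = kMinBucket;
  while (p * 2 <= size) p *= 2;           // largest power of two <= size
  size_t step = p / kBucketsPerOrder;
  return p + (size - p + step - 1) / step * step;   // round up to the next intermediate bucket
}

// Slot actually consumed by one request, with and without the reference count.
struct SlotCost { size_t plain; size_t with_brp; };
SlotCost CostOf(size_t requested) {
  return {BucketFor(requested), BucketFor(requested + kRefCountBytes)};
}

// Total slot bytes for a workload of request sizes; the overhead is the difference.
size_t TotalSlotBytes(const std::vector<size_t>& requests, bool with_brp) {
  size_t total = 0;
  for (size_t r : requests) {
    SlotCost c = CostOf(r);
    total += with_brp ? c.with_brp : c.plain;
  }
  return total;
}

// Constructed workload: two page-sized buffers, one small object, one power-of-two object.
const std::vector<size_t> kSampleRequests = {4096, 4096, 100, 64};

}  // namespace bucket_model
```

Requesting 4096 bytes lands in the 4096 bucket without BRP and in the 5120 bucket with it, a 25% slot growth for a 4-byte count, and a 64-byte request grows to 80. A 100-byte request already sits in a 112-byte bucket with room to absorb the count, so it costs nothing extra. Summing over a realistic mix of sizes is what produces the single-digit percentages reported above.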
We also considered the performance cost. We verified that there were no regressions to the majority of our top-level performance metrics, including all of the page load metrics, like Largest Contentful Paint, First Contentful Paint and Cumulative Layout Shift. We did find a few regressions, such as a 10% increase in the 99th percentile of the browser process main thread contention metric, a 1.5% regression in First Input Delay on ChromeOS, and a 1.5% regression in tab startup time on Android. The main thread contention metric tries to estimate how often a user input can be delayed, so for example on Windows this was a change from 1.6% to 1.7% at the 99th percentile only. These are all minor regressions. There was zero change in daily active usage, and we don't anticipate these regressions to have any noticeable impact on users.
In summary, MiraclePtr has proven to be effective in mitigating use-after-free vulnerabilities and enhancing the overall security of the Chrome browser. While there are performance costs associated with the implementation of MiraclePtr, our analysis suggests that the benefits in terms of security improvements far outweigh them. We're committed to continually refining and expanding the feature to cover more areas. For example, we're working to add coverage to third-party libraries used by the GPU process, and we plan to enable BRP (BackupRefPtr) in the renderer process. By sharing our findings and experiences, we hope to contribute to the broader conversation surrounding browser security and encourage further innovation in this critical area.
