{"id":35140,"date":"2020-05-23T06:00:05","date_gmt":"2020-05-23T06:00:05","guid":{"rendered":"http:\/\/c5ac96ac-d645-4841-a624-61ed33111553"},"modified":"2020-05-23T06:00:05","modified_gmt":"2020-05-23T06:00:05","slug":"chrome-70-of-all-security-bugs-are-memory-safety-issues","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/chrome-70-of-all-security-bugs-are-memory-safety-issues\/","title":{"rendered":"Chrome: 70% of all security bugs are memory safety issues"},"content":{"rendered":"

\"chrome-memory-bugs.png\"<\/span>Image: Google<\/span><\/p>\n

Roughly 70% of all serious security bugs in the Chrome codebase are memory management and safety bugs, Google engineers said this week.<\/p>\n

Half of the 70% are use-after-free vulnerabilities, a type of security issue that arises from incorrect management of memory pointers<\/a> (addresses), leaving doors open for attackers to attack Chrome’s inner components.<\/p>\n

The percentage was compiled after Google engineers analyzed 912 security bugs fixed in the Chrome stable branch since 2015, bugs that had a “high” or “critical” severity rating.<\/p>\n

The number is identical to stats shared by Microsoft. Speaking at a security conference in February 2019, Microsoft engineers said that for the past 12 years, around 70% of all security updates for Microsoft products<\/a> addressed memory safety vulnerabilities.<\/p>\n

The never-ending problem of memory management<\/h3>\n

Both companies are basically dealing with the same problem, namely that C and C++, the two predominant programming languages in their codebases, are “unsafe” languages.<\/p>\n

They are old programming tools created decades ago when security exploitation and cyber-attacks were not a relevant threat model and far from the mind of most early software developers.<\/p>\n

As a result, both C and C++ let programmers have full control over how they manage an app’s memory pointers (addresses) and don’t come with restrictions or warnings to prevent or alert developers when they’re making basic memory management errors.<\/p>\n

\n<\/section>\n

These early coding errors result in memory management vulnerabilities being introduced in applications. This includes vulnerabilities like use-after-free, buffer overflow, race conditions, double free, wild pointers, and others<\/a>.<\/p>\n

These memory management vulnerabilities are the most sought-after bugs that attackers try to find and exploit, as they can grant them the ability to plant code inside a device’s memory and have it executed by the victim application (browser, server, OS, etc.).<\/p>\n

In a ranking released at the start of the year, the MITRE Corporation, the organization that manages the US government’s vulnerability database, ranked buffer overflow as the most dangerous vulnerability<\/a>, with two other memory management-related issues also ranked in the top 10 (out-of-bounds read on #5 and use-after-free on #7).<\/p>\n

As software engineering has advanced in recent years, developers have been getting better at rooting out most security flaws and adding security protections in place.<\/p>\n

But not for memory management vulnerabilities.<\/p>\n

Google to look into addressing Chrome’s memory bugs<\/h3>\n

Google says that since March 2019, 125 of the 130 Chrome vulnerabilities with a “critical” severity rating were memory corruption-related issues, showing that despite advances in fixing other bug classes, memory management is still a problem.<\/p>\n

The problem of memory management bugs has been such a big issue at Google that Chrome engineers now have to follow “The Rule of 2<\/a>.”<\/p>\n

According to this rule, whenever engineers write a new Chrome feature, their code must not break more than two of the following conditions:<\/p>\n