Hacker News

Virtually Unlimited Memory: Escaping the Chrome Sandbox(googleprojectzero.blogspot.com)

129 pointsweinzierl posted 3 months ago52 Comments
52 Comments:
pcwalton said 3 months ago:

This is yet another use-after-free in C++ code. It's modern C++ code written by excellent programmers following state-of-the-art security practices. Smart pointers, lambdas, you name it: it's all there. Yet a critical memory safety vulnerability still slipped through the cracks.

theamk said 3 months ago:

This was because of base::Unretained, which extracts raw C style pointers out of nice, safe C++ wrappers. Unfortunately, this is still a requirement in the advanced C++ software.

I wish there was a nice way to remove a need for such things, like a weak pointer that work with unique_ptr, but I do not think it is possible to do this while preserving zero overhead implementation.

The only practical solution I can think of is a shared_ptr-like object limited to have unique_ptr semantics. This will have overhead, but it could be worth it for the security gains.

safercplusplus said 3 months ago:

> like a weak pointer that work with unique_ptr, but I do not think it is possible to do this while preserving zero overhead implementation

I think the type of pointer you're asking for basically does exist. First, you want to distinguish the cases when you want a "full featured" weak pointer that can gracefully handle the destruction of its target object [1] (rarely the case), or you just want a non-owning pointer that detects when the prorammer screws up and lets the target object be destroyed prematurely [2].

The latter is essentially just a non-owning reference counting pointer. The optimizer should be able to discard matching increments and decrements of the reference counter in many cases.

> This will have overhead, but it could be worth it for the security gains.

The performance cost of avoiding "unsafe" C++ elements is measurable, but reasonably modest [3].

[1] https://github.com/duneroadrunner/SaferCPlusPlus#registered-...

[2] https://github.com/duneroadrunner/SaferCPlusPlus#norad-point...

[3] https://github.com/duneroadrunner/SaferCPlusPlus-BenchmarksG...

pjmlp said 3 months ago:

It kind of is, but requires a complete stack change.

Solaris on SPARC, iOS and eventually Android, all make use of memory tagging.

It doesn't cover all cases, but still better than not having it at all.

saagarjha said 3 months ago:

Note that the bug was caused by broken code that creates an unsafe, unretained reference to a smart pointer.

pcwalton said 3 months ago:

Which you do in C++ every time you use an &-reference.

comex said 3 months ago:

True, but in this case the buggy code had to explicitly write "base::Unretained" because the callback system (base::BindOnce) performs additional checks.

saagarjha said 3 months ago:

But that's not modern C++ anymore–the whole point is to have RAII manage your pointer's lifetime so it doesn't dangle.

pcwalton said 3 months ago:

References are absolutely modern C++. There isn't a nontrivial C++ program in existence that doesn't use references.

int_19h said 3 months ago:

Yes, and most of those references are to locals that are passed as arguments to function calls that will never take their address. In other words, it's pass-by-ref - which is perfectly safe - not pointers.

To obtain a reference to an object that is managed by a smart pointer, you would have to, at the minimum, explicitly dereference that pointer with *. In most cases, this also happens in an argument context, and the caller will maintain the pointer. It breaks when the pointer that's managing lifetime is a part of mutable state that the callee can touch somehow without returning - then it can cause the object to be freed while still holding a non-counting reference to it. At that point, you basically need something like Rust lifetime/ownership tracking to prevent such unsafe situations from happening.

pjmlp said 3 months ago:

While I agree with you, minimising the use of unsafe, specially among cargo.io libraries is still an issue.

There is still too much code that relies on it, that could have been written without such constructs.

jcelerier said 3 months ago:

> This is yet another use-after-free in C++ code.

Use-after-free is the least common case of CVE in C++ : https://resources.whitesourcesoftware.com/research-reports/w...

xyzzy123 said 3 months ago:

Hm, a few years ago when I was actively fuzzing stuff, UAFs were something like 20-30% of the crashes and one of the more exploitable memory corruption bug classes.

I will grant that the fuzzing targets were browsers, pdf readers, office suites and stuff which have some characteristics not shared by all C++ software.

In particular, a script engine and usually a way for “native” objects to get referenced or frobbed by scripting. Along with complex trees of object references, custom allocators, object pools etc.

I would have loved to have written a more substantive response but I didn’t want to download the PDF and check their analysis because they wanted to harvest my email.

What I can say is that a large proportion of real-world attacks where a hapless user gets pwned by a malicious file, document or script have a UAF somewhere down below as a root cause.

Not sure how UAF as a bug class got rated “least common” in their analysis? Would love to see some insight here, it doesn’t mesh at all with my lived experience but of course I could be missing something.

jcelerier said 3 months ago:

> I would have loved to have written a more substantive response but I didn’t want to download the PDF and check their analysis because they wanted to harvest my email.

huh, they didn't ask me for any email (or maybe ublock handled it).

xyzzy123 said 3 months ago:

Thanks, I should have tried harder, any old email will do.

After looking at the paper I think the issue is that they are counting CWEs assigned to CVEs, but CWE assignment to CVEs is not very granular / accurate.

For a contrasting point of view here’s an alternative reference:

“FreeSentry: Protecting Against Use-After-Free Vulnerabilities Due to Dangling Pointers” - https://pdfs.semanticscholar.org/3829/df26d4ce686251b9b50308... - “In 2011 and 2012, the most exploited memory errors for Microsoft products were use-after-free vulnerabilities. It was also the most exploited vulnerability for both Windows Vista and Windows 7 and is the most common type of memory error that occurs in Internet Explorer.”. Ok, that’s a bit old. Also why doesn’t it show up in the data?

In an unscientific sanity check (bit slow to do because on mobile) I am not sure UAF is getting all the credit it deserves in CVE classification.

For example https://www.cvedetails.com/cve-details.php?t=1&cve_id=CVE-20... is a UAF (https://www.exploit-db.com/exploits/46184) but is listed as CWE category 264 (permissions, privileges and access controls).

CVE-2017-8540 https://www.cvedetails.com/cve/cve-2017-8540 is also a UAF but is listed as CWE category 119 (memory corruption / code exec), ref: https://www.exploit-db.com/exploits/42088

I think I could find a lot more. CWE assignment to CVEs is not really an exact science. I suspect UAFs are getting under-counted because the bugs just went into “privesc” or “memory corruption / buffer overflow” buckets.

patternmaster said 3 months ago:

Hey xyzzy123, are you available for some freelancing on the subject?

bsagdiyev said 3 months ago:

Of course, rewriting in Rust is the only moral choice, right?

maximilianburke said 3 months ago:

I wouldn’t say moral choice but watching these types of issues crop up again and again even when the original vulnerable code has been written and reviewed by people with impeccable credentials and with the best intentions should give pause to those who wish to pursue new development with fundamentally vulnerable technologies, especially when there are alternatives that exist where these problems are much less likely to happen.

Waterluvian said 3 months ago:

We don't tear down every building when we update the building code. We just improve how we build the new ones.

goalieca said 3 months ago:

Or we require people to bring it up to code when they do major renovations (seems more in line with the Firefox rewrite)

s_y_n_t_a_x said 3 months ago:

FF does abide by this rule in-fact. Almost every new component is written in Rust. https://wiki.mozilla.org/Oxidation

s_y_n_t_a_x said 3 months ago:

So a new browser?

ip26 said 3 months ago:

Or periodic renovation to code on important components of e.g. the home envelope or electrical system.

nine_k said 3 months ago:

If zero-overhead interaction with OS APIs would still require unsafe blocks and raw pointers, a Rust implementation won't be bulletproof either.

said 3 months ago:
[deleted]
megous said 3 months ago:

It's a complicated and huge codebase created by many people. It will have bugs.

AgentME said 3 months ago:

When's the last time a Java codebase had a minor memory-handling mistake caused a bug that literally let an attacker inject their own code into the process?

I'm sure it somehow manages to happen here and there in Java code that's specifically managing data meant to be executed and a bug caused it to be mixed up with data not meant to be executed, but generally it's not something that happens in Java if you don't reach for APIs for starting programs. In C/C++, any code could potentially have any issue that disastrous. The fact that bugs enabled remote code execution can happen anywhere, not just near specific dangerous API calls or language features, is a uniquely C/C++ problem.

megous said 3 months ago:

Just google "RCE Java":

https://www.darkreading.com/informationweek-home/why-the-jav...

You may also be interested in JNI. Java is also written in C or some such, so it can't escape the realties of that language. Even if it would not be, it would probably run some kind of JITted assembly.

https://heimdalsecurity.com/blog/java-biggest-security-hole-...

Unless you're talking about some platonic ideal of Java, real world implementations have memory bugs.

Bug enabled RCE can't happen anywhere in a C codebase. It's comparatively rare, too, to other classes of bugs, and depends on how much an attacker can control the input.

AgentME said 3 months ago:

That first article is proving my point. RCE issues only happen in Java in code that unsafely uses specific APIs. In C/C++, a mistake in a basic for loop that writes values into an array can cause a RCE vulnerability. Any pointer being passed around and written to can cause a RCE vulnerability if it might possibly refer to already freed memory. It's often impossible to tell if a bit of code is safe by looking at it directly, and instead it requires a more holistic understanding of the program. In almost every other language, you can be reasonably confident a bit of code is safe if it doesn't use any code loading, deserialization, or unchecked memory manipulating APIs. The few parts that do use those kinds of APIs stand out and can be reviewed more easily.

>https://heimdalsecurity.com/blog/java-biggest-security-hole-...

I'm specifically talking about the rate and severity of bugs in non-malicious code. Java's sandboxing and plugin aspects were horribly flawed and were rightly put out to pasture.

>Bug enabled RCE can't happen anywhere in a C codebase. It's comparatively rare, too, to other classes of bugs, and depends on how much an attacker can control the input.

It's definitely not rare compared to the rate of RCE bugs in other languages. I'd be surprised if most C/C++ programmers who have written their own non-trivial programs haven't written at least one memory-mishandling bug that allowed RCE. I really don't think the fraction of Java programmers who have ever mis-used JNI or deserialization is nearly that high.

Sophistifunk said 3 months ago:

...and yet there's so many C++ programmers walking around telling themselves they're so special they can write correct C++ code, everybody else is just stupid, and C++ is still a good idea.

flukus said 3 months ago:

The bug is thinking we can sandbox and run arbitrary code safely. Java, Javascript, flash, and even intel have failed at this.

It would be nice if we could acknowledge this rather than rewrite everything again and still fail.

arthur_pryor said 3 months ago:

sandboxing may not be perfect, but it provides an important layer of protection. it takes effort to break out of a sandbox.

if the protections that sandboxing offered were so flimsy as to be a false sense of security, that would be an argument against sandboxing. but that does not seem to be the situation we're in.

bitwize said 3 months ago:

This is why we need to pass the Rust New Deal.

IloveHN84 said 3 months ago:

And how do you want to write it? With 'safer' JVM based languages? Rust? Go?

C++ has the best memory model out there. Why do they want to extract raw C pointers from smart ones? This seems like a bad practice if you need to do that.

pcwalton said 3 months ago:

Any memory-safe language. Pick your favorite.

Despegar said 3 months ago:

Unrelated but does anyone at Google still work on Blogger or is it going down the Google Finance path of neglect and eventual shutdown?

Etheryte said 3 months ago:

I've used Blogger on a semi-regular basis, say, once a month for countless years. It still receives occasional updates every now and then, last time last year if I remember correctly. So there's certainly maintenance crew assigned to it, even some new features have been added. I do agree that it's a pretty niche product in their lineup these days.

techntoke said 3 months ago:

Personally I hope it goes away. I would like to see Google focus on enabling bloggers and site creators to host their own sites and work to build and automate open source projects into their cloud products. There are so many static site frameworks for bloggers at this point that it would be ideal for them to do something similar to Netlify and work on great themes for Hugo or other static site generators.

coldtea said 3 months ago:

>Personally I hope it goes away.

Yeah, let's let millions of words, and thousands of invaluable posts go to bit rot...

techntoke said 3 months ago:

There are already a lot of tools for migrating Blogger sites. I'm sure they could setup a migration path to their free cloud tier.

dcbadacd said 3 months ago:

You're assuming every blog is cared about by its owner, what if it's just the readers?

snazz said 3 months ago:

Switching it to read-only/static and offering migration paths would satisfy both parties then.

arthur_pryor said 3 months ago:

if you like something or think it's important, and you want the internet to preserve it for posterity, force it to be crawled by the wayback machine:

https://web.archive.org

(usually stuff i want to save has already been crawled, but i always find it satisfying when something i plug in there hasn't been archived yet)

Waterluvian said 3 months ago:

I'm going to guess around 99% of bloggers don't want to think at all about site creation and hosting. They want to buy/pick a theme, modify it a little, and focus on the reason they're there in the first place.

techntoke said 3 months ago:

And this could be accomplished. Check here for some solutions:

https://gohugo.io/tools/frontends/

GitLab already integrates with Hugo for one-click site hosting and deployment using Pages:

https://gohugo.io/hosting-and-deployment/hosting-on-gitlab/

Waterluvian said 3 months ago:

What percentage of bloggers do you suspect meet the "assumptions" criteria on that page?

I'm fascinated by how tech people perceive the other 99% of web users/content creators.

techntoke said 3 months ago:

I'm not saying it is perfect, but it could quickly be made ready to be as simple as Blogger is today.

joshuamorton said 3 months ago:

Short of being hosted for you, no, it simply can't.

techntoke said 3 months ago:

Services like GitLab and GitHub already host these sites for you for free.

Crinus said 3 months ago:

If you are going to rely on a 3rd party host why switch Blogger (which handles everything for you) with GitLab/GitHub (which requires a bit of extra maintenance from your side)?

techntoke said 3 months ago:

AWS already provides hosting for static sites, as does Firebase. GitLab and GitHub both APIs. It really could be as simple as Blogger is today with little effort from Google. Building a community around static sites is nothing new. Jekyll, Hugo and many other static site generators have been doing this with embedded comments using Disqus and other providers. Hugo already provides internal shortcodes for all these features and more, as well as analytics. It is really just a matter of creating some great templates for people to start using and automating the deployment (or migration) portion of the website so that users that don't want to deal with any additional steps can do it from a single interface.

ramon said 3 months ago:

I knew about this unlimited memory for years Chrome uses all the memory it can get. This is why I was testing firefox the other day.