Programming languages: How Google is improving C++ memory safety

Google’s Chrome team is looking at heap scanning to reduce memory-related security flaws in Chrome’s C++ codebase, but the technique takes a toll on memory, except when newer Arm hardware is used.

Google can’t just rip and replace Chromium’s existing C++ code with memory-safer Rust, but it is working on ways to improve the memory safety of C++ by scanning heap-allocated memory. The catch is that it’s expensive on memory and for now only experimental.

Google and Microsoft are major users of and contributors to the fast programming language C++, which is used in projects like Chromium, Windows, the Linux kernel, and Android. There is growing interest in using Rust because of its memory safety guarantees.

But switching wholesale from C++ in Chrome to a language like Rust simply can’t happen in the near term.

“Although there is hunger for different languages than C++ with more powerful memory protection guarantees, massive codebases such as Chromium will use C++ for the foreseeable future,” explain Anton Bikineev, Michael Lippautz and Hannes Payer of Chrome’s security team.

Given this status, Chrome engineers have found ways to make C++ safer to reduce memory-related security flaws such as buffer overflow and use-after-free (UAF), which account for 70% of all software security flaws.

C++ doesn’t guarantee that memory is always accessed with the latest information about its structure. So Google’s Chrome team has been exploring the use of a “memory quarantine” and heap scanning to prevent the reuse of memory that is still reachable.

UAFs make up the majority of high-severity issues affecting the browser. A case in point is this week’s Chrome 102, which fixed one critical UAF, while six of eight high-severity flaws were UAFs.

UAF access in heap-allocated memory is caused by “dangling pointers”, which occur when memory used by an application is returned to the underlying system but a pointer still points to the out-of-date object. Access through the dangling pointer results in a UAF, which is hard to spot in large code bases.

To detect UAFs, Google already uses C++ smart pointers like MiraclePtr, which also caused a performance hit, as well as static analysis in compilers, C++ sanitizers, code fuzzers, and a garbage collector called Oilpan. The appeal of Rust is that its compiler spots pointer errors before the code runs on a device, thus avoiding performance penalties.

Heap scanning may add to this arsenal if it makes it beyond the experimental phase, but adoption will depend on devices using the latest Arm hardware.

Google explains how quarantines and heap scanning work: “The key thought driving assuring temporal security with quarantining and heap scanning is to stay away from reusing memory till it has been tested that there are no additional (dangling) pointers referring to it. To stay clear of modifying C++ person
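The quarantine and heap-scanning idea described in this article, as an added C++ sketch that is not Chrome's code: freed slots in a toy pool stay quarantined until a conservative scan of live memory finds no word pointing into them. All names (`Pool`, `q_alloc`, `q_free`, `scan_and_release`, `Node`, `demo`) are hypothetical.

```cpp
#include <stddef.h>
#include <stdint.h>
#include <string.h>

// Toy pool; every name here is hypothetical and not Chrome's allocator API.
constexpr size_t kSlots = 8, kSlotSize = 32;
enum State : uint8_t { FREE, LIVE, QUARANTINED };
struct Pool {
    alignas(16) unsigned char mem[kSlots * kSlotSize] = {};
    State state[kSlots] = {};
};
struct Node { Node* next; int value; };  // constructed sample object type
void* q_alloc(Pool& p) {  // hands out FREE slots only
    for (size_t i = 0; i < kSlots; ++i)
        if (p.state[i] == FREE) { p.state[i] = LIVE; return p.mem + i * kSlotSize; }
    return nullptr;
}
// Freeing zeroes the slot and quarantines it; the slot is not yet reusable.
void q_free(Pool& p, void* ptr) {
    size_t i = (static_cast<unsigned char*>(ptr) - p.mem) / kSlotSize;
    memset(p.mem + i * kSlotSize, 0, kSlotSize);
    p.state[i] = QUARANTINED;
}
// Conservative scan: a quarantined slot is freed only if no word in LIVE memory points into it.
size_t scan_and_release(Pool& p) {
    bool referenced[kSlots] = {};
    const uintptr_t base = reinterpret_cast<uintptr_t>(p.mem);
    for (size_t off = 0; off < sizeof(p.mem); off += sizeof(uintptr_t)) {
        if (p.state[off / kSlotSize] != LIVE) continue;
        uintptr_t w;
        memcpy(&w, p.mem + off, sizeof w);
        if (w >= base && w < base + sizeof(p.mem)) referenced[(w - base) / kSlotSize] = true;
    }
    size_t released = 0;
    for (size_t i = 0; i < kSlots; ++i)
        if (p.state[i] == QUARANTINED && !referenced[i]) { p.state[i] = FREE; ++released; }
    return released;
}
bool demo() {  // true if reuse of b's slot waited until a->next stopped dangling
    Pool p;
    Node* a = static_cast<Node*>(q_alloc(p));
    Node* b = static_cast<Node*>(q_alloc(p));
    a->next = b;
    q_free(p, b);  // a->next now dangles into a quarantined slot
    bool held = scan_and_release(p) == 0 && q_alloc(p) != b;
    a->next = nullptr;  // last reference removed
    return held && scan_and_release(p) == 1 && q_alloc(p) == b;
}
int main() { return demo() ? 0 : 1; }
```

The scan is conservative: an integer that happens to look like an address into the pool also keeps a slot quarantined, which is one source of the memory cost the article mentions.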

Governor, Google announce support for computer science partnerships

RICHMOND, Va. (WDBJ/Governor’s Office Release) – Google has pledged to invest $300 million in Virginia with a total economic impact to the Commonwealth of about $8.8 billion.

That announcement was made Tuesday by Governor Glenn Youngkin and Google Vice President & Chief Internet Evangelist Vint Cerf. Google also announced a $250,000 grant to Virginia’s computer science advocacy and service provider, CodeVA, which will partner with Google and other stakeholders to build a network of Computer Science Lab Schools, deliver computer science professional development opportunities for computer science teachers and expand computer science resources for Virginia’s students and workers looking to be trained for the knowledge economy.

Google will also partner with the Virginia Community College System’s 23 colleges and five higher education centers to deliver a turnkey set of professional certificates to help workers and students gain the most in-demand skills and competencies, according to Youngkin.

“Google’s investment decision and partnership announcement is a well timed and thrilling progress for the Commonwealth. Code with Google and CodeVA will put together the subsequent era of Virginia’s learners for occupations in computer science. As governor, I am fully committed to making workforce development alternatives, growing our computer science options for Virginia’s pupils, and reestablishing significant anticipations in education and learning. Now the standard assembly will have to act to move ahead with lab schools to maximize the potential of the partnerships announced currently for the gain of Virginia’s pupils,” said Governor Youngkin.

“I have lived in Virginia for much more than 40 years and am thrilled to see Google continue on to grow and commit in the area,” said Vint Cerf, VP and Chief Internet Evangelist at Google. “We’re committed to playing a favourable position in the communities we contact house, and our latest partnerships with CodeVA, VCCS, and the Office of Instruction to support nurture the following technology of tech expertise in Virginia are an additional testomony to that determination.”

The Grow with Google Partner Program provides free resources local organizations can use to teach digital skills that can help people grow their careers and businesses, according to the governor’s office. Partners receive, at no cost, program materials, training and a dedicated support team.

With its data centers in Loudoun County and a growing office in Reston, Google has more than 480 employees across the Commonwealth working in functions such as Google Cloud and the company infrastructure. Learn more about Google in Virginia here: g.co/economicimpact/virginia.

Copyright 2022 WDBJ. All rights reserved.

Purdue University lawsuit says Google copied smartphone technology

The Google logo is pictured at the entrance to the Google offices in London, Britain January 18, 2019. REUTERS/Hannah McKay

  • University’s patent covers tech for fixing software code
  • Complaint says Google engineer copied code for Android software

(Reuters) – Purdue University’s Purdue Research Foundation has sued Google LLC in Texas federal court, alleging that Android software for eliminating programming errors in smartphones copies parts of its professors’ invention.

The foundation asked the U.S. District Court for the Western District of Texas for royalties and an undisclosed amount of money damages on Tuesday based on Google’s alleged willful patent infringement.

The complaint said two professors and two students at the West Lafayette, Indiana university invented the patented technology, which detects software programming errors that could affect a mobile device’s power management.

Purdue said that after a Google engineer posted an article about one of the professors in an Android forum in 2012, another Google engineer found and incorporated code disclosed by the inventors into Android software.

Purdue received the patent in 2019. The university said it sent Google a notice of infringement last August, but the company continues to use the patented code.

A Purdue spokesperson said in a Wednesday statement that the research foundation tried to meet with Google for weeks, but the company refused “reasonable conditions” for a meeting.

The spokesperson said Google infringes multiple additional Purdue patents, and the university will amend its complaint to add them if Google “proceeds to refuse to negotiate a license.”

Google spokesperson José Castañeda said Wednesday that the company develops its products independently, and that it was reviewing the complaint and would “vigorously” defend itself.

The case is Purdue Research Foundation v. Google LLC, U.S. District Court for the Western District of Texas, No. 6:22-cv-00119.

For Purdue: Michael Shore and Alfonso Chan of Shore Chan, Mark Siegmund of Steckler Wayne Cochran Cherry

For Google: n/a

Emergency Google Chrome update fixes zero-days used in attacks

Google has released Chrome 95.0.4638.69 for Windows, Mac, and Linux to fix two zero-day vulnerabilities that attackers have actively exploited.

“Google is aware that exploits for CVE-2021-38000 and CVE-2021-38003 exist in the wild,” Google disclosed in the list of security fixes in today’s Google Chrome release.

While Google states that the new version may take some time to reach everyone, the update has already started rolling out Chrome 95.0.4638.69 to users worldwide in the Stable Desktop channel. 

To install the Chrome update immediately, go to Chrome menu > Help > About Google Chrome, and the browser will begin performing the update.

Chrome 95.0.4638.69 was installed immediately

Google Chrome will also check for available updates and install them the next time you launch the web browser.

Zero-day attacks’ details not disclosed

This Chrome release fixes a total of seven vulnerabilities, with two being zero-days that are known to have been exploited in the wild.

The first zero-day, tracked as CVE-2021-38000, is described as an “Insufficient validation of untrusted input in Intents” and was assigned a High severity level. This vulnerability was discovered by Clement Lecigne, Neel Mehta, and Maddie Stone of Google Threat Analysis Group on September 15th, 2021.

The second zero-day, tracked as CVE-2021-38003, is a High severity “Inappropriate implementation” bug in the Chrome V8 JavaScript engine. This vulnerability was discovered by Lecigne as well and reported on October 24th.

At this time, Google or the researchers have not provided further details regarding how threat actors used the vulnerabilities in attacks. However, as Google discovered the vulnerabilities, we may learn more in future reports by Google TAG or Project Zero.

As these two vulnerabilities have been used in attacks, it is suggested that all Chrome users perform a manual upgrade or restart their browser to install the latest version.

Fifteenth zero-day fixed this year

With these fixes, Google has patched 15 Chrome zero-day vulnerabilities since the beginning of 2021.

The other thirteen zero-days patched this year are listed below:

  • CVE-2021-21148 – February 4th, 2021
  • CVE-2021-21166 – March 2nd, 2021
  • CVE-2021-21193 – March 12th, 2021
  • CVE-2021-21220 – April 13th, 2021
  • CVE-2021-21224 – April 20th, 2021
  • CVE-2021-30551 – June 9th, 2021
  • CVE-2021-30554 – June 17th, 2021
  • CVE-2021-30563 – July 15th, 2021
  • CVE-2021-30632 and CVE-2021-30633 – September 13th
  • CVE-2021-37973 – September 24th, 2021
  • CVE-2021-37976 and CVE-2021-37975 – September 30th, 2021

As Google is now pushing out Chrome updates to fix zero-days as they are reported, it is strongly advised that users do not block updates and install new versions as they become available.

https://www.bleepingcomputer.com/news/google/emergency-google-chrome-update-fixes-zero-days-used-in-attacks/…
