Google looks at bypass in Chromium's ASLR security defense, throws hands up, won't patch garbage issue

"Thanks for the report anyway."

Every time a bug bounty decision maker types these words God kills a hundred freelance vulnerability researchers.

To be fair, they only have a few hundred billion $'s kicking around.

So if you find a bug so bad

That they can't fix it, it doesn't warrant payment? I would think that's exactly the kind of bug you would want to pay for, to keep whoever found it from turning around and selling it to blackhats - an unfixable bug is their dream scenario!

Re: shoddy

It's not the best we can do. Get a Real Programmer to write the code in a language that uses deterministic memory allocation. Problem solved.

Re: shoddy

We're building the modern world on computers and that's the best we can do?

I was going to suggest we should worry more about Facebook than shoddy garbage collection, but I suppose "shoddy garbage collection" is as good a description of social media as any. As you were...

Re: shoddy

How f*cking shoddy is that?

We're building the modern world on computers and that's the best we can do?

No matter what university lecturers say (at least mine did 25 years ago), CPU isn't cheap, memory isn't cheap, storeage isn't cheap.

How often do people complain about how much memory, or CPU, or disk (not so much disk in this case) browsers use up? It's always a tradeoff between memory usage and CPU cycles. Sure, they could have mechanisms to identify pointers vs integers, but that'd take more memory to do, a flag/mark isn't magically 0 bytes of data, it'd have to take up some amount of bits/bytes in the data structures, the millions of data structures thus taking up even more RAM in the already bloated RAM usage of browsers. Each flag might be tiny, but even a tiny number multiplied by millions becomes a big aggregate number.

Alternatively (RAM vs CPU tradeoff), they could have more smarts and try to work out dynamically (and transiently, remember, we aren't storing this knowledge in RAM beyond the GC cycle in this case, as opposed to the previous one) at GC time whether it's a pointer or an interger, taking, say, 20 cycles to do it, millions of times over on a GC. And like with the flag in memory, even a tiny number times millions of iterations in a GC will be a big number, being multiple seconds of processing on what people want to be an instantly-responsive system. Thus taking massively more CPU on what people complain are already CPU-hogging processes.

So they chose an RAM/CPU optimsed method, but if you don't do a CPU vs RAM tradeoff, the tradeoff comes from somehwere else. And as a consumer, would you rather your browser hangs continually for GC (excessive CPU), takes significantly more RAM (do you have enough RAM? How many tabs/windows can you now have open? How many other apps can you have running in the background?) or uses what was at the time thought to be a secure alternative method because of ASLR mitigating the issue?

From a developers perspective, this is definitely a damned if you do, damned if you don't scenario.

Re: shoddy

It's not the best we can do - precise garbage collectors exist and work.

However, there are performance vs accuracy/security/whatever tradeoffs, and people choose performance almost every time.

Re: Root Cause Analysis

I would top that list with people who come up with excessively complex and inaccurate designs then refuse to take responsibility or admit any fault for them. That's how systems get exploited.

Re: Root Cause Analysis

Neither upvoted nor downvoted, but it seems to me that the state that you call "asshole" is just a modern equivalent of long-time practice. Whether it be nations abusing security to spy on each other, or proper dodgy blokes fleecing unsuspecting people, they both have long histories predating electricity, never mind processor cache technology. It's unfortunate that problems in processor design [*] have made this situation possible, but it is what it is.

* - you can have security or you can have speed, pick one.

Re: Root Cause Analysis

First, it's not "people" being "assholes"--it only takes one. You are saying that the problem is human nature. So? So what?

Second, we speculative speculative loads & stores first came out, very senior people attempted--and failed--to realize SPECTRE-class attacks. Side-channel attacks had been well known for decades (look up TEMPEST), so this was not babe in the woods situation. It is telling, however, that just inside the cover of the manual for the parts, there is a page-sized notice that the processor is NOT rated for use with any US government classified material. Which was no big deal before people started living their entire lives online.

Re: Why not Firefox?

They're not using a tracing based garbage collector. Chrome & Firebox both use reference counting in the main. However Chromium also implements a second tracing garbage collector inside the rendering engine, apparently to make collection of objects that form cycles more efficient, and that's where the issue lies. Detecting cycles in a browser engine gets especially challenging because they can form across language boundaries.

Firefox's equivalent solution is a 'complex cycle collector' (casual use of either browser shows neither solution works perfectly by the way). Mozilla's new rendering engine Servo was supposedly taking advantage of Rust language features to do object lifetime analysis at compile time and make the cycles easier to track, or less likely to form in the first place(?), and the whole process less bug prone, but I don't know the status of that effort.