RSS Aggregator
FTC reports 50% drop in unwanted call complaints since 2021
Iranian Hackers Deploy WezRat Malware in Attacks Targeting Israeli Organizations
Retrofitting spatial safety to hundreds of millions of lines of C++
Attackers regularly exploit spatial memory safety vulnerabilities, which occur when code accesses a memory allocation outside of its intended bounds, to compromise systems and sensitive data. These vulnerabilities represent a major security risk to users.
Based on an analysis of in-the-wild exploits tracked by Google's Project Zero, spatial safety vulnerabilities represent 40% of in-the-wild memory safety exploits over the past decade:
Breakdown of memory safety CVEs exploited in the wild by vulnerability class. [1]
Google is taking a comprehensive approach to memory safety. A key element of our strategy focuses on Safe Coding and using memory-safe languages in new code. This leads to an exponential decline in memory safety vulnerabilities and quickly improves the overall security posture of a codebase, as demonstrated by our post about Android's journey to memory safety.
However, this transition will take multiple years as we adapt our development practices and infrastructure. Ensuring the safety of our billions of users therefore requires us to go further: we're also retrofitting secure-by-design principles to our existing C++ codebase wherever possible.
To that end, we're working towards bringing spatial memory safety into as many of our C++ codebases as possible, including Chrome and the monolithic codebase powering our services.
We’ve begun by enabling hardened libc++, which adds bounds checking to standard C++ data structures, eliminating a significant class of spatial safety bugs. While C++ will not become fully memory-safe, these improvements reduce risk as discussed in more detail in our perspective on memory safety, leading to more reliable and secure software.
This post explains how we're retrofitting hardened libc++ across our codebases and showcases the positive impact it's already having, including preventing exploits, reducing crashes, and improving code correctness.
Bounds-checked data structures: The foundation for spatial safety
One of our primary strategies for improving spatial safety in C++ is to implement bounds checking for common data structures, starting with hardening the C++ standard library (in our case, LLVM’s libc++). Hardened libc++, recently added by open source contributors, introduces a set of security checks designed to catch vulnerabilities such as out-of-bounds accesses in production.
For example, hardened libc++ ensures that every access to an element of a std::vector stays within its allocated bounds, preventing attempts to read or write beyond the valid memory region. Similarly, hardened libc++ checks that a std::optional isn't empty before allowing access, preventing access to uninitialized memory.
This approach mirrors what's already standard practice in many modern programming languages like Java, Python, Go, and Rust. They all incorporate bounds checking by default, recognizing its crucial role in preventing memory errors. C++ has been a notable exception, but efforts like hardened libc++ aim to close this gap in our infrastructure. It’s also worth noting that similar hardening is available in other C++ standard libraries, such as libstdc++.
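The effect of these checks can be seen in a small model. The following is an added example, not code from the original post or from libc++: `checked_index` and `checked_value` are hypothetical stand-ins for the precondition test that hardened mode places in front of `std::vector::operator[]` and a `std::optional` dereference, and each access runs in a child process so the resulting termination can be observed.

```cpp
// Build flags that enable the real library checks (the code below is only a model;
// app.cc is a placeholder file name):
//   clang++ -stdlib=libc++ -D_LIBCPP_HARDENING_MODE=_LIBCPP_HARDENING_MODE_FAST app.cc
//   g++ -D_GLIBCXX_ASSERTIONS app.cc        (libstdc++)
#include <cstddef>
#include <cstdio>
#include <optional>
#include <vector>
#include <sys/wait.h>
#include <unistd.h>

// Model of a hardened operator[]: validate the index, trap on violation.
int checked_index(const std::vector<int>& v, std::size_t i) {
    if (i >= v.size()) __builtin_trap();      // out of bounds: stop here
    return v.data()[i];
}

// Model of a hardened optional dereference: an empty optional traps.
int checked_value(const std::optional<int>& o) {
    if (!o.has_value()) __builtin_trap();
    return *o;
}

// Run `access` in a child process and report whether a signal killed it.
template <class F>
bool killed_by_check(F access) {
    pid_t pid = fork();
    if (pid < 0) return false;                // fork failed: nothing observed
    if (pid == 0) {
        volatile int sink = access();         // keep the access from being elided
        (void)sink;
        _exit(0);                             // reached only when the check passed
    }
    int status = 0;
    if (waitpid(pid, &status, 0) != pid) return false;
    return WIFSIGNALED(status);
}

// Constructed sample data: a three-element vector and an empty optional.
const std::vector<int> kSample{10, 20, 30};
bool in_bounds_killed()      { return killed_by_check([] { return checked_index(kSample, 2); }); }
bool out_of_bounds_killed()  { return killed_by_check([] { return checked_value(std::nullopt) * 0 + checked_index(kSample, 3); }); }
bool empty_optional_killed() { return killed_by_check([] { return checked_value(std::nullopt); }); }

int main() {
    std::printf("index 2 of 3:   killed=%d\n", in_bounds_killed());
    std::printf("index 3 of 3:   killed=%d\n", out_of_bounds_killed());
    std::printf("empty optional: killed=%d\n", empty_optional_killed());
}
```

The out-of-bounds read and the empty dereference end the process at the faulting access instead of returning whatever happens to sit in adjacent memory.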
Raising the security baseline across the board
Building on the successful deployment of hardened libc++ in Chrome in 2022, we've now made it default across our server-side production systems. This improves spatial memory safety across our services, including key performance-critical components of products like Search, Gmail, Drive, YouTube, and Maps. While a very small number of components remain opted out, we're actively working to reduce this and raise the bar for security across the board, even in applications with lower exploitation risk.
The performance impact of these changes was surprisingly low, despite Google's modern C++ codebase making heavy use of libc++. Hardening libc++ resulted in an average 0.30% performance impact across our services (yes, only a third of a percent).
This is due to both the compiler's ability to eliminate redundant checks during optimization, and the efficient design of hardened libc++. While a handful of performance-critical code paths still require targeted use of explicitly unsafe accesses, these instances are carefully reviewed for safety. Techniques like profile-guided optimizations further improved performance, but even without those advanced techniques, the overhead of bounds checking remains minimal.
We actively monitor the performance impact of these checks and work to minimize any unnecessary overhead. For instance, we identified and fixed an unnecessary check, which led to a 15% reduction in overhead (reduced from 0.35% to 0.3%), and contributed the fix back to the LLVM project to share the benefits with the broader C++ community.
While hardened libc++'s overhead is minimal for individual applications in most cases, deploying it at Google's scale required a substantial commitment of computing resources. This investment underscores our dedication to enhancing the safety and security of our products.
From tests to production
Enabling libc++ hardening wasn't a simple flip of a switch. Rather, it required a multi-stage rollout to avoid accidentally disrupting users or creating an outage:
- Testing: We first enabled hardened libc++ in our tests over a year ago. This allowed us to identify and fix hundreds of previously undetected bugs in our code and tests.
- Baking: We let the hardened runtime "bake" in our testing and pre-production environments, giving developers time to adapt and address any new issues that surfaced. We also conducted extensive performance evaluations, ensuring minimal impact to our users' experience.
- Gradual Production Rollout: We then rolled out hardened libc++ to production over several months, starting with a small set of services and gradually expanding to our entire infrastructure. We closely monitored the rollout, promptly addressing any crashes or performance regressions.
In just a few months since enabling hardened libc++ by default, we've already seen benefits.
Preventing exploits: Hardened libc++ has already disrupted an internal red team exercise and would have prevented another one that happened before we enabled hardening, demonstrating its effectiveness in thwarting exploits. The safety checks have uncovered over 1,000 bugs, and would prevent 1,000 to 2,000 new bugs yearly at our current rate of C++ development.
Improved reliability and correctness: The process of identifying and fixing bugs uncovered by hardened libc++ led to a 30% reduction in our baseline segmentation fault rate across production, indicating improved code reliability and quality. Beyond crashes, the checks also caught errors that would have otherwise manifested as unpredictable behavior or data corruption.
Moving average of segfaults across our fleet over time, before and after enablement.
Easier debugging: Hardened libc++ enabled us to identify and fix multiple bugs that had been lurking in our code for more than a decade. The checks transform many difficult-to-diagnose memory corruptions into immediate and easily debuggable errors, saving developers valuable time and effort.
Bridging the gap with memory-safe languages
While libc++ hardening provides immediate benefits by adding bounds checking to standard data structures, it's only one piece of the puzzle when it comes to spatial safety.
We're expanding bounds checking to other libraries and working to migrate our code to Safe Buffers, requiring all accesses to be bounds checked. For spatial safety, both hardened data structures, including their iterators, and Safe Buffers are necessary.
Beyond improving the safety of our C++, we're also focused on making it easier to interoperate with memory-safe languages. Migrating our C++ to Safe Buffers shrinks the gap between the languages, which simplifies interoperability and potentially even an eventual automated translation.
Building a safer C++ ecosystem
Hardened libc++ is a practical and effective way to enhance the safety, reliability, and debuggability of C++ code with minimal overhead. Given this, we strongly encourage organizations using C++ to enable their standard library's hardened mode universally by default.
At Google, enabling hardened libc++ is only the first step in our journey towards a spatially safe C++ codebase. By expanding bounds checking, migrating to Safe Buffers, and actively collaborating with the broader C++ community, we aim to create a future where spatial safety is the norm.
Acknowledgements
We’d like to thank Emilia Kasper, Chandler Carruth, Duygu Isler, Matthew Riley, and Jeff Vander Stoep for their helpful feedback. We also extend our thanks to the libc++ community for developing the hardening mode that made this work possible.
[1] Based on manual analysis of CVEs from July 15, 2014 to Dec 14, 2023. Note that we could not classify 11% of CVEs.
The EU seeks proposals for AI that should be banned
The EU, which is now developing guidelines on how to comply with the region’s new AI law, has started collecting opinions in two areas via an online survey.
The first area involves how the law should define AI systems (compared to traditional software). Here, the EU wants to hear from people in the AI industry, companies, academics and civil society. The second area concerns when the use of AI should be prohibited. The EU wants detailed feedback on each prohibited use and is particularly interested in practical examples.
Responses will be collected through the survey until Dec. 11, and the European Commission expects to publish guidelines regarding the definition of AI systems and any prohibited uses in early 2025.
D-Link will not release patches for a security flaw affecting more than 60,000 older NAS devices
Bitfinex hacker gets 5 years in prison for 120,000 bitcoin heist
Simplifying endpoint security
Webinar As organizations expand their digital footprint, the range of endpoints - spanning from laptops to IoT devices - continues to grow.…
Netflix and more for the weekend: Tyson vs. Paul live broadcast, new season of Silo, Cobra Kai. And Gladiator
RISC-V board for Framework Laptop 13 available for pre-order
Microsoft pulls Exchange security updates over mail delivery issues
Google’s Gemini app is now available on iPhones
Google has entered a new and more intense phase of the AI wars, introducing its own Google Gemini app for iPhones; now you can use Apple Intelligence, ChatGPT, Microsoft Copilot and Google Gemini on one device.
Only one of those services tries to give you what you need without gathering too much information about you.
What is Gemini?
Like most Google services, Google Gemini seems free, in that you don’t need to part with any cash credits to use it. Open it up, and you’ll find a chat window that also lets you get to a list of your previous chats. Speaking to Gemini is simple — text, voice, or even use a camera to point at something and you’ll get some answers. In other words, the app integrates the same features as you’ll find on the Gemini website, but it’s an app so that makes it cool.
Probably.
There is one more thing — access to the more conversational Gemini Live bot, which works a little like ChatGPT in voice mode. You can even assign access to Gemini as a shortcut on your iPhone’s Action button for fast access to the bot, which can also access and control any Google apps you’re brave enough to install on your iPhone.
All about Google
And that’s the thing, really. Like so much coming out of Silicon Valley now, Google Gemini is self-referencing.
You use Google on your iPhone to speak to a Google AI and access Google services, which gives you a more Android-like experience if you happen to have migrated to iOS from Android. You can use Gemini on your iPhone to control YouTube Music, for example, and you’ll get Google Maps if you ask for directions.
You even get supplementary privacy agreements for all those apps, some of which deliver exactly what you expect from Google the ads sales company, which is probably a little different than the privacy-first Apple experience you thought you were using. Gemini does put some protection in place, but your location data, feedback, and usage information can be reviewed by humans.
Most people won’t know this. Most people don’t read privacy agreements before accepting them. They should – but they are long, boring, and archaically written for a reason.
AI tribalism
If art reflects life and tech is indeed the new creativity, then the emergence of these equal but different digital tribes reflects the deeper tribalism that seems to be impacting every other part of life. Is that a good thing? Perhaps that depends on which state you live in.
At the end of days, Gemini on iPhone is your gateway to Google world, just as Windows takes you to Microsoft planet and Apple takes you to its own distorted reality, (subject to the EU). There are other tech worlds too, but this isn’t intended to be a definitive list of differing digital existences, especially now that these altered states have become both cloud- and service-based. It’s a battle playing out on every platform and on every device.
After all, if your primary computing experience becomes text- and voice-based, and the processors handling your requests are in the cloud, then it matters less which platform you use, as long as you get something you need. (It’s only later we’ll find that we get slightly less than what we need, with the difference between the two being the profit margin.)
Apple’s approach is to support those external services while building up its own AI suite with its own unique — and, if you ask me, vitally necessary — selling point around privacy. Others follow a different path, but it’s hard to ignore that control of your computational experience is the root of all these ambitions.
King of the hill
With its early mover advantage, OpenAI is not blind to the battle. Just this week it introduced support for different applications across Windows and Mac desktops. In a Nov. 14 message on X (for whomever remains genuinely active there), OpenAI announced: “ChatGPT for macOS can now work with apps on your desktop. In this early beta for Plus and Team users, you can let ChatGPT look at coding apps to provide better answers.”
That means it will try to help when working in applications such as VS Code, Xcode, and Terminal. While you work, you can speak with the bot, get screenshots, share files and more. There is, of course, also a ChatGPT app for iPhones, and the first comparative reviews of the experience of using both Gemini and ChatGPT on an Apple device show pros and cons to both. Downstream vendors, most recently including Jamf, are relying on tools provided by the larger vendors to add useful tools to their own.
Google and OpenAI are not alone. Just last month, Microsoft introduced Copilot Vision, which it describes as autonomous agents capable of handling tasks and business functions, so you don’t need to. Apple, of course, remains high on its recent introduction of Apple Intelligence.
Things will get better before becoming worse
It’s a clash of the tech titans. And like every clash of the tech titans so far this century, you — or your business — are the product the titans are fighting for. That raises other questions such as how will they monetize your experience of AI.
How high will energy prices climb as a direct result of the spiraling electricity demands of these services? At what point will AI eat itself, creating emails from spoken summaries that are then in turn summarized by AI? When it comes to security and privacy, is even sovereign AI truly secure enough for use in regulated enterprise? Just how secure are Apple’s own AI servers?
And once the dominant players in the New AI Empire finally emerge, how, just how, will they do what Big Tech always does and follow Doctorow’s orders?
Thomas Eugene Kurtz, co-creator of the BASIC programming language, has died
China is working on an energy weapon capable of combining several microwave beams into one
Palo Alto Networks warns of critical RCE zero-day exploited in attacks
Bitfinex burglar bags 5 years behind bars for Bitcoin heist
The US is sending the main figure behind the 2016 intrusion at crypto exchange Bitfinex to prison for five years after he stole close to 120,000 Bitcoin.…
Only items under 500 Kč. Amazon has launched a cheap online store with which it wants to drive people away from AliExpress and Temu
České dráhy is improving its Můj vlak app. You can send a ticket in the form of a QR code to both Google Wallet and Apple Wallet
Researchers Warn of Privilege Escalation Risks in Google's Vertex AI ML Platform