For more thrilling security updates and feisty rants, subscribe to security-dev@chromium.org. You can find older updates at https://dev.chromium.org/Home/chromium-security/quarterly-updates.

Happy Hacking,

Parisa, on behalf of Chrome Security

Happy 2016 from the Chrome Security Team!

For those that don’t know us already, we do stuff to help make Chrome the most secure platform to browse the Internet. Here’s a recap of some work from last quarter:

The Bugs-- effort aims to find (and exterminate) security bugs. We’ve integrated libFuzzer into ClusterFuzz, which means we can do coverage-guided fuzz testing on a per-function basis. The result, as you may have guessed, is several new bugs. The Bugs-- team has a larger goal this year to help Chromium developers write a ClusterFuzz fuzzer alongside every unittest, and libFuzzer integration is an important step toward achieving that goal. Separately, we’ve made security improvements and cleanups in the Pdfium codebase and fixed lots of open bugs. We also started some manual code auditing efforts, and discovered several high severity bugs (here, here, and here), and 1 critical severity bug.

Bugs still happen, so our Guts effort builds in multiple layers of defense. On Android, we’re running an experiment that adds an additional seccomp-bpf sandbox to renderer processes, like we already do on Desktop Linux and Chrome OS. On Windows 8 (and above), a Win32k lockdown experiment has been implemented for PPAPI plugins including Flash and Pdfium to help reduce the kernel attack surface for potential sandbox escapes. Also on Windows 8 (and above), an AppContainer sandbox experiment has been introduced, which further reduces kernel attack surface and blocks network communication from renderers.

Our Site Isolation effort reached a large milestone in December: running trials of the --isolate-extensions mode on real Chrome Canary users! This mode uses out-of-process iframes to isolate extension processes from web content for security. (Give it a try!) The trials were made possible by many updates to session history, session restore, extensions, painting, focus, save page, popup menus, and more, as well as numerous crash fixes. We are continuing to fix the remaining blocking issues, and we aim to launch both --isolate-extensions and the broader Site Isolation feature in 2016.

We also spend time building security features that users see. The Safe Browsing team publicly announced a new social engineering policy, expanding Chrome’s protection against deceptive sites beyond phishing. One major milestone is the launch of Safe Browsing in Chrome for Android, protecting hundreds of millions of additional users from phishing, malware, and other web threats! This is on by default and is already stopping millions of attacks on mobile Chrome users. The next time you come across a Safe Browsing warning, you can search for the blocked website in the new Site Status section of the Transparency Report to learn why it’s been flagged by our systems. On the other hand, we’re also trying to show users fewer security warnings in the first place by decreasing our false positive rate for HTTPS warnings. We spent a large part of the quarter analyzing client errors that contribute to false alarm HTTPS errors; check out our Real World Crypto talk for more details.

Beyond the browser, our web platform efforts foster cross-vendor cooperation on developer-facing security features. We've made good progress with folks in the IETF to make some meaningful changes to cookies; cookie prefixes and locking down 'secure' cookies will be shipping shortly. Subresource Integrity and Mixed Content are trucking along the W3C Recommendation path, we've solidified our Suborigins proposal, and have our eyes on some new hotness like HSTS Priming, CSP3 bits and pieces, and limiting access to local network resources.

We see migration to HTTPS as foundational to any security whatsoever (and we're not the only ones), so we're actively working to drive #MOARTLS across Google and the Internet at large. We've continued our effort to deprecate powerful features on insecure origins by readying to block insecure usage of geolocation APIs. We also took to the stage at the Chrome Dev Summit to spread the word, telling developers about what we’re doing in Chrome to make deploying TLS easier and more secure.

In addition to more TLS, we want to ensure more secure TLS, which depends heavily on the certificate ecosystem. Via Certificate Transparency, we detected a fraudulent Symantec-issued certificate in September, which subsequently revealed a pattern of additional misissued certificates. Independent of that incident, we took proactive measures to protect users from a Symantec Root Certificate that was being decommissioned in a way that puts users at risk (i.e. no longer complying with the CA/Browser Forum’s Baseline Requirements). Other efforts include working with Mozilla and Microsoft to phase out RC4 ciphersuite support, and continuing the deprecation of SHA-1 certificates, which were shown to be even weaker than previously believed. To make it easier for developers and site operators to understand these changes, we debuted a new Security Panel that provides enhanced diagnostics and will continue to be improved with richer diagnostics in the coming months.

For more thrilling security updates and feisty rants, subscribe to security-dev@chromium.org. You can find older updates at https://dev.chromium.org/Home/chromium-security/quarterly-updates.

Happy Hacking,

Parisa, on behalf of Chrome Security

For those that don’t know us already, we do stuff to help make Chrome the most secure platform to browse the Internet. Here’s a recap of some work from last quarter:

The Bugs-- effort aims to find (and exterminate) security bugs. We’ve continued our collaboration with Android Security team and now have a fully functional AddressSanitizer (ASAN) build configuration of AOSP master (public instructions here). ClusterFuzz is helping Android Security team triage and verify bugs, including incoming vulnerability reward submissions, and now supports custom APK uploads and the ability to launch commands. Back on the Chrome front, we’re working on enabling Control Flow Integrity (CFI) checks on Linux, which converts invalid vptr accesses into non-exploitable crashes; 8 bugs discovered so far! We’ve made numerous improvements to how we fuzz Chrome on Android with respect to speed and accuracy. We also made some progress toward our goal of expanding ClusterFuzz platform support to include iOS. In our efforts to improve Chrome Stability, we added LeakSanitizer (LSAN) into our list of supported memory tools, which has already found 38 bugs.

Bugs still happen, so our Guts effort builds in multiple layers of defense. Plugin security remains a very important area of work. With the final death of unsandboxed NPAPI plugins in September, we’ve continued to introduce mitigations for the remaining sandboxed PPAPI (Pepper) plugins. First, we implemented support for Flash component updates on Linux, a long-standing feature request, which allows us to respond to Flash 0-day incidents without waiting to qualify a new release of Chrome. We’ve also been spending time improving the code quality and test coverage of Pdfium, the now open-source version of the Foxit PDF reader. In addition, we have been having some success with enabling Win32k syscall filtering on Windows PPAPI processes (PDFium and Adobe Flash). This makes it even tougher for attackers to get out of the Chromium Flash sandbox, and can be enabled on Windows 8 and above on Canary channel right now by toggling the settings in chrome://flags/#enable-ppapi-win32k-lockdown.

We’ve been making steady progress on Site Isolation, and are preparing to enable out-of-process iframes (OOPIFs) for web pages inside extension processes. You can test this mode before it launches with --isolate-extensions.  We have performance bots and UMA stats lined up, and we'll start with some early trials on Canary and Dev channel.  Meanwhile, we've added support for hit testing in the browser process, scrolling, context menus, and script calls between all reachable frames (even with changes to window.opener).

Not all security problems can be solved in Chrome’s guts, so we work on making security more user-friendly too. To support developers migrating to HTTPS, starting with M46, Chrome is marking the “HTTPS with Minor Errors” state using the same neutral page icon as HTTP pages (instead of showing the yellow lock icon). We’ve started analyzing invalid (anonymized!) TLS certificate reports gathered from the field, to understand the root causes of unnecessary TLS/SSL warnings. One of the first causes we identified and fixed was certificate hostname mismatches due to a missing ‘www’. We also launched HPKP violation reporting in Chrome, helping developers detect misconfigurations and attacks by sending a report when a pin is violated. Finally, in an effort to support the Chrome experience across languages and locales, we made strides in improving how the omnibox is displayed in RTL languages.

Beyond the browser, our web platform efforts foster cross-vendor cooperation on developer-facing security features. We shipped Subresource Integrity (SRI), which defends against resource substitution attacks by allowing developers to specify a hash against which a script or stylesheet is matched before it's executed. We’re excited to see large sites, like Github, already deploying SRI! We've sketched out a concept for a Clear Site Data feature which we hope will make it possible for sites to reset their storage, and we're hard at work on the next iteration of Content Security Policy. Both of these will hopefully start seeing some implementation in Q4.

We see migration to HTTPS as foundational to any security whatsoever (and we're not the only ones), so we're actively working to drive #MOARTLS across Google and the Internet at large. We shipped Upgrade Insecure Requests, which eases the transition to HTTPS by transparently correcting a page's spelling from `http://` to `https://` for all resources before any requests are triggered. We've also continued our effort to deprecate powerful features on insecure origins by solidifying the definition of a "Secure Context", and applying that definition to block insecure usage of getUserMedia().

For more thrilling security updates and feisty rants, subscribe to security-dev@chromium.org.

Happy Hacking,

Q2 2015

Hello from the Chrome Security Team!

For those that don’t know us already, we do stuff to help make Chrome the most secure platform to browse the Internet. Here’s a recap of some work from last quarter:

The Bugs-- effort aims to find (and exterminate) security bugs. At the start of the quarter, we initiated a Security FixIt to trim back the fat backlog of open issues. With the help of dozens of engineers across Chrome, we fixed over 40 Medium+ severity security bugs in 2 weeks and brought the count of issues down to 15! We also collaborated with Android Security Attacks Team and added native platform fuzzing support to ClusterFuzz (and imported their fuzzers), which resulted in ~30 new bugs discovered. ClusterFuzz now supports fuzzing on all devices of the Nexus family (5,6,7,9) and Android One and is running on a few dozen devices in the Android Lab. On top of this, we have doubled our fuzzing capacity in Compute Engine to ~8000 cores by leveraging Preemptible VMs. Lastly, we have upgraded all of our sanitizer builds on Linux (ASan, MSan, TSan and UBSan) to report edge-level coverage data, which is now aggregated in the ClusterFuzz dashboard. We’re using this coverage information to expand data bundles by existing fuzzers and improve our corpus distillation.

Bugs still happen, so our Guts effort builds in multiple layers of defense.  Our Site Isolation project is getting closer to its first stage of launch: using out-of-process iframes (OOPIFs) for web pages inside extension processes.  We've made substantial progress (with lots of help from others on the Chrome team!) on core Chrome features when using --site-per-process: OOPIFs now work with back/forward, DevTools, and extensions, and they use Surfaces for efficient painting (and soon input event hit-testing).  We've collected some preliminary performance data using Telemetry, we've fixed lots of crashes, and we've started enforcing cross-site security restrictions on cookies and passwords.  Much work remains, but we're looking forward to turning on these protections for real users!

On Linux and Chrome OS, we’ve made changes to restrict one PID namespace per renderer process, which strengthens and cleans-up our sandbox (shipping in Chrome 45). We also finished up a major cleanup necessary toward deprecating the setuid sandbox, which should be happening soon. Work continued to prepare for the launch of Windows 10, which offers some opportunities for new security mitigations; the new version looks like the most secure Windows yet, so be sure to upgrade when it comes out!

Not all security problems can be solved in Chrome’s guts, so we work on making security more user-friendly too. We’ve continued our efforts to avoid showing unnecessary TLS/SSL warnings: decisions are now remembered for a week instead of a session, and a new checkbox on TLS/SSL warnings allows users to send us invalid certificate chains that help us root out false-positive warnings. Since developers and power users have been asking for more tools to debug TLS/SSL issues, we’ve started building more security information into DevTools and plan to launch a first version in Q3!

Another large focus for the team has been improving how users are asked for permissions, like camera and geolocation. We’ve finalized a redesign of the fullscreen permission flow that we hope to launch by the end of the year, fixed a number of bugs relating to permission prompts, and launched another round of updates to PageInfo and Website Settings on Android.

Beyond the browser, our web platform efforts foster cross-vendor cooperation on developer-facing security features. The W3C's WebAppSec working group continues to be a fairly productive venue for a number of important features: we've polished the Subresource Integrity spec and shipped an implementation in Chrome 46, published first drafts of Credential Management and Entry Point Regulation, continue to push Content Security Policy Level 2 and Mixed Content towards "Recommendation" status, and fixed some longstanding bugs with our Referrer Policy implementation.

Elsewhere, we've started prototyping Per-Page Suborigins with the intent of bringing a concrete proposal to WebAppSec, published a new draft of First-Party-Only cookies (and are working through some infrastructure improvements so we can ship them), and poked at sandboxed iframes to make it possible to sandbox ads.

We see migration to HTTPS as foundational to any security whatsoever (and we're not the only ones), so we're actively working to drive #MOARTLS across Google and the Internet at large. As a small practical step on top of the HTTPS webmasters fundamentals section, we’ve added some functionality to Webmaster Tools to provide better assistance to webmasters when dealing with common errors in managing a site over TLS (launching soon!). Also, we're now measuring the usage of pre-existing, powerful features on non-secure origins, and are now printing deprecation warnings in the JavaScript console. Our ultimate goal is to make all powerful features, such as Geolocation and getUserMedia, available only to secure origins.

For more thrilling security updates and feisty rants, subscribe to security-dev@chromium.org.

Happy Hacking,

Parisa, on behalf of Chrome Security

Q1 2015

Hello from the Chrome Security Team!

For those that don’t know us already, we do stuff to help make Chrome the most secure platform to browse the Internet. Here’s a recap of some work from last quarter:

The Bugs-- effort aims to find (and exterminate) security bugs. Last quarter, we rewrote our IPC fuzzer, which resulted in lots more bugs discovered by ClusterFuzz! We also expanded fuzzing platform support (Android Lollipop, Linux with Nvidia GPU), added archived builds for proprietary media codecs testing on all platforms, and used more code annotations to find bugs (like this or this). We auto-add previous crash tests to our data corpus, which helps to catch regressions even if a developer forgets to add a test (example). We’ve also started experimenting with enabling and leveraging code coverage information from fuzzing. Contrary to what some reports may imply, we don’t think vulnerability counting is a good standalone metric for security, and more bugs discovered internally (653 bugs in 2014 vs. 380 bugs in 2013), means more bugs fixed, means safer software! Outside of engineering, inferno@ gave a talk at nullcon about Chrome fuzzing (slides) and we launched never-ending Pwnium with a rewards pool up to $∞ million!

Bugs still happen, so our Guts effort builds in multiple layers of defense. On Linux and Chrome OS, we did some work to improve the seccomp-BPF compiler and infrastructure. On modern kernels, we finally completed the switch from the setuid sandbox to a new design using unprivileged namespaces. We’re also working on a generic, re-usable sandbox API on Linux, which we hope can be useful to other Linux projects that want to employ sandboxing. On Android, we’ve been experimenting with single-threaded renderer execution, which can yield performance and security benefits for Chrome. We’ve also been involved with the ambitious Mojo effort. On OSX, we shipped crashpad (which was a necessary project to investigate those sometimes-security-relevant crashes!). Finally, on Windows, the support to block Win32k system calls from renderers on Windows 8 and above is now enabled on Stable - and renderers on these systems are also running within App Containers on Chrome Beta, which blocks their access to the network. We also ensured all Chrome allocations are safe - and use less memory (!) - by moving to the Windows heap.

On our Site Isolation project, we’ve made progress on the underlying architecture so that complex pages are correct and stable (e.g. rendering any combination of iframes, evaluating renderer-side security checks, sending postMessage between subframes, keeping script references alive). Great progress has also been made on session history, DevTools, and test/performance infrastructure, and other teams have started updating their features for out-of-process iframes after our Site Isolation Summit.

Not all security problems can be solved in Chrome’s guts, so we work on making security more user-friendly too. In an effort to determine the causes of SSL errors, we’ve added a new checkbox on SSL warnings that allows users to send us invalid certificate chains for analysis. We’ve started looking at the data, and in the coming months we plan to introduce new warnings that provide specific troubleshooting steps for common causes of spurious warnings. We also recently launched the new permissions bubble UI, which solves some of the problems we had with permissions infobars (like better coalescing of multiple permission requests). And for our Android users, we recently revamped PageInfo and Site Settings, making it easier than ever for people to manage their permissions. Desktop updates to PageInfo and Site Settings are in progress, too. Finally, we just launched a new extension, Chrome User Experience Surveys, which asks people for in-the-moment feedback after they use certain Chrome features. If you’re interested in helping improve Chrome, you should try it out!

Beyond the browser, our web platform efforts foster cross-vendor cooperation on developer-facing security features. We're working hard with the good folks in the W3C's WebAppSec working group to make progress on a number of specifications: CSP 2 and Mixed Content have been published as Candidate Recommendations, Subresource Integrity is implemented behind a flag and the spec is coming together nicely, and we've fixed a number of Referrer Policy issues. First-Party-Only Cookies are just about ready to go, and Origin Cookies are on deck.

We see migration to HTTPS as foundational to any security whatsoever (and we're not the only ones), so we're actively working to define the properties of secure contexts, deprecate powerful features on insecure origins, and to make it simpler for developers to Upgrade Insecure Requests on existing sites.

For more thrilling security updates and feisty rants, subscribe to security-dev@chromium.org.

Happy Hacking,

Parisa, on behalf of Chrome Security

P.S. Go here to travel back in time and view previous Chrome security quarterly updates.

Q4 2014

Hello from the Chrome Security Team!

For those that don’t know us already, we do stuff to help make Chrome the most secure platform to browse the Internet. Here’s a recap of some work from last quarter:

The Bugs-- effort aims to find (and exterminate) security bugs. Last quarter, we incorporated more coverage data into our ClusterFuzz dashboard, especially for Android. With this, we hope to optimize our test cases and improve fuzzing efficiency. We also incorporated 5 new fuzzers from the external research community as part of the fuzzer reward program. This has resulted in 33 new security vulnerabilities. Finally, we wrote a multi-threaded test case minimizer from scratch based on delta debugging (a long-standing request from blink devs!) which produces clean, small, reproducible test cases. In reward program news, we've paid over $1.6 million for externally reported Chrome bugs since 2010 ($4 million total across Google). In 2014, over 50% of reward program bugs were found and fixed before they hit the stable channel, protecting our main user population. Oh, and in case you didn’t notice, the rewards we’re paying out for vulnerabilities went up again.

Bugs still happen, so our Guts effort builds in multiple layers of defense. We’re most excited about progress toward a tighter sandbox for Chrome on Android (via seccomp-bpf), which required landing seccomp-bpf support in Android and enabling TSYNC on all Chrome OS and Nexus kernels. We’ve continued to improve our Linux / Chrome OS sandboxing by (1) adding full cross-process interaction restrictions at the BPF sandbox level, (2) making API improvements and some code refactoring of //sandbox/linux, and (3) implementing a more powerful policy system for the GPU sandbox.

After ~2 years of work on Site Isolation, we’re happy to announce that out-of-process iframes are working well enough that some Chrome features have started updating to support them! These include autofill (done), accessibility (nearly done), <webview> (prototyping), devtools, and extensions. We know how complex a rollout this will be, and we’re ready with testing infrastructure and FYI bots. As we announced at our recent Site Isolation Summit (video, slides), our goal for Q1 is to finish up OOPIF support with the help of all of Chrome.

Not all security problems can be solved in Chrome’s Guts, so we work on making security more user-friendly too. For the past few months, we’ve been looking deeper into the causes of SSL errors by looking at UMA stats and monitoring user help forums. One source of SSL errors is system clocks with the wrong time, so we landed a more informative error message in Chrome 40 to let users know they need to fix their clock. We’ve also started working on a warning interstitial for captive portals to distinguish those SSL errors from the rest. Finally, we proposed a plan for browsers to migrate their user interface from marking insecure origins (i.e. HTTP) as explicitly insecure; the initial discussion and external attention has been generally positive.

Over the past few years, we’ve worked on a bunch of isolated projects to push security on the Open Web Platform forward and make it possible for developers to write more secure apps. We recognized we can move faster if we get some of the team fully dedicated to this work, so we formed a new group that will focus on web platform efforts.

As usual, for more thrilling security updates and feisty rants, subscribe to security-dev@chromium.org.

To a safer web in 2015!

Parisa, on behalf of Chrome Security