Attackers often exploit buffer overflows, which occur when code attempts to access memory outside of its allocated bounds, to compromise programs and sensitive information. These vulnerabilities pose a significant and pressing risk to customer safety.
Primarily based on a comprehensive evaluation of recent data, spatial security vulnerabilities account for approximately 40% of in-the-wild memory security exploits over the past decade, highlighting the need for enhanced mitigation strategies.
The breakdown of reminiscence security CVEs by vulnerability class reveals a concerning trend: **[75%]** Memory Corruption (34/45), followed by **[15%]** Authentication Bypass (7/9) and **[10%]** Input Validation (4/5).
Google is taking a . A crucial aspect of our method involves leveraging memory-safe languages in newly written code. This approach yields a substantial decrease in memory-related security weaknesses, subsequently enhancing the overall safety profile of a software ecosystem, as evidenced by our findings.
As we embark on this transformative journey, we recognize that integrating new growth strategies and infrastructure will require a multi-year effort to ensure a seamless evolution. To ensure the security of our vast customer base, we are taking further steps by retroactively incorporating secure-by-design principles into our existing C++ codebase where feasible.
As part of our ongoing effort to incorporate robust spatial memory safety into all of our C++ codebases, including those that power Chrome and our core services.
To bolster the foundation of our C++ knowledge structures, we’ve initiated the use of hardened libc++, a feature that incorporates bounds checking, thereby eradicating a significant category of spatial security vulnerabilities. While C++ cannot become completely memory-safe, these advancements significantly reduce the risk, as outlined in further detail within our documentation, thereby yielding more reliable and secure software applications.
This submission describes the successful integration of hardened libc++ across our codebases, highlighting its positive impact on security, reliability, and maintainability by mitigating exploits, reducing crashes, and enhancing overall code quality.
To enhance spatial security in C++, we employ a key approach: implementing bounds checking for common data structures, starting by fortifying the standard C++ library – specifically, LLVM’s libc++. Recently integrated by open-source contributors, the framework incorporates a suite of security safeguards that proactively identify and mitigate risks akin to out-of-bounds memory access vulnerabilities commonly found in industrial automation.
Hardened libc++ ensures that each entry into a container’s components stays within its allocated bounds, preventing attempts to read or write beyond the legitimate memory space. Similarly, the robust libc++ implementation ensures that an input array is not empty before allowing access, thereby preventing unintended memory access.
This approach aligns with established practices prevalent in numerous popular programming languages such as Java, Python, Go, and Rust, mirroring the norms that have become widespread in their respective ecosystems. All incorporated implementations ensure proper bounds checking, acknowledging its crucial role in preventing memory-related errors. While C++ has traditionally stood out as an exception, initiatives like the hardened libc++ aim to plug this vulnerability in our technological framework. C++’s standard libraries offer related hardening capabilities across various implementations.
Building upon the successful deployment of hardened libc++ in 2022, we have now made it the default library throughout all our server-side manufacturing programs. Our enhanced spatial remembrance capabilities significantly strengthen the security of our services, encompassing essential performance-critical components such as Search, Gmail, Drive, YouTube, and Maps. While a minority of elements remain exempt, we are proactively addressing this issue and making progress in areas with lower exploitation risk.
Despite being built on Google’s trendy C++ codebase heavily utilizing libc++, the surprising lack of efficiency impact from these modifications remained evident.
Because each compiler’s ability to eliminate redundant checks during optimization enables streamlined performance, and the eco-friendly design of hardened libc++ fosters reliability. In rare instances where performance is paramount, explicit access to unchecked memory regions is permitted under stringent scrutiny to ensure the highest level of security. Despite employing advanced methods for increased efficiency, the burden of bounds checking remains remarkably low.
We continuously scrutinize the impact of these checks on efficiency, striving to eliminate unnecessary burdens. We successfully eliminated a redundant verification step, resulting in a 15% reduction in overhead (decreased from 0.35% to 0.3%) and enabling us to share the benefits with the broader C++ community by contributing to its advancement.
While the minimal overhead of hardened libc++ makes it suitable for individual uses, its deployment at Google’s scale necessitated a substantial allocation of computational resources. This significant investment solidifies our unwavering commitment to prioritizing the uncompromising security and unwavering safety of our products.
Enabling libc++ hardening proved to be a non-trivial undertaking. To implement seamlessly and minimize risk, the process necessitated a phased deployment strategy that deliberately avoided sudden changes or outages.
- Testing: We initially introduced hardened libc++ in our evaluations more than a year ago. This enabled us to identify and rectify numerous previously undetected errors in our code and evaluations.
- Baking: As we refined our hardened runtime through extensive testing and pre-production evaluation, we afforded developers sufficient opportunity to acclimate and address any emerging challenges or concerns. Additionally, we conducted thorough assessments of efficiency, ensuring that our actions had a negligible impact on our customers’ experience.
- Gradual Manufacturing Rollout: As we progressed, we deployed hardened libc++ to production in a phased manner, initially targeting a select group of providers before gradually expanding coverage to encompass our entire infrastructure. As we closely tracked the deployment’s progress, we swiftly responded to any issues that arose, including crashes and performance setbacks.
Since hardening libc++ was enabled by default, we’ve witnessed benefits within a few short months.
Stopping exploits:
The hardened libc++ has successfully prevented an insider attack on our purple workforce training program and also would have mitigated a previous incident that occurred before we implemented hardening, highlighting its efficacy in thwarting exploitation attempts. The comprehensive security audits have identified in excess of 1,000 vulnerabilities, effectively preventing a projected 1,000 to 2,000 new flaws from emerging annually, assuming the current rate of C++ development remains constant.
Improved reliability and correctness: The rigorous process of identifying and resolving issues uncovered by the robust libc++ library yielded a significant 30% reduction in our baseline rate of segmentation faults during production, substantiating enhanced code integrity and excellence. Past crashes, diligent checks had also uncovered errors that would have otherwise materialized as erratic behavior or data degradation.
Analyzing trends in segfault occurrences across our entire fleet before and after the implementation of a particular solution to identify potential correlations and insights?
Simpler debugging: With the introduction of hardened libc++, we were able to uncover and rectify numerous defects that had gone undetected in our codebase for over a decade, ultimately yielding significant improvements in software reliability. The checks rework numerous challenging-to-diagnose remittance corruption issues into swift and straightforwardly debuggable faults, thereby preserving developers a substantial amount of effort and time.
While libc++’s hardening features provide immediate benefits by introducing bounds checking to fundamental libraries, this represents only a single facet in the broader landscape of spatial security considerations.
We’re expanding bounds checking to various libraries, migrating our code to require all accesses to be thoroughly bounds-checked. To ensure robust spatial security, every fortified knowledge structure relies heavily on the collaboration of its designated controllers, alongside safeguarded data repositories.
By bolstering the security of our C++ compiler, we’re also focused on simplifying interoperability with languages that guarantee memory safety. Migrating our C++ codebase to use protected buffers significantly narrows the gap between the programming languages, thereby simplifying cross-language interoperability and potentially paving the way for a seamless .
Hardened libc++ proves a practical and resource-friendly method for bolstering the security, dependability, and testability of C++ applications with negligible performance impact. We urge organisations using C++ to enable the hardened mode of their commonplace libraries by default across all applications.
As we embark on a quest to secure our C++ codebase at Google, the first crucial step is to enable hardened libc++. Through enhanced bounds checking mechanisms and collaborative efforts within the C++ community, we aim to establish a future where robust spatial security becomes the standard.
Acknowledgements
We would like to express our gratitude to Emilia Kasper, Chandler Carruth, Duygu Isler, Matthew Riley, and Jeff VanderMeer for their valuable input. We expanded on our capabilities due to the collaboration with the libc++ community, enabling us to develop the hardening mode that rendered this feat achievable.
