Google looks at bypass in Chromium\'s ASLR security defense, throws hands up, won\'t patch garbage issue

[chain]

In early November, a developer contributing to Google's open-source Chromium project reported a problem with Oilpan, the garbage collector for the browser's Blink rendering engine: it can be used to break a memory defense known as address space layout randomization (ASLR).

About two weeks later, Google software security engineer Chris Palmer marked the bug "WontFix" because Google has resigned itself to the fact that ASLR can't be saved – Spectre and Spectre-like processor-level flaws can defeat it anyway, whether or not Oilpan can be exploited.

Or as Palmer put it, "we already have to plan for a world in which ASLR is bypassable."

On Wednesday, Chromium's bug tracking bot lifted the curtain on the previously private discussion and made it publicly accessible.

Security researchers have been warning about the shortcomings of ASLR for years. The defense mechanism works by placing parts of software in randomly selected regions of the code's memory address space, and these positions change every time the software is started. This makes life hard for those writing malware that exploits vulnerabilities in applications and operating systems: the miscreants can't be sure where components needed to attack the code are located in memory, and their exploits will fail to work.

But, as we said, ASLR is not bombproof. It simply increases the barrier miscreants have to jump over before they can hack a victim's system. In a 2017 paper, Vrije Universiteit Amsterdam researchers wrote, "ASLR is fundamentally flawed in sandboxed environments such as JavaScript and future defenses should not rely on randomized virtual addresses as a building block."