The Dev channel has been updated to 104.0.5083.0 for Windows, Mac and Linux.
A partial list of changes is available in the log. Interested in switching release channels? Find out how. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.
SrinivasSista
Memory safety in Chrome is an ever-ongoing effort to protect our users. We are constantly experimenting with different technologies to stay ahead of malicious actors. In this spirit, this post is about our journey of using heap scanning technologies to improve memory safety of C++.
Let’s start at the beginning though. Throughout the lifetime of an application its state is generally represented in memory. Temporal memory safety refers to the problem of guaranteeing that memory is always accessed with the most up to date information of its structure, its type. C++ unfortunately does not provide such guarantees. While there is appetite for different languages than C++ with stronger memory safety guarantees, large codebases such as Chromium will use C++ for the foreseeable future.
In the example above, foo is used after its memory has been returned to the underlying system. The out-of-date pointer is called a dangling pointer and any access through it results in a use-after-free (UAF) access. In the best case such errors result in well-defined crashes, in the worst case they cause subtle breakage that can be exploited by malicious actors.
UAFs are often hard to spot in larger codebases where ownership of objects is transferred between various components. The general problem is so widespread that to this date both industry and academia regularly come up with mitigation strategies. The examples are endless: C++ smart pointers of all kinds are used to better define and manage ownership on application level; static analysis in compilers is used to avoid compiling problematic code in the first place; where static analysis fails, dynamic tools such as C++ sanitizers can intercept accesses and catch problems on specific executions.
Chrome’s use of C++ is sadly no different here and the majority of high-severity security bugs are UAF issues. In order to catch issues before they reach production, all of the aforementioned techniques are used. In addition to regular tests, fuzzers ensure that there’s always new input to work with for dynamic tools. Chrome even goes further and employs a C++ garbage collector called Oilpan which deviates from regular C++ semantics but provides temporal memory safety where used. Where such deviation is unreasonable, a new kind of smart pointer called MiraclePtr was introduced recently to deterministically crash on accesses to dangling pointers when used. Oilpan, MiraclePtr, and smart-pointer-based solutions require significant adoptions of the application code.
Over the last years, another approach has seen some success: memory quarantine. The basic idea is to put explicitly freed memory into quarantine and only make it available when a certain safety condition is reached. In the Linux kernel a probabilistic approach was used where memory was eventually just recycled. A more elaborate approach uses heap scanning to avoid reusing memory that is still reachable from the application. This is similar to a garbage collected system in that it provides temporal memory safety by prohibiting reuse of memory that is still reachable. The rest of this article summarizes our journey of experimenting with quarantines and heap scanning in Chrome.
(At this point, one may ask where pointer authentication fits into this picture – keep on reading!)
The main idea behind assuring temporal safety with quarantining and heap scanning is to avoid reusing memory until it has been proven that there are no more (dangling) pointers referring to it. To avoid changing C++ user code or its semantics, the memory allocator providing new and delete is intercepted.
Upon invoking delete, the memory is actually put in a quarantine, where it is unavailable for being reused for subsequent new calls by the application. At some point a heap scan is triggered which scans the whole heap, much like a garbage collector, to find references to quarantined memory blocks. Blocks that have no incoming references from the regular application memory are transferred back to the allocator where they can be reused for subsequent allocations.
There are various hardening options which come with a performance cost:
Overwrite the quarantined memory with special values (e.g. zero);
Stop all application threads when the scan is running or scan the heap concurrently;
Intercept memory writes (e.g. by page protection) to catch pointer updates;
Scan memory word by word for possible pointers (conservative handling) or provide descriptors for objects (precise handling);
Segregation of application memory in safe and unsafe partitions to opt-out certain objects which are either performance sensitive or can be statically proven as being safe to skip;
Scan the execution stack in addition to just scanning heap memory;
We call the collection of different versions of these algorithms StarScan [stɑː skæn], or *Scan for short.
We apply *Scan to the unmanaged parts of the renderer process and use Speedometer2 to evaluate the performance impact.
We have experimented with different versions of *Scan. To minimize performance overhead as much as possible though, we evaluate a configuration that uses a separate thread to scan the heap and avoids clearing of quarantined memory eagerly on delete but rather clears quarantined memory when running *Scan. We opt in all memory allocated with new and don’t discriminate between allocation sites and types for simplicity in the first implementation.
Note that the proposed version of *Scan is not complete. Concretely, a malicious actor may exploit a race condition with the scanning thread by moving a dangling pointer from an unscanned to an already scanned memory region. Fixing this race condition requires keeping track of writes into blocks of already scanned memory, by e.g. using memory protection mechanisms to intercept those accesses, or stopping all application threads in safepoints from mutating the object graph altogether. Either way, solving this issue comes at a performance cost and exhibits an interesting performance and security trade-off. Note that this kind of attack is not generic and does not work for all UAF. Problems such as depicted in the introduction would not be prone to such attacks as the dangling pointer is not copied around.
Since the security benefits really depend on the granularity of such safepoints and we want to experiment with the fastest possible version, we disabled safepoints altogether.
Running our basic version on Speedometer2 regresses the total score by 8%. Bummer…
Where does all this overhead come from? Unsurprisingly, heap scanning is memory bound and quite expensive as the entire user memory must be walked and examined for references by the scanning thread.
To reduce the regression we implemented various optimizations that improve the raw scanning speed. Naturally, the fastest way to scan memory is to not scan it at all and so we partitioned the heap into two classes: memory that can contain pointers and memory that we can statically prove to not contain pointers, e.g. strings. We avoid scanning memory that cannot contain any pointers. Note that such memory is still part of the quarantine, it is just not scanned.
We extended this mechanism to also cover allocations that serve as backing memory for other allocators, e.g., zone memory that is managed by V8 for the optimizing JavaScript compiler. Such zones are always discarded at once (c.f. region-based memory management) and temporal safety is established through other means in V8.
On top, we applied several micro optimizations to speed up and eliminate computations: we use helper tables for pointer filtering; rely on SIMD for the memory-bound scanning loop; and minimize the number of fetches and lock-prefixed instructions.
We also improve upon the initial scheduling algorithm that just starts a heap scan when reaching a certain limit by adjusting how much time we spent in scanning compared to actually executing the application code (c.f. mutator utilization in garbage collection literature).
In the end, the algorithm is still memory bound and scanning remains a noticeably expensive procedure. The optimizations helped to reduce the Speedometer2 regression from 8% down to 2%.
While we improved raw scanning time, the fact that memory sits in a quarantine increases the overall working set of a process. To further quantify this overhead, we use a selected set of Chrome’s real-world browsing benchmarks to measure memory consumption. *Scan in the renderer process regresses memory consumption by about 12%. It’s this increase of the working set that leads to more memory being paged in which is noticeable on application fast paths.
MTE (Memory Tagging Extension) is a new extension on the ARM v8.5A architecture that helps with detecting errors in software memory use. These errors can be spatial errors (e.g. out-of-bounds accesses) or temporal errors (use-after-free). The extension works as follows. Every 16 bytes of memory are assigned a 4-bit tag. Pointers are also assigned a 4-bit tag. The allocator is responsible for returning a pointer with the same tag as the allocated memory. The load and store instructions verify that the pointer and memory tags match. In case the tags of the memory location and the pointer do not match a hardware exception is raised.
MTE doesn't offer a deterministic protection against use-after-free. Since the number of tag bits is finite there is a chance that the tag of the memory and the pointer match due to overflow. With 4 bits, only 16 reallocations are enough to have the tags match. A malicious actor may exploit the tag bit overflow to get a use-after-free by just waiting until the tag of a dangling pointer matches (again) the memory it is pointing to.
*Scan can be used to fix this problematic corner case. On each delete call the tag for the underlying memory block gets incremented by the MTE mechanism. Most of the time the block will be available for reallocation as the tag can be incremented within the 4-bit range. Stale pointers would refer to the old tag and thus reliably crash on dereference. Upon overflowing the tag, the object is then put into quarantine and processed by *Scan. Once the scan verifies that there are no more dangling pointers to this block of memory, it is returned back to the allocator. This reduces the number of scans and their accompanying cost by ~16x.
The following picture depicts this mechanism. The pointer to foo initially has a tag of 0x0E which allows it to be incremented once again for allocating bar. Upon invoking delete for bar the tag overflows and the memory is actually put into quarantine of *Scan.
We got our hands on some actual hardware supporting MTE and redid the experiments in the renderer process. The results are promising as the regression on Speedometer was within noise and we only regressed memory footprint by around 1% on Chrome’s real-world browsing stories.
Is this some actual free lunch? Turns out that MTE comes with some cost which has already been paid for. Specifically, PartitionAlloc, which is Chrome’s underlying allocator, already performs the tag management operations for all MTE-enabled devices by default. Also, for security reasons, memory should really be zeroed eagerly. To quantify these costs, we ran experiments on an early hardware prototype that supports MTE in several configurations:
MTE disabled and without zeroing memory;
MTE disabled but with zeroing memory;
MTE enabled without *Scan;
MTE enabled with *Scan;
(We are also aware that there’s synchronous and asynchronous MTE which also affects determinism and performance. For the sake of this experiment we kept using the asynchronous mode.)
The results show that MTE and memory zeroing come with some cost which is around 2% on Speedometer2. Note that neither PartitionAlloc, nor hardware has been optimized for these scenarios yet. The experiment also shows that adding *Scan on top of MTE comes without measurable cost.
C++ allows for writing high-performance applications but this comes at a price, security. Hardware memory tagging may fix some security pitfalls of C++, while still allowing high performance. We are looking forward to see a more broad adoption of hardware memory tagging in the future and suggest using *Scan on top of hardware memory tagging to fix temporary memory safety for C++. Both the used MTE hardware and the implementation of *Scan are prototypes and we expect that there is still room for performance optimizations.
Hi everyone! We've just released Chrome Dev 104 (104.0.5082.0) for Android. It's now available on Google Play.
You can see a partial list of the changes in the Git log. For details on new features, check out the Chromium blog, and for details on web platform updates, check here.
If you find a new issue, please let us know by filing a bug.
Erhu Akpobaro
Google Chrome
With the latest update to your Chromebook, we’re introducing a note-taking app, features that improve screen magnification and more. Whether you’re using your laptop for work or fun, these handy features will help you get things done your way.
Say goodbye to taking notes with pen and paper. Last year, we launched Cursive on select devices and now we’re excited to roll it out to all Chromebooks that work with a stylus.
The Cursive app makes it easy to capture, edit and organize handwritten notes on your Chromebook. Beyond just handwriting, you can also sketch out drawings, or paste images within your notes. And you can keep related content together by sorting notes into custom notebooks for different projects. When it's time to share your idea with others, you can quickly copy and paste it into another app or send a PDF.
If you write a sentence that fits better on a different part of the page, that’s not a problem – easily move it by circling the content on the page and dragging it to wherever you like. Didn’t quite perfect your drawing the first time? Erase it by scribbling over it with your stylus. And if you need to add more notes to the top of the page, just draw a horizontal line and drag your content down to free up more space. Try doing that with a pen and piece of paper!
In the coming months we’ll also introduce features for more personalization, like more easily changing the thickness, style and color of the stylus stroke.
Cursive will be preinstalled on all eligible Chromebooks – just tap the Everything Button and search for the app – or you can download it by going to cursive.apps.chrome and tap “install” in the toolbar. Check out this list of most stylus-enabled Chromebooks and see if you can try out Cursive.
The Cursive app makes taking and editing notes easy.
We zoomed in on your feedback and are rolling out magnification customization on Chromebooks. Currently, the docked magnifier feature creates a split screen: the bottom half is your standard screen, and the top half is the zoomed in version of your screen. This is especially helpful if you have a vision impairment and want to zoom in on just part of your screen.
With our new update, you can control the size of the magnified portion of the screen. You can make it larger if you want to see more zoomed in content, or smaller if you want to see more of the standard screen. You can adapt it to fit your preferences, or adjust based on the content you’re looking at.
Now you can resize the docked the magnifier so you can see just the part you want.
Recently, we also made updates to the panning experience. With continuous panning, when you move your cursor the rest of the screen will follow it. And if it’s more convenient, you can also use your keyboard to control panning by pressing ctrl + alt + arrow keys.
We’ve all been there before. You try to use a spare USB-C cable to connect a docking station or monitor to your laptop and it just doesn’t seem to work. But that doesn’t necessarily mean you have a faulty cable. Many USB-C cables look identical, but function differently.
Now you can get your extra monitor up and running with less headache. Eligible Chromebooks will notify you if the USB-C cable you're using won’t support displays, or isn’t performing ideally for your laptop. You’ll also get a notification if the cable you’re using doesn’t support the high performance USB4/Thunderbolt 3 standards that your Chromebook does.
To kick things off, this feature is available on Chromebooks with 11th or 12th generation Intel Core CPUs with USB4 or Thunderbolt capability, with more devices to come. You can learn more about the best cables to use with your device in the support center.
You’ll now get a notification if the USB-C cable you’re using doesn’t support your displays.
We hope you like using these new features as much as we do. We’ll be back soon with more updates.
Irene Jay Liu leads Google News Lab, part of the Google News Initiative, in the Asia Pacific region. An experienced political, investigative and data journalist, she was a 2017 finalist for the Pulitzer Prize in national reporting as part of the Reuters team that documented widespread cheating in U.S. college admissions.
Now, with News Lab, Irene promotes innovation and the use of technology in newsrooms. We talked to her about the dizzying pace of change in Asia, building a united front against misinformation and why journalists in the region are so willing to experiment.
What did you do before you came to Google?
My first full-time reporting job, in 2007, was eliminated by budget cuts before my first day. That was my introduction to the industry. Luckily, I landed a job in Albany, New York covering politics. It was a perfect introduction to modern reporting: I filed for the newspaper, ran the political blog, did radio bits for NPR and was an on-air reporter for the local PBS station.
Covering New York state politics for the Albany Times Union
In 2010, I moved to Hong Kong to work for the South China Morning Post. There was something about Asia, and Hong Kong in particular, that drew me to the region — we didn’t know how the story would end. The intervening 12 years have proved that out. History took a very different turn than anyone could have predicted. So it’s really been an education.
Later I moved to Reuters, where I led development of Connected China, an immersive data-driven app, and then worked as an investigative reporter on their enterprise team. So I’ve also had the luxury of being part of ambitious, innovative data projects.
What are some challenges journalists face in the Asia Pacific region?
Change is the only constant in Asia Pacific. We're seeing more and more pressure on journalists and the erosion of press freedom, not only in Asia, but globally. Despite this, there's a strong sense of mission and purpose — that the work needs to be done. What has always amazed me is how newsrooms here are willing to collaborate with Google — and each other — to problem-solve and innovate. There’s this agility that’s really inspiring.
What do you think fuels that willingness to experiment?
I think it’s that history is moving at such a fast clip here. Journalists in the field can see the connection between freedom of expression, freedom of the press and the stability of their democracies and societies, because they remember a time when things were very, very different. They’ve seen the threat of misinformation and how it can be a matter of life and death, especially in the pandemic.
So there’s this visceral need to make it work, a sense that “we don't have a choice, we have to figure it out as an industry.” Otherwise, the trajectory of history can change very quickly.
Can you give an example?
CekFakta in Indonesia launched ahead of the presidential election in 2019. It was really just a few journalists and folks from the nonprofit sector who came together and said, “We have an election coming, misinformation really affected thelast one. We need to take a stand.”
Because of their hard work, on top of everything else they're doing, they convinced 24 news organizations — top publications that are constantly competing — to work out of the same room, collaboratively fact-checking presidential debates, and again on election day, to counter misinformation as it appeared.
What are some other ways News Lab works with journalists in the region to address misinformation?
Misinformation is top of mind almost everywhere in the region, and journalists feel as if it’s their cross to bear.
One project we recently supported in the Philippines is #FactsFirstPH, a project to connect journalism with the rest of the society ahead of their national elections. A coalition of news organizations came together to collaborate on fact-checking, working in tandem with researchers who analyzed patterns of misinformation, and then partnering with civil society organizations to amplify those fact checks, and with the legal community to hold candidates accountable.
We're seeing more of this multi-sector collaboration. That's what’s encouraging: experimentation, collaboration and the embrace of technology to tackle these issues.
Are we better equipped to address misinformation than we were a few years ago?
There's greater awareness, but it hasn’t translated into institutions gaining trust. People are just more skeptical. That’s the challenge newsrooms face.
What’s interesting in Asia is that you have people coming online for the first time, so there’s an opportunity to develop awareness and resistance to misinformation from the start.
In India, we’ve piloted this approach through FactShala, which teaches news and information literacy to first-time internet users. Employing a curriculum designed from a baseline study of first-time internet users, Factshala partners with trusted sources — civil society organizations, nonprofits, community workers, educators, journalists — to get the word out in multiple languages.
Are you optimistic about the future of journalism?
I am. I miss being a reporter every day, and I’m constantly humbled and inspired by the journalists I have the privilege to work with here. Their ingenuity and tenacity, in the face of sometimes overwhelming adversity, is the reason I believe journalism will thrive.
And there's so much that we at Google can do to support this work. As long as we listen to the journalism community and respond to what they need, there's a lot we can achieve together.
Welcome to the latest edition of “My Path to Google,” where we talk to Googlers, interns, apprentices and alumni about how they got to Google, what they do in their roles and how they prepared for their interviews.
In celebration of Asian Pacific American Heritage Month, today’s post features Unni Nair, a senior research strategist on Google’s Responsible Innovation team. As a second-generation Indian American, Unni’s background has helped shape his passion for sustainability and responsible artificial intelligence (AI).
What’s your role at Google?
I’m a senior research strategist on the Responsible Innovation team. In this role, I use Google’s AI Principles to help our teams build products that are both helpful and socially responsible. More specifically, I’m passionate about how we can proactively incorporate responsible AI into emerging technologies to drive sustainable development priorities. For example, I’ve been working with the Google Earth Engine team to align their work with our AI Principles, which we spoke about in a workshop at Google I/O. I helped the team develop a data set — used by governments, companies and researchers — to efficiently display information related to conservation, biodiversity, agriculture and forest management efforts.
Can you tell us a bit about yourself?
I was born in Scranton, Pennsylvania, but I lived in many different parts of the U.S., and often traveled internationally, throughout my childhood. Looking back, I realize how fortunate I was to live in and learn from so many different communities at such a young age. As a child of Indian immigrants, I was exposed to diverse ways of life and various forms of inequity. These experiences gave me a unique perspective on the world, helping me see the potential in every human being and nurturing a sense of duty to uplift others. It took dabbling in fields from social work to philosophy, and making lots of mistakes along the way, to figure out how to turn this passion into impact.
In honor of Asian Pacific American Heritage Month, how else has your background influenced your work?
I’m grateful for having roots in the 5,000+ year-old Indian civilization and am constantly reminded of its value working in Silicon Valley. One notable example that’s influenced my professional life is the concept of Ahimsa — the ethical principle of not causing harm to other living things. While its historical definition has been more spiritually related, in modern day practice I’ve found it’s nurtured a respect for nature and a passion for sustainability and human rights in business. This contemporary interpretation of Ahimsa also encourages me to consider the far-reaching impacts — for better or for worse — that technology can have on people, the environment or society at large.
How did you ultimately end up at Google?
I was itching to work on more technology-driven solutions to global sustainability issues. I started to see that many of the world’s challenges are in part driven by macro forces like rapid globalization and technology growth. However, the sustainability field and development sector were slow to adapt from analog problem solving. I wanted to explore unconventional solutions like artificial intelligence, which is why I taught myself the Python programming language and learned more about AI. I started hearing about Google’s AI-first approach to help users and society, with an emphasis on the need to develop that technology responsibly. So I applied to the Responsible Innovation team for the chance to create helpful technology with social benefit in mind.
Any advice for aspiring Googlers?
Google is one of those rare places where the impact you’re making isn’t just on a narrow band of users — it’s on society at large. So, take the time to reflect on what sort of impact you want to make in the world. Knowing your answer to that question will allow you to weave your past experiences into a cohesive narrative during the interview process. And more importantly, it will also serve as your personal guide when making important decisions throughout your career.
I remember clearly the palpable sense of excitement at the Google for Startups Campus in London’s ‘Silicon Roundabout’ when I first visited in 2012. My first startup, back in Krakow Poland, had shut down after three years of solid early traction, and I moved to London in pursuit of bigger opportunities, a community and capital to fuel growth. The UK quickly became home, and my London Campus experience was so positive I ended up joining Google six years later.
As we celebrate the 10 year anniversary of Google for Startups UK, we’re taking a moment to celebrate the entrepreneurs and teams who have blazed a trail, and looking ahead to ensure we’re helping create the right conditions for future founders.
The industry has grown exponentially since Google for Startups UK launched 10 years ago – this year, we’ve already seen UK tech startups and scaleups cumulatively valued at more than $1 trillion (£794bn); up from $53.6 billion (£46bn), ten years ago.
One area of the UK tech startup community that has flourished in particular is impact tech - defined as . companies founded to help address global challenges like climate change and help transform health, education and financial inclusion. Our new report created in partnership with Tech Nation, A Decade of UK Tech, shows that funding for impact tech startups has soared. In fact, since 2011, funding for impact tech companies addressing UN Sustainable Development Goals has risen 43-fold from just $74 million (£59 million) to $3.5 billion (£2.8 billion).
Graph: Investment into impact tech scaleups (2011-2021)
Source: Tech Nation, Dealroom, 2022
Startups are helping to solve global challenges, like climate change, education, health, food and sanitation, with agility, innovation and determination. And at Google for Startups, we’re proud to be supporting these businesses along the way by connecting founders with the right people, products and practices to help them grow. Because their continued success is vital not just for the UK’s future, but that of the world.
Enduring market barriers and perceptions of high risk can slow private sector investment. But even such challenges create a multitude of new opportunities for tech startups to leverage the UK's position as a financial services powerhouse.
Google for Startups was launched in the UK with a mission to support a thriving, diverse and inclusive startup community. Here’s where we are a decade later:
Our work at Google for Startups is far from over. We’re committed to levelling the playing field for all founders, and closing the disproportionate gap in access to capital and support networks for underrepresented communities. For the impact tech sector to continue to grow and succeed, we must ensure funding is channeled towards the most innovative startups - no matter their valuation, funding stage or background.
Find out more at Google for Startups.
