Man
Professional
- Messages
- 3,087
- Reaction score
- 627
- Points
- 113
Spatial code security is becoming a reality for complex systems.
Google is actively improving the security of C++ code by fixing vulnerabilities related to spatial memory security. Such vulnerabilities occur when code accesses data outside of allocated memory, which attackers can exploit to compromise systems and steal data.
According to Google's Project Zero, spatial vulnerabilities account for 40% of all exploits found "in the wild" over the past 10 years. To improve the security of its products, Google is implementing secure programming practices and the use of memory-protected languages for new code. However, given the sheer volume of C++ code already in place, it will take years for the company to make the full transition.
To address these problems, Google began modifying its C++ code using the improved libc++ library. This update includes data boundary validation in standard structures such as std::vector and std:
ptional, preventing out-of-bounds and access to uninitialized data.
The security check was originally introduced in the Chrome browser in 2022, and now its implementation has been expanded to Google's server systems. This covers the company's key services, including Search, Mail, Maps, and YouTube. While a small number of critical components temporarily remain outside the new system, Google is already working a complete transition.
Despite expectations of significant performance delays, the boundary check caused only a 0.3% slowdown in Google services. Thanks to compiler optimization and the use of profiling techniques, such a low rate has little to no impact on the user experience.
The transition to a secure version of libc++ was carried out in three stages: testing, adaptation, and gradual launch on real systems. As a result, more than a thousand bugs were identified and fixed, which reduced the number of failures by 30%. In addition, the scan helped prevent several insider attacks and accelerated the diagnosis of outdated errors in the code.
In the future, Google plans to expand the checks to other libraries and switch to using Safe Buffers to further improve security. This will make it easier to interact with languages that natively support memory protection and speed up automated code translation.
Source
Google is actively improving the security of C++ code by fixing vulnerabilities related to spatial memory security. Such vulnerabilities occur when code accesses data outside of allocated memory, which attackers can exploit to compromise systems and steal data.
According to Google's Project Zero, spatial vulnerabilities account for 40% of all exploits found "in the wild" over the past 10 years. To improve the security of its products, Google is implementing secure programming practices and the use of memory-protected languages for new code. However, given the sheer volume of C++ code already in place, it will take years for the company to make the full transition.
To address these problems, Google began modifying its C++ code using the improved libc++ library. This update includes data boundary validation in standard structures such as std::vector and std:
ptional, preventing out-of-bounds and access to uninitialized data.The security check was originally introduced in the Chrome browser in 2022, and now its implementation has been expanded to Google's server systems. This covers the company's key services, including Search, Mail, Maps, and YouTube. While a small number of critical components temporarily remain outside the new system, Google is already working a complete transition.
Despite expectations of significant performance delays, the boundary check caused only a 0.3% slowdown in Google services. Thanks to compiler optimization and the use of profiling techniques, such a low rate has little to no impact on the user experience.
The transition to a secure version of libc++ was carried out in three stages: testing, adaptation, and gradual launch on real systems. As a result, more than a thousand bugs were identified and fixed, which reduced the number of failures by 30%. In addition, the scan helped prevent several insider attacks and accelerated the diagnosis of outdated errors in the code.
In the future, Google plans to expand the checks to other libraries and switch to using Safe Buffers to further improve security. This will make it easier to interact with languages that natively support memory protection and speed up automated code translation.
Source
