Memory management has been a critical and severe problem for a long time. The Chromium Security team published 912 highly critical, severe bugs going back to 2015. The results state that around 70% of these bugs are memory management and safety problems that give attackers access to Chrome’s private components.
According to ZDNet, Microsoft put forward the same results for Windows. Google says that since March 2019, 125 out of 130 vulnerabilities were memory corruption-related issues, concluding that although these companies have tried to advance their systems, memory management remains a major issue.
Both companies, Microsoft and Google, are pointing towards C and C++ as the source of these bugs and some other problems. They have declared these two languages, which are predominant in their code bases, to be “unsafe” languages. This is because these programming languages do not warn their users about a problem or stop them from introducing it, which results in faulty code, including bugs.
The Use of Sandboxing
The Chromium security team suggests that this problem has been, and can be, dealt with through the application of sandboxing. Chromium's security architecture is built to help detect bugs and to sandbox code so that it cannot gain control over the host machine.
Nevertheless, the team adds that they are reaching the limits of sandboxing and are looking for alternative strategies to tackle the issue of memory management.
Alternative Approaches to Sandboxing
Development of C++ Libraries
One technique to deal with this problem is to use C++ libraries, since they are less permissive of memory management bugs.
Google is said to be working on developing C++ libraries to work with Chrome’s codebase; these libraries are said to have good protection against bugs.
Switching Languages
Another possible approach is to use a programming language that is simpler and better adapted to memory management.
Rust, developed by Mozilla and used in Firefox, was specifically designed to address the memory management issue. It is reported that Microsoft has been trialing Rust to create its own memory-safe programming language; this experiment is known as Project Verona.
Google says that in the future it also plans to use safe languages such as Rust, Swift, JavaScript, Kotlin, and Java. But for the moment, since all the other browsers are built on Chromium, Firefox is the only web browser free from memory management bugs. It is the only browser that has so far made enough progress by sponsoring, promoting and adopting Rust, whereas the others are still trying to fix the problems in C and C++.
The MITRE Corporation, the organization managing the US government database, reported that buffer overflow was the most dangerous vulnerability, along with two other memory-related problems. Although, with time and the advancement of technology and engineering, developers are trying to seek out most security-related issues, memory management vulnerabilities remain the most difficult to find. Through these vulnerabilities, attackers find their way into the memory of the device, where they can execute code and exploit the user’s private data.