Security News > 2021 > February > Google looks at bypass in Chromium's ASLR security defense, throws hands up, won't patch garbage issue

In early November, a developer contributing to Google's open-source Chromium project reported a problem with Oilpan, the garbage collector for the browser's Blink rendering engine: it can be used to break a memory defense known as address space layout randomization.
About two weeks later, Google software security engineer Chris Palmer marked the bug "WontFix" because Google has resigned itself to the fact that ASLR can't be saved - Spectre and Spectre-like processor-level flaws can defeat it anyway, whether or not Oilpan can be exploited.
Garbage collection in the context of software refers to automatic memory management - the process of identifying data in memory that is no longer in use, and allowing that occupied memory to be reused for other things.
As a garbage collector, Oilpan performs this task by scanning memory for references to other data in memory.
The technique for doing so involves allocating an object - which is placed in memory at a location we don't know - putting an address to query into an area of memory called the stack, removing all references to the object, and triggering garbage collection.
An industry security professional who asked not to be identified told The Register that ASLR has been trivial to bypass for some time and anyone who writes exploits understands that.
News URL
https://go.theregister.com/feed/www.theregister.com/2021/02/26/chrome_aslr_bypass/
Related news
- Hackers Use CAPTCHA Trick on Webflow CDN PDFs to Bypass Security Scanners (source)
- Google Chrome's AI-powered security feature rolls out to everyone (source)
- Google's March 2025 Android Security Update Fixes Two Actively Exploited Vulnerabilities (source)
- Why The Modern Google Workspace Needs Unified Security (source)
- Google paid $12 million in bug bounties last year to security researchers (source)
- Patch Tuesday: Microsoft Fixes 57 Security Flaws – Including Active Zero-Days (source)
- Google Acquires Wiz for $32 Billion in Its Biggest Deal Ever to Boost Cloud Security (source)
- Google to purchase Wiz for $32 billion in cloud security play (source)
- Google fixes exploited Chrome sandbox bypass zero-day (CVE-2025-2783) (source)
- Zero-Day Alert: Google Releases Chrome Patch for Exploit Used in Russian Espionage Attacks (source)