Google looks at bypass in Chromium's ASLR security defense, throws hands up, won't patch garbage issue
In early November, a developer contributing to Google's open-source Chromium project reported a problem with Oilpan, the garbage collector for the browser's Blink rendering engine: it can be used to break a memory defense known as address space layout randomization.
About two weeks later, Google software security engineer Chris Palmer marked the bug "WontFix" because Google has resigned itself to the fact that ASLR can't be saved - Spectre and Spectre-like processor-level flaws can defeat it anyway, whether or not Oilpan can be exploited.
Garbage collection in the context of software refers to automatic memory management - the process of identifying data in memory that is no longer in use, and allowing that occupied memory to be reused for other things.
As a garbage collector, Oilpan performs this task by scanning memory for references to other data in memory.
The bypass technique involves allocating an object, which is placed in memory at a location we don't know, putting an address to query into an area of memory called the stack, removing all references to the object, and triggering garbage collection.
An industry security professional who asked not to be identified told The Register that ASLR has been trivial to bypass for some time and anyone who writes exploits understands that.
News URL
https://go.theregister.com/feed/www.theregister.com/2021/02/26/chrome_aslr_bypass/