Q3 Summary from Chrome Security

[Andrew R. Whalley]

Greetings,

Here's an update on what the teams in Chrome Security have been up to in the third quarter of 2020.

The Chrome Safe Browsing team continued the roll-out of Enhanced Safe Browsing by launching it on Android in Chrome 86, and releasing a video with background on the feature. We also launched deep scanning of suspicious downloads, initially for users of Google’s Advanced Protection program, which received positive coverage.

This quarter the Usable Security team vanquished a longtime foe: http:// subresources on https:// pages. Mixed content is either upgraded to https:// or blocked. We also built new warnings for mixed forms and continued rolling out mixed download blocking. These launches protect users’ privacy and security by decreasing plaintext content that attackers can spy on or manipulate.

In Chrome 86, we are beginning a gradual rollout of a new low-confidence warning for lookalike domains. We also expanded our existing lookalike interstitial.

Finally, we rolled out a 1% Chrome 86 experiment to explore how simplifying the URL in the address bar can improve security outcomes.

The Platform Security team continued to move forward on memory safety: With Rust currently not approved for use in Chromium, we must try to improve C++. Toward that end, the PDFium Oilpan and MiraclePtr/*Scan projects are moving forward quickly and ready to try in Q4 and Q1 2021.

In Sandboxing news, we made changes to Linux and our calling code to handle coming glibc changes, servicifying the Certificate Verifier (unblocking work to isolate the network service), and getting a better grip on Mojo. 

Bugs-- has started encouraging Chrome developers to submit vulnerability analysis after the bug is fixed (example). This guides our future work on eliminating common bug patterns. We cross-collaborated with fuzzing teams across Google to host 50 summer interns, with strong impact across Chrome and other critical open source software (see blog post). We have added automated regression testing of past fixed crashes for engine-based fuzzers (e.g. libFuzzer, AFL). We have made several changes to our underlying fuzzing and build infrastructures - UI improvements, Syzkaller support, OSS-Fuzz builder rewrite, etc. Lastly, we continue to push fuzzing research across the industry using our FuzzBench benchmarking platform and have led to improvements in AFL++, libFuzzer and Honggfuzz fuzzing engines.

The Open Web Platform security team continues to focus on two problems: injection attacks, and isolation primitives.

Regarding injection, we're polishing our Trusted Types implementation, supporting Google's security team with bug fixes as they continue to roll it out across Google properties. We're following that up with experimental work on a Sanitizer API that's making good progress, and some hardening work around policy inheritance to fix a class of bugs that have cropped up recently.

For isolation, we're continuing to focus on COOP deployment. We shipped COOP's report-only mode as an origin trial, and we're aiming to re-enable SharedArrayBuffers behind COOP+COEP in Chrome 88 after shipping some changes to the process model in Chrome 87 to enable `crossOriginIsolated`.

In Q3, Chrome's Security Architecture team has enabled CORS for extension content scripts in Chrome 85, moving to a more secure model against compromised renderers. We made further progress on opt-in origin isolation, and we took the first steps towards several improved process model abstractions for Chrome. MiraclePtr work is progressing towards experiments, and we wrapped up the test infrastructure improvements from last quarter.

The CA/Browser Forum guidelines got big updates, with ballots to overhaul the guidelines to better match browser requirements, including certificate lifetimes, and long overdue cleanups and clarifications. One good revamp deserves another, and the Chrome Root Certificate Policy got a big facelift, as part of transitioning to a Chrome Root Store.

CT Days 2020 was held in September, including the big announcement that Chrome was working to remove the One Google Log requirement by implementing SCT auditing.

This summer, we also hosted an intern who worked on structure-aware ASN.1 fuzzing, and began integration with BoringSSL.

Cheers,

Andrew, on behalf of the Chrome security team