Q4 2021 Summary from Chrome Security


Andrew R. Whalley

Mar 1, 2022, 11:23:48 PM
to Chromium-dev, Security-dev, ChromeSecurity, securit...@chromium.org, site-isol...@chromium.org, vrp-re...@chromium.org

Greetings,


As we enter the last month of the first quarter of 2022, here's a look back to what Chrome Security was doing in the last quarter of 2021.


Chrome is hiring for security positions! See g.co/chrome/hiring for more details.


For extension security, we are working on a telemetry framework that monitors suspicious extension activity and transmits associated signals to Safe Browsing, for users opted into sharing these data. The signals are analyzed server-side (both manual and automated analysis) to detect and mitigate extension abuse patterns.


We proposed a redesigned downloads experience for Chrome on desktop platforms that moves downloads into the toolbar. This would be a better overall user experience and also allow us to build advanced downloads features in the future. We plan to launch the MVP in Q1 2022.


In preparation for an HTTPS-first world, we conducted Stable experiments to determine the impact of changing the lock icon (which has been shown to be misleading to users) to a more security-neutral and obviously-clickable icon, with 1% stable results from Chrome 96. Results from this experiment were positive, indicating that the new icon increased engagement with the Page Info surface without regressing user activity or security metrics.


We’re running an experiment to expand Certificate Transparency (CT) enforcement to Chrome for Android, improving our ability to detect malicious certificates and unifying certificate validation across platforms. This experiment is rolling out in Chrome 98.


We launched support for Control Flow Guard on Windows, and continue to make good progress with network process sandboxing on multiple platforms. We’ve also been involved in the “unseasoned PDF” project, which removes NaCl as a dependency from PDFium.


We’re experimenting with Rust in Chrome, to give easier options to write safe code. These experiments aren’t yet switched on in shipping code, but they help us learn what it would take to do so. For example, we’ve landed a memory-safe JSON parser which can save the overhead of creating a utility process.


We continued our progress towards increased isolation between websites and networks on the one hand, and cross-site scripting mitigation on the other. For isolation, we've started a Private Network Access experiment to ensure that preflights aren't going to cause problems for subresource requests, shipped COEP: credentialless, and reworked our document.domain deprecation plans based on feedback from the ecosystem. For injection, we've solidified the design and implementation of the Sanitizer API (you can poke at it with this handy Playground!) in coordination with our friends at Mozilla, whose implementation is also proceeding apace.


The Security Architecture team was honored to receive an IEEE Cybersecurity Award for Practice for Site Isolation's impact on browser security! We continued work on full Site Isolation on some Android devices, extension and citadel enforcements, ORB, and SiteInstanceGroups. We also started designing Site Isolation for the <webview> tags used in Chrome Apps and WebUI pages. We updated code to support new plans for turning on Origin-Agent-Cluster by default, which could allow isolating origins instead of sites. For memory safety, we updated several unsafe uses of RenderFrameHost pointers and continued local work with Rust and C++ lifetime annotations.


The Chrome VRP just achieved some new records as we closed out 2021 with close to $3.3 million in total rewards to 115 Chrome VRP researchers for 333 valid unique reports of Chrome browser and Chrome OS security bugs. Of that total, just over $3M was rewarded for Chrome browser bugs and $250,500 for Chrome OS bugs, with $45,000 being the highest reward for an individual Chrome OS report and $27,000 for a Chrome browser report. $58,000 was rewarded for security issues discovered by fuzzers contributed by VRP researchers to the Chrome Fuzzer program, the highest reward being $16,000 for an individual fuzzer-based report. To show our appreciation for helping us keep Chrome safe in 2021, in collaboration with Google VRP, we sent end of year gifts to our Top 20 researchers of 2021 and also celebrated their achievements publicly on Twitter.


Cheers,


Andrew

