A Tale of Two Pwnies (Part 1)
Just over two months ago, Chrome sponsored the Pwnium browser hacking competition. We had two fantastic submissions, and successfully blocked both exploits within 24 hours of their unveiling. Today, we’d like to offer an inside look into the exploit submitted by Pinkie Pie.
So, how does one get full remote code execution in Chrome? In the case of Pinkie Pie’s exploit, it took a chain of six different bugs in order to successfully break out of the Chrome sandbox.
Pinkie’s first bug (117620) used Chrome’s prerendering feature to load a Native Client module on a web page. Prerendering is a performance optimization that lets a site provide hints for Chrome to fetch and render a page before the user navigates to it, making page loads seem instantaneous. To avoid sound and other nuisances from preloaded pages, the prerenderer blocks plug-ins from running until the user chooses to navigate to the page. Pinkie discovered that navigating to a pre-rendered page would inadvertently run all plug-ins—even Native Client plug-ins, which are otherwise permitted only for installed extensions and apps.
Of course, getting a Native Client plug-in to execute doesn’t buy much, because the Native Client process’ sandbox is even more restrictive than Chrome’s sandbox for HTML content. What Native Client does provide, however, is a low-level interface to the GPU command buffers, which are used to communicate accelerated graphics operations to the GPU process. This allowed Pinkie to craft a special command buffer to exploit the following integer underflow bug (117656) in the GPU command decoding:
The issue here is that if size_of_buffer is smaller than sizeof(uint32), the result would be a huge value, which was then used as input to the following function:
This calculation then overflowed and made the result of this function zero, instead of a value at least equal to sizeof(uint32). Using this, Pinkie was able to write eight bytes of his choice past the end of his buffer. The buffer in this case is one of the GPU transfer buffers, which are mapped in both processes’ address spaces and used to transfer data between the Native Client and GPU processes. The Windows allocator places the buffers at relatively predictable locations, and the Native Client process can directly control their size as well as certain object allocation ordering. So, this afforded quite a bit of control over exactly where an overwrite would occur in the GPU process.
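The underflow-to-zero pattern described above, as an added example (constructed for this page, not Chromium's GPU decoder code; every name, such as `data_size_unchecked`, and the 4-byte header are hypothetical): the unchecked size computation beside a hardened version that rejects sizes too small to hold the header, plus a capacity check that shows why the wrapped zero slips past a bounds test.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed illustration of the integer underflow/overflow class
 * described above. Names and arithmetic are hypothetical; this is not
 * Chromium's GPU command decoder, only the same bug class with a
 * hardened variant alongside it. */

#define HEADER_BYTES ((uint32_t)sizeof(uint32_t))

/* Round a byte count up to the next multiple of four. For inputs within
 * three of UINT32_MAX the addition wraps and the result becomes zero. */
static uint32_t round_up_to_word(uint32_t n) {
    return (n + (HEADER_BYTES - 1)) & ~(HEADER_BYTES - 1);
}

/* Unchecked: bytes that follow a 4-byte header, rounded up. When
 * size_of_buffer is smaller than the header the subtraction wraps to a
 * huge value, and the round-up then wraps that huge value to zero. */
static uint32_t data_size_unchecked(uint32_t size_of_buffer) {
    uint32_t remaining = size_of_buffer - HEADER_BYTES; /* may underflow */
    return round_up_to_word(remaining);                 /* may wrap to 0 */
}

/* Hardened: refuse any size that cannot even hold the header. After that
 * check remaining <= UINT32_MAX - 4, so the round-up can no longer wrap. */
static bool data_size_checked(uint32_t size_of_buffer, uint32_t *out) {
    if (size_of_buffer < HEADER_BYTES) {
        return false;
    }
    *out = round_up_to_word(size_of_buffer - HEADER_BYTES);
    return true;
}

/* A capacity check of the kind that sits between a decoded size and a
 * memory write. The unchecked variant accepts size_of_buffer == 1 because
 * the computed size collapsed to 0, which is "within" any capacity. */
static bool fits_unchecked(uint32_t size_of_buffer, uint32_t capacity) {
    return data_size_unchecked(size_of_buffer) <= capacity;
}

static bool fits_checked(uint32_t size_of_buffer, uint32_t capacity) {
    uint32_t need;
    if (!data_size_checked(size_of_buffer, &need)) {
        return false;
    }
    return need <= capacity;
}

int main(void) {
    const uint32_t capacity = 16; /* constructed transfer-buffer size */
    const uint32_t samples[] = {0, 1, 3, 4, 5, 16, 20, 21};
    printf("%10s %12s %10s %10s\n", "size", "unchecked", "fits?", "checked?");
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        uint32_t s = samples[i];
        printf("%10u %12u %10s %10s\n", s, data_size_unchecked(s),
               fits_unchecked(s, capacity) ? "yes" : "no",
               fits_checked(s, capacity) ? "yes" : "no");
    }
    return 0;
}
```

Sizes 1 through 3 are the interesting rows: the unchecked path reports a data size of 0 and passes the capacity check, while the hardened path rejects them outright because the lower bound is tested before any subtraction happens.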
The next thing Pinkie needed was a target that met two criteria: it had to be positioned within range of his overwrite, and the first eight bytes needed to be something worth changing. For this, he used the GPU buckets, which are another IPC primitive exposed from the GPU process to the Native Client process. The buckets are implemented as a tree structure, with the first eight bytes containing pointers to other nodes in the tree. By overwriting the first eight bytes of a bucket, Pinkie was able to point it to a fake tree structure he created in one of his transfer buffers. Using that fake tree, Pinkie could read and write arbitrary addresses in the GPU process. Combined with some predictable addresses in Windows, this allowed him to build a ROP chain and execute arbitrary code inside the GPU process.
The GPU process is still sandboxed well below a normal user, but it’s not as strongly sandboxed as the Native Client process or the HTML renderer. It has some rights, such as the ability to enumerate and connect to the named pipes used by Chrome’s IPC layer. Normally this wouldn’t be an issue, but Pinkie found that there’s a brief window after Chrome spawns a new renderer where the GPU process could see the renderer’s IPC channel and connect to it first, allowing the GPU process to impersonate the renderer (bug 117627).
Even though Chrome’s renderers execute inside a stricter sandbox than the GPU process, there is a special class of renderers that have IPC interfaces with elevated permissions. These renderers are not supposed to be navigable by web content, and are used for things like extensions and settings pages. However, Pinkie found another bug (117417) that allowed an unprivileged renderer to trigger a navigation to one of these privileged renderers, and used it to launch the extension manager. So, all he had to do was jump on the extension manager’s IPC channel before it had a chance to connect.
Once he was impersonating the extensions manager, Pinkie used two more bugs to finally break out of the sandbox. The first bug (117715) allowed him to specify a load path for an extension from the extension manager’s renderer, something only the browser should be allowed to do. The second bug (117736) was a failure to prompt for confirmation prior to installing an unpacked NPAPI plug-in extension. With these two bugs Pinkie was able to install and run his own NPAPI plug-in that executed outside the sandbox at full user privilege.
So, that’s the long and impressive path Pinkie Pie took to crack Chrome. All the referenced bugs were fixed some time ago, but some are still restricted to ensure our users and Chromium embedders have a chance to update. However, we’ve included links so when we do make the bugs public, anyone can investigate in more detail.
In an upcoming post, we’ll explain the details of Sergey Glazunov’s exploit, which relied on roughly 10 distinct bugs. While these issues are already fixed in Chrome, some of them impact a much broader array of products from a range of companies. So, we won’t be posting that part until we’re comfortable that all affected products have had an adequate time to push fixes to their users.
Shaky Cameras, Chrome Bookmarks, and Invisible Skype Calls [From The Tips Box]
Readers offer their best tips for taking steady pictures on your smartphone's camera, quickly accessing Chrome Bookmarks from the Omnibar, and calling invisible users on Skype.
Add DuckDuckGo's Smart "Zero-Click Info" Results to Google Searches in Chrome
Chrome: Our favorite alternative search engine, DuckDuckGo, has a cool feature called "zero click info" that gives you Wikipedia articles, Yelp pages, and more at the top of relevant searches. Now, their Zero-Click Info Chrome extension will put those relevant links at the top of your Google search results, so you don't have to sift through results to find what you're looking for.
DuckDuckGo Zero-Click Info Adds Instant Answers to Google
Chrome: One of the best features in the search engine DuckDuckGo is the instant answers shown at the top of the results page. If you find yourself more attached to Google for web searches, but want the instant answer feature, DuckDuckGo Zero-Click Info is a Chrome extension that stuffs those results right in your Google searches.
Google Chrome Overtakes Internet Explorer as the Number One Browser
According to digital analytics site StatCounter, Google Chrome has passed Internet Explorer as the most popular web browser with 31.88% of the world's web traffic. Internet Explorer wasn't far behind, coming in at a close second with 31.47%.
Use Bing's Beautiful Backgrounds as Your Rotating Google Wallpaper
Chrome: Prefer Google's search but wish you had Bing's beautiful daily images? With the "Bing wallpaper for Google homepage" Chrome extension, you can set Bing's wallpaper to automatically load on your Google homepage. The extension offers different themes and loading settings.
Connect with Web Intents
Last year we proposed the Web Intents API to help web applications integrate with one another with minimal effort. We've now enabled an experimental version of the API in the most recent stable version of Chrome, to gather feedback from the web community and shape the future of the Web Intents API.
This prototype version of Web Intents makes it easier for developers to try out the API and experience its benefits first hand:
- Developers who build client apps will be able to easily include functionality from other web services (e.g., photo editing).
- Developers creating those services will no longer need to invest time and resources to negotiate and build hardcoded integrations - they can just focus on offering a great quality product with the integration facilitated by the API.
In addition, this implementation of Web Intents can help the design discussions in the W3C web intents open standards list. After all, it's impossible to build a complex API—especially one that requires an ecosystem of apps—without feedback from web developers using it in the wild.
We expect that Web Intents will evolve significantly, potentially in backwards-incompatible ways, as feedback from real world usage trickles in. Because of its experimental status, the current live version is prefixed and only allows applications to register as services in their Chrome Web Store app manifest.
Once the API is stable, we plan to remove this restriction.
To learn more on how to use the experimental Web Intents API check out the Web Developers' Guide to Web Intents in Chrome. If you choose to experiment with Web Intents, be sure to follow our discussion group, where we'll announce any impending breaking changes in Chrome's implementation.
Google Chrome Might Be Coming On iOS Soon
Macquarie Equities Research released a report stating that Google’s Chrome browser might be coming to iOS devices. The report does not state when it might arrive on Apple’s App Store; however, it says it could be as soon as Q2 of 2012, and if it doesn’t land on the App Store by then, it is definitely arriving by the end of this year.
As much as we would like to see the Chrome browser on iOS devices (iPhone, iPad, and iPod Touch), Apple doesn’t allow a third-party browser app to be set as the device’s default browser, which limits the usability of the app. For example, any links within emails or text messages will open in the default browser (Safari) on any iOS device.
Chrome on the desktop is a highly successful browser, with about 18.57% of browser market share, falling only slightly behind Mozilla Firefox. Google also recently released Chrome Beta for its own mobile operating system, Android. With the release of Chrome on iOS, Google might also be able to avoid the huge chunk of money it pays Apple for Google search in the Safari browser; with Chrome, Google would be able to keep all of the revenue it earns from search.
However, we do not think Chrome for iOS will make it big, for a simple reason: Apple does not allow third-party apps to be set as the default browser.
Chrome Likely Heading to iPhone and iPad
According to a note published by Macquarie Equities Research, Google is working on an iPhone and iPad version of its Chrome browser, slated for launch sometime this year.
Slow Chrome Extensions, Wall-Mounted Routers, and Saving Facebook Articles [Video]
Readers offer their best tips for speeding up Google Chrome, mounting your router on the wall,
Red Hat to debut OpenShift PaaS solutions for on-premise enterprise use soon
Red Hat today outlined how it will evolve its OpenShift Platform-as-a-Service to better focus on the needs of the enterprise.
First, the Linux giant said it expected to launch its fee-based version of OpenShift with support later this year.
The developer preview has been available since May of 2011. Last month, Red Hat announced an open source project — OpenShift Origin — to grow and evolve the core PaaS platform.
To date, the core focus has been on serving developers needs including the demand to quickly build and deploy applications in automated fashion. The next step, Red Hat said today, is to develop the platform to better serve enterprise needs.
As part of that, the Linux company will deliver a number of integrated solutions built on the company’s software stack beginning this summer that will allow customers to deploy PaaS on premise and deploy it on a variety of cloud and virtualization providers.
These include:
- a DevOps model for developers to deploy applications on OpenShift.com, another public PaaS, or a private PaaS with OpenShift on premise.
- an ITOps model that allows IT administrators and operations specialists to extend the PaaS to developers while also maintaining control of applications and infrastructure via Red Hat’s CloudForms offering.
Dell readies Ubuntu Linux laptop for developers
Dell has been on good terms with Linux vendors for ages. The Austin, Texas-based company was the first major original equipment manufacturer (OEM) to ship an Ubuntu Linux PC. Long before that, Dell was shipping Red Hat Enterprise Linux (RHEL) and SUSE Linux Enterprise Server (SLES) on its server lines. Now, Dell is renewing its Linux ties with a new Ubuntu Linux-based developer laptop.
Impulse for Chrome Is a Personal Shopping Cart and Wish List for Any Store
Chrome: If you do a lot of shopping online from a bunch of different stores, then you know it’s easy to lose track of an item now and again unless you hit the buy button right away. Impulse is a Chrome extension that allows you to drop any product image from any store into a personalized shopping cart.
Ubuntu 12.04 vs. Windows 8: Five points of comparison
2012 has already seen a major update of what’s arguably the most important Linux desktop, Ubuntu 12.04, and we’re also seeing the most radical update of Windows since Windows 95 replaced Windows 3.1, with Windows 8 Metro. So, which will end up the better for its change?
1. Desktop interface
Linus Torvalds likes the Google Chrome OS Linux desktop
Google's Linux-based Chrome OS Aura interface has a new friend: Linus Torvalds.
Linus Torvalds, Linux’s primary creator, hasn’t been happy with the direction his formerly favorite Linux desktop interface, GNOME, has gone. In fact, Torvalds downright hates GNOME 3.x. He’ll get no argument from me. I hate GNOME 3.x too. Recently though, Torvalds has started toying with Google’s new Chrome operating system’s Aura interface and, guess what, he kind of likes it.
Torvalds wrote, “And I haven’t really played around with it all that much, but as a desktop it really doesn’t look that bad. I could name worse desktops (cough cough).” That would be GNOME 3.x of course.
Torvalds continued, “It allows such radical notions as having easy mouse configurability for things like how to launch applications. Things gnome removed because those kinds of things were “too confusing”, and in the process made useless. And an auto-hide application dock at the bottom. Revolutionary, I know.”
Say hello to Google’s new, old Chrome OS (gallery)
He added, “It also seems to improve on the experience even in the non-laptop mode. Making the calendar start as a “window” instead of as a browser tab also means that when you use it in the single-use mode that we traditionally did, the app takes up the whole screen, without the browser buttons etc.”
“So the new Aura approach seems to work both as a traditional window manager and as a more limited “apps take up the whole screen”. Maybe this whole ‘browser as an app’ thing can really work,” Torvalds concluded.
In short, he found, as I have when I tested Chrome OS Aura, that Google has taken its hybrid Linux desktop/cloud-based operating system and given it a really useful retro desktop look. Personally, I’ll take this kind of desktop, or Linux Mint’s new take on the GNOME 2 interface, Cinnamon, over such new and improved desktop interfaces as GNOME 3.x or Windows 8 Metro any day of the week.
The current generation of Chromebooks though, which is where most people including Torvalds use Chrome OS, are another matter. Torvalds wrote, “The whole point of a laptop for me is that you can take it on the road and do your work. And that, to me, means “compile stuff and use git”. And no, “use ssh [Secure Shell] in a browser to compile on some other machine” does not count. The laptop is the only thing I have with me. So for it to count as a real laptop, I need to be able to do real work locally too. I like having lots of connected options, but they can’t be the only options.”
Of course you don’t need a Chromebook to run Chrome OS. You can run it on any PC. It’s just that it’s not packaged that way. In fact, I run Chrome OS in virtual machines all the time. Personally, though, my Samsung Series 5 Chromebook has become my grab and go laptop.
On the other hand, I just use Web applications like Gmail, Google Docs, and Google Voice on it. I don’t try to use git, never mind compile anything on it! For those uses, it would be great if, as it appears might be the case, the next generation of Chromebooks will be built on Intel’s Ivy Bridge chips.
In the meantime though, as Torvalds said in a comment, “I was pleasantly surprised by the new interface - it seems to be going very much in the right direction. Give it a few years (and better hardware), and I can really see it happening. As it is, it’s clearly useful for some people, judging by the comments here. It’s not there for me now. But the new interface is better even just for the limited use I put the thing to.”
Red Hat debuts OpenShift Origin project, takes swipe at VMware's Cloud Foundry
Following on the debut of its OpenShift Platform-as-a-Service (PaaS) a year ago, Red Hat has released all of the OpenShift components as part of the OpenShift Origin open source project.
The Origin project will serve as the upstream for code and improvements to OpenShift, Red Hat’s PaaS, which today runs on Amazon Web Services cloud and competes against VMware’s open source Cloud Foundry.
One Red Hat PaaS Evangelist defines a PaaS as an application platform with operating system and middleware included to run applications on the cloud. PaaS allows developers to quickly deploy and scale their applications on the cloud.
The Origin open source code made available today will allow developers to run OpenShift on a laptop, or on a server inside an intranet or in the datacenter, Red Hat notes. Origin will be accessible at GitHub.
Better code optimization decisions for V8
As of current dev and beta channel releases, V8 uses a new algorithm based on counters to decide which functions to optimize. This greatly increases performance for small JavaScript programs. For example, on the SunSpider benchmark, which focuses on extremely short-running tests, V8's speed improved by about 25%.
When executing JavaScript, V8 at first compiles it to machine code with a very fast compiler that doesn't optimize the code it produces. V8 has a second, optimizing compiler that generates much faster machine code, but takes much more time to do so, so it has to be used selectively. That's why V8 must try to predict which functions will benefit most from optimization, and carefully decide when to optimize them.
In the past, V8 stopped once every millisecond to look at currently running functions, and eventually optimized them. For long-running programs, this worked great, but short-running programs often finished before they could benefit much from the optimizing compiler -- a single millisecond can be a long time to wait before optimizing! In addition, V8 often made different optimization decisions each time a JavaScript program ran, sometimes overlooking small but performance-critical functions.
The new version of V8 makes earlier and more repeatable optimization decisions by analyzing the running program in more detail. It uses counters to keep track of how often JavaScript functions are called and loops are executed in a program, approximating the time spent inside each function. That way V8 is able to quickly gather fine-grained information about performance bottlenecks in a JavaScript program, and to make sure that the optimizing compiler's efforts are spent on those functions that deserve it most.
Purge Twitter Trends Banishes Celebrity Trends from Your Feed
Chrome: Twitter is a great source for news, articles, and a good way to stay in touch with friends, but if your friends are obsessed with some annoying celebrity that you have no desire to read about, Purge Twitter Trends is a Chrome extension that strips specific celebrity trending topics from your feed so you can read in peace without being forced to unfollow them.
Debugging Web Workers with Chrome Developer Tools
As with other multithreaded applications, debugging Web Workers can be a tricky task, and having good instruments makes the process much easier. Chrome Developer Tools provides full debugging support for scripts running in both dedicated and shared workers.
You can now use the powerful Scripts, Timeline, Profiles and Console panels to develop Web Workers:
All dedicated workers running in the inspected page are listed in the Scripts panel, under the Workers section. Clicking on a worker URL will open a new Developer Tools window attached to the worker. If you need to debug a dedicated worker’s initialization, there is also an option to pause workers on start. This will suspend the execution in all starting dedicated workers at the very first statement.
Shared workers are more independent than dedicated ones as they can be used concurrently by several pages. All running shared workers can be discovered through the chrome://inspect page. Each shared worker listed there has inspect and terminate links next to its URL. These links allow you to launch a Developer Tools window attached to that worker or terminate the worker respectively.
When you need to debug a shared worker’s initialization, it is enough to terminate the current instance of the worker, leave the Developer Tools window open, and reload one of the worker’s clients. The worker will restart and the Developer Tools window will automatically re-attach to the new instance.
To learn more about Developer Tools, check out our documentation or ask us a question on Google+ and our discussion group.