Education
Security is a core principle and shared responsibility for everyone contributing to Chromium. Here are some docs that can help an engineer get ramped up to Chrome-specific security best practices, pitfalls, or relevant background. Send your comments, questions, or additional security education needs to security-dev@chromium.org
- IPC Security Tips, a thrilling read about how to avoid introducing an IPC vulnerability and feature in the next Pwnium contest.
- Security tips for avoiding common vulnerabilities and abuse vectors when developing extensions and apps.
- Everything you wanted to know about TLS/SSL in Chrome
- If you are implementing a Chrome Extension/App API, read the security guidelines for Chrome Extension & App API developers.
- Do not implement your own allocator. Custom allocators are a major source of security vulnerabilities. Chrome's existing allocators (e.g. Tcmalloc, PartitionAlloc) are resilient to security issues. If you absolutely need to implement some form of custom allocator, make sure to get a thorough review from the security team.
- When manipulating buffers in trusted memory, do not implement your own code for handling integer overflows, truncations, or other integral boundary conditions. Instead use base/numerics templates which are already used in several parts of Chrome. The following references are also good resources on integer security issues:
  - CERT C++ Secure Coding Standard.
  - Mark Dowd, John McDonald, Justin Schuh, The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities.
  - Robert C. Seacord, Secure Coding in C and C++.
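
The integer pitfalls named in the last tip, shown as an added example that is not Chromium code. The scenario, `kHeaderSize` and the function names are constructed, and the GCC/Clang overflow builtins stand in for `base::CheckedNumeric` and `base::checked_cast` only so the snippet compiles outside the Chromium tree.

```cpp
#include <cstdint>
#include <cstdio>
#include <limits>

// Constructed scenario: an untrusted peer supplies `count`, and the receiver
// sizes a buffer as header + count * elem_size using 32-bit arithmetic.
constexpr uint32_t kHeaderSize = 16;  // hypothetical value

// Unchecked: unsigned arithmetic wraps silently, so a huge count yields a
// tiny allocation size and later writes run past the end of the buffer.
uint32_t UncheckedAllocSize(uint32_t count, uint32_t elem_size) {
  return kHeaderSize + count * elem_size;
}

// Checked: each step reports overflow instead of wrapping. In Chromium code
// base::CheckedNumeric does this; the builtins here are only a stand-in.
bool CheckedAllocSize(uint32_t count, uint32_t elem_size, uint32_t* out) {
  uint32_t bytes = 0;
  if (__builtin_mul_overflow(count, elem_size, &bytes)) return false;
  if (__builtin_add_overflow(bytes, kHeaderSize, &bytes)) return false;
  *out = bytes;
  return true;
}

// Truncation: narrowing a 64-bit length to 32 bits needs a range check
// first, which is what base::checked_cast enforces in Chromium code.
bool NarrowLength(uint64_t length, uint32_t* out) {
  if (length > std::numeric_limits<uint32_t>::max()) return false;
  *out = static_cast<uint32_t>(length);
  return true;
}

int main() {
  const uint32_t count = 0x40000000u;  // constructed hostile input
  uint32_t size = 0;
  std::printf("unchecked size: %u\n", UncheckedAllocSize(count, 4));
  std::printf("checked accepts: %d\n", CheckedAllocSize(count, 4, &size));
  std::printf("narrow accepts: %d\n", NarrowLength(0x100000010ULL, &size));
  return 0;
}
```

With the constructed input the unchecked path asks for 16 bytes for a billion 4-byte elements, while the checked path rejects the request before any allocation happens.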