Add two specific callouts for the rule-of-2:

- Protobuf is similarly trusted for deserializing messages at high privilege (though it should be avoided if possible). - Many Android system APIs are Java facades around C++ and are not considered memory safe. Change-Id: Ia70520fc8b319a639b03cb78f1a664b478902528 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2486113 Commit-Queue: Robert Sesek <rsesek@chromium.org> Reviewed-by: Chris Palmer <palmer@chromium.org> Cr-Commit-Position: refs/heads/master@{#818667}

Add two specific callouts for the rule-of-2:
- Protobuf is similarly trusted for deserializing messages at high privilege (though it should be avoided if possible). - Many Android system APIs are Java facades around C++ and are not considered memory safe. Change-Id: Ia70520fc8b319a639b03cb78f1a664b478902528 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2486113 Commit-Queue: Robert Sesek <rsesek@chromium.org> Reviewed-by: Chris Palmer <palmer@chromium.org> Cr-Commit-Position: refs/heads/master@{#818667}
16cedb5b · Robert Sesek · Commit Bot · 75a3c8f0 · 16cedb5b
Commit 16cedb5b authored Oct 19, 2020 by Robert Sesek Committed by Commit Bot Oct 19, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 16 additions and 0 deletions

docs/security/rule-of-2.md docs/security/rule-of-2.md +16 -0

No files found.
--- a/docs/security/rule-of-2.md
+++ b/docs/security/rule-of-2.md
@@ -219,6 +219,14 @@ Ultimately this process results in parsing significantly simpler grammars. (PNG
 > language and still have such high performance, that'd be ideal. But that's
 > unlikely to happen soon.)
+While less preferable to Mojo, we also similarly trust Protobuf for
+deserializing messages at high privilege from potentially untrustworthy senders.
+For example, Protobufs are sometimes embedded in Mojo IPC messages. It is
+always preferable to use a Mojo message where possible, though sometimes
+external constraints require the use of Protobuf. Note that this only applies to
+Protobuf as a container format; the data contained within a Protobuf must be
+handled according to this rule as well.
 ### Safe Languages
 Where possible, it's great to use a memory-safe language. Of the currently
@@ -238,6 +246,14 @@ formats can be a great approach. We do a similar thing with the pure-Java
 to 'vet' incoming JSON in a memory-safe way before passing the input to the C++
 JSON implementation.
+On Android, many system APIs that are exposed via Java are not actually
+implemented in a safe language, and are instead just facades around an unsafe
+implementation. A canonical example of this is the
+[BitmapFactory](https://developer.android.com/reference/android/graphics/BitmapFactory)
+class, which is a Java wrapper [around C++
+Skia](https://cs.android.com/android/platform/superproject/+/master:frameworks/base/libs/hwui/jni/BitmapFactory.cpp;l=586;drc=864d304156d1ef8985ee39c3c1858349b133b365).
+These APIs are therefore not considered memory-safe under the rule.
 ## Existing Code That Violates The Rule
 We still have a lot of code that violates this rule. For example, until very