Google Chrome adds V8 sandbox

08 April 2024 | Pressroom | Software security / cyber security

Chrome V8 sandbox

Google has announced support for what it calls the V8 Sandbox in the Chrome web browser, an attempt to contain memory corruption issues.

The sandbox, according to Samuel Groß, technical lead at V8 Security, aims to prevent “memory corruption in V8 from spreading within the host process.”

The search giant described V8 Sandbox as a lightweight, in-process sandbox for the JavaScript and WebAssembly engine designed to mitigate common V8 vulnerabilities.

The idea is to limit the impact of V8 vulnerabilities by limiting the code executed by V8 to a subset of the process’s virtual address space (“the sandbox”) and isolating it from the rest of the process.


Flaws affecting V8 accounted for a significant portion of the zero-day vulnerabilities Google dealt with between 2021 and 2023, with as many as 16 security flaws discovered in that period.

“The sandbox assumes that an attacker can arbitrarily and concurrently modify any memory within the sandbox address space as this primitive can be built from typical V8 vulnerabilities,” the Chromium team said.

“Furthermore, it is assumed that an attacker is able to read memory outside the sandbox, for example, through hardware side channels. The sandbox then aims to protect the rest of the process from such an attacker. Therefore, any corruption of memory outside the sandbox address space is considered a sandbox violation.”

Groß highlighted why V8 vulnerabilities are hard to address by switching to a memory-safe language like Rust or to hardware memory safety approaches such as memory tagging: they stem from “subtle logical problems” that can be exploited to corrupt memory, unlike classic memory safety bugs such as use-after-frees and out-of-bounds accesses.


“Almost all vulnerabilities found and exploited today in V8 have one thing in common: any memory corruption necessarily occurs within the V8 heap because the compiler and runtime operate (almost) exclusively on V8 HeapObject instances,” Groß said.

Because these issues cannot be prevented by the techniques used for typical memory corruption vulnerabilities, the V8 Sandbox is designed to isolate V8’s heap memory so that, if memory corruption does occur, it cannot escape the sandbox boundary into other parts of the process’s memory.

This is achieved by replacing all data types that can access memory outside the sandbox with “sandbox-aware” alternatives, thus effectively preventing an attacker from accessing other memory. The sandbox can be enabled by setting “v8_enable_sandbox” to true in the gn arguments.
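As an added illustration of what “sandbox-aware” replacements mean in practice (this is a constructed model, not V8’s own code): references to in-sandbox memory become offsets that are masked to the sandbox size, so any value written into them still resolves inside the sandbox, while references to memory outside the sandbox go through a table that lives outside the sandbox and is bounds- and type-checked on every use. The 1 MiB size and all names are assumptions for the demo.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
/* Illustrative model of the V8 Sandbox pointer design, not V8's own code.
 * V8 reserves 1 TiB of address space; this demo uses 1 MiB so it runs anywhere. */
#define SANDBOX_SIZE ((uint64_t)1 << 20)
#define SANDBOX_MASK (SANDBOX_SIZE - 1)
static uint8_t *sandbox_base;            /* start of the in-sandbox heap */

bool sb_init(void) {
    sandbox_base = calloc(SANDBOX_SIZE, 1);
    return sandbox_base != NULL;
}

/* A sandboxed pointer is an offset from sandbox_base, never a raw address.
 * Whatever value is written into it, the masked result still lands inside the
 * sandbox, so in-sandbox corruption cannot reach the rest of the process. */
typedef uint64_t sandboxed_ptr_t;

uint8_t *sb_resolve(sandboxed_ptr_t p) {
    return sandbox_base + (p & SANDBOX_MASK);
}

bool sb_in_sandbox(const uint8_t *addr) {
    return addr >= sandbox_base && addr < sandbox_base + SANDBOX_SIZE;
}

/* Pointers to memory outside the sandbox (e.g. a native buffer) live in a table
 * that is itself outside the sandbox; in-sandbox objects hold only a handle
 * (index + type tag) that is bounds- and type-checked before use. */
#define EPT_CAPACITY 16
typedef struct { void *ptr; uint16_t tag; } ept_entry_t;   /* tag 0 = free slot */
static ept_entry_t external_table[EPT_CAPACITY];
uint32_t ept_store(void *ptr, uint16_t tag) {
    for (uint32_t i = 0; i < EPT_CAPACITY && tag != 0; i++) {
        if (external_table[i].tag == 0) {
            external_table[i].ptr = ptr;
            external_table[i].tag = tag;
            return (i << 16) | tag;            /* handle kept inside the sandbox */
        }
    }
    return UINT32_MAX;                          /* table full or invalid tag */
}

void *ept_load(uint32_t handle, uint16_t expected_tag) {
    uint32_t index = handle >> 16;
    if (index >= EPT_CAPACITY) return NULL;                      /* bounds check */
    if (external_table[index].tag != expected_tag) return NULL;  /* type check */
    return external_table[index].ptr;
}
```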

Speedometer and JetStream benchmark results show that the security feature adds approximately 1% overhead on typical workloads, allowing it to be enabled by default starting from Chrome version 123 on Android, ChromeOS, Linux, macOS and Windows.

“The V8 Sandbox requires a 64-bit system because it needs to reserve a large amount of virtual address space, currently one terabyte,” Groß said.


“The sandbox is motivated by the fact that current memory safety technologies are largely inapplicable for JavaScript engine optimization. While these technologies fail to prevent memory corruption in V8 itself, they can in fact protect the attack surface of the V8 sandbox. The sandbox is therefore a necessary step towards memory safety.”

The development comes as Google highlighted the role of Kernel Address Sanitizer (KASan) in detecting memory bugs in native code and helping strengthen the security of Android firmware, adding that it used the compiler-based tool to uncover more than 40 bugs.

“Using KASan-enabled builds during testing and/or fuzzing can help spot memory corruption vulnerabilities and stability issues before they hit user devices,” said Eugene Rodionov and Ivan Lozano of the Android team.
