    Google Chrome adds V8 sandbox

By techempire

April 8, 2024, Editorial Department, Software Security/Network Security


Google has announced support for a so-called V8 sandbox in the Chrome web browser, designed to contain memory corruption in the V8 JavaScript engine.

    Samuel Groß, V8’s technical lead for security, said the sandbox is designed to prevent “memory corruption in V8 from propagating within the host process.”

The search giant describes the V8 Sandbox as a lightweight in-process sandbox for the JavaScript and WebAssembly engines, designed to mitigate common V8 vulnerabilities.

    The idea is to limit the impact of V8 vulnerabilities by restricting the code executed by V8 to a subset of the process’s virtual address space (“sandbox”) and isolating it from the rest of the process.


Flaws in V8 accounted for a large share of the zero-day vulnerabilities Google addressed between 2021 and 2023, with as many as 16 such vulnerabilities found in that period.

    “The sandbox assumes that an attacker can modify any memory within the sandbox address space simultaneously, as this primitive can be built from typical V8 vulnerabilities,” the Chromium team said.

“Furthermore, it is assumed that an attacker is able to read memory outside the sandbox, for example via a hardware side channel. The sandbox is then designed to protect the rest of the process from such an attacker. Therefore, any corruption of memory outside the sandbox address space is considered a sandbox violation.”

Groß noted that V8 vulnerabilities cannot be addressed simply by switching to a memory-safe language like Rust or to a hardware memory-safety mechanism such as memory tagging, because they are typically “subtle logic issues” that an attacker can exploit to corrupt memory, unlike classic memory-safety bugs (use-after-free, out-of-bounds access, and so on).


“Almost all vulnerabilities discovered and exploited in V8 today have one thing in common: the final memory corruption must occur within the V8 heap, because the compiler and runtime run (almost) exclusively on V8 HeapObject instances,” Groß said.

Because these issues cannot be mitigated by the same techniques used for typical memory corruption vulnerabilities, the V8 sandbox isolates V8’s heap memory so that if memory corruption does occur, it is confined to the sandbox and cannot reach the rest of the process’s memory.

This is accomplished by replacing all data types that can access memory outside the sandbox with “sandbox-compatible” alternatives, so that an attacker who controls the sandbox contents still cannot reach other memory. The sandbox can be enabled by setting “v8_enable_sandbox” to true in the GN build arguments.
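The two replacements this article refers to, offsets in place of raw pointers to in-sandbox memory and table handles in place of raw pointers to out-of-sandbox memory, shown as an added C example. This is not V8's code: a 1 MiB calloc'd region stands in for the 1 TB reservation, the external pointer table is a fixed 64-entry array, and the struct layout, type tags and function names are invented for illustration. The simulate function plays the attacker from the quoted threat model, overwriting an object's pointer fields with arbitrary values, and checks that every decoded address still lands inside the region and that a corrupted handle cannot yield a pointer of a different type.

```c
/* Added example, not V8 code: a toy model of sandboxed pointers and an
 * external pointer table (EPT).  A 1 MiB heap stands in for V8's 1 TB
 * reservation; tags, layouts and names are assumptions for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define SANDBOX_SIZE (1u << 20)  /* power of two so an offset can be masked */
#define EPT_CAPACITY 64u         /* power of two for the same reason */

/* Sandboxed pointer: an offset from the sandbox base, never a raw address.
 * Whatever value an attacker writes here decodes to an address inside the region. */
typedef uint32_t sandboxed_ptr_t;

/* External pointer handle: an index into a table that lives outside the sandbox.
 * Corrupting it can only select another table entry, never an arbitrary address. */
typedef uint32_t external_handle_t;

/* A V8-style heap object holding one reference of each kind. */
struct sandboxed_object {
    sandboxed_ptr_t   next;     /* reference to another in-sandbox object */
    external_handle_t backing;  /* reference to out-of-sandbox memory */
    uint32_t          payload;
};

/* Type tags for EPT entries; a lookup with the wrong tag fails. (Assumed values.) */
enum { TAG_ARRAY_BUFFER = 0xA1, TAG_CODE_ENTRY = 0xC0 };

static uint8_t *sandbox_base;  /* the reserved in-process region */
static size_t   sandbox_bump;  /* bump-allocator cursor */

struct ept_entry { void *ptr; uint64_t tag; };
static struct ept_entry ept[EPT_CAPACITY];  /* outside the sandbox */
static uint32_t ept_next = 1;               /* slot 0 stays empty as the null handle */

/* Two constructed out-of-sandbox buffers that EPT entries will point at. */
char demo_external_buffer[64];
static char demo_code_stub[16];

static int ensure_sandbox(void) {
    if (sandbox_base) return 0;
    sandbox_base = calloc(SANDBOX_SIZE, 1);
    return sandbox_base ? 0 : -1;
}

/* Allocate inside the sandbox. The raw pointer is only ever held by the
 * trusted runtime; heap objects store the encoded offset instead. */
void *sandbox_alloc(size_t n) {
    if (ensure_sandbox() != 0 || n > SANDBOX_SIZE - sandbox_bump) return NULL;
    void *p = sandbox_base + sandbox_bump;
    sandbox_bump += (n + 7) & ~(size_t)7;
    return p;
}

int ptr_in_sandbox(const void *p) {
    if (ensure_sandbox() != 0) return 0;
    uintptr_t x = (uintptr_t)p, lo = (uintptr_t)sandbox_base;
    return x >= lo && x < lo + SANDBOX_SIZE;
}

sandboxed_ptr_t encode_sandboxed(const void *p) {
    return (sandboxed_ptr_t)((const uint8_t *)p - sandbox_base);
}

/* Decoding masks the offset, so even a fully attacker-chosen value stays in-bounds. */
void *decode_sandboxed(sandboxed_ptr_t off) {
    if (ensure_sandbox() != 0) return NULL;
    return sandbox_base + (off & (SANDBOX_SIZE - 1));
}

external_handle_t ept_register(void *raw, uint64_t tag) {
    if (ept_next >= EPT_CAPACITY) return 0;
    ept[ept_next].ptr = raw;
    ept[ept_next].tag = tag;
    return ept_next++;
}

/* Resolve a handle: the index is masked to the table and the tag must match. */
void *ept_resolve(external_handle_t h, uint64_t tag) {
    struct ept_entry *e = &ept[h & (EPT_CAPACITY - 1)];
    return (e->ptr && e->tag == tag) ? e->ptr : NULL;
}

/* Play the attacker from the threat model: arbitrary writes inside the
 * sandbox overwrite an object's pointer fields. Returns 0 if every access
 * stays contained, a nonzero code identifying the first escape otherwise. */
int simulate_in_sandbox_corruption(void) {
    struct sandboxed_object *a = sandbox_alloc(sizeof *a);
    struct sandboxed_object *b = sandbox_alloc(sizeof *b);
    if (!a || !b) return -1;
    a->next    = encode_sandboxed(b);
    a->backing = ept_register(demo_external_buffer, TAG_ARRAY_BUFFER);
    external_handle_t code = ept_register(demo_code_stub, TAG_CODE_ENTRY);

    a->next = 0xFFFFFFFFu;  /* would be a wild pointer if stored raw */
    if (!ptr_in_sandbox(decode_sandboxed(a->next))) return 1;

    a->backing = code;      /* type confusion: point the buffer handle at a code entry */
    if (ept_resolve(a->backing, TAG_ARRAY_BUFFER) != NULL) return 2;

    a->backing = 0xDEADBEEFu;  /* garbage handle: an empty slot or, at worst, another entry of the same type */
    void *p = ept_resolve(a->backing, TAG_ARRAY_BUFFER);
    if (p != NULL && p != (void *)demo_external_buffer) return 3;
    return 0;
}

int main(void) {
    int rc = simulate_in_sandbox_corruption();
    printf("corruption contained: %s (code %d)\n", rc == 0 ? "yes" : "no", rc);
    return rc == 0 ? 0 : 1;
}
```

The last check in the simulation is deliberately weak: a garbage handle can still select another entry that carries the expected tag, which is the within-type substitution the sandbox accepts rather than a violation; what it cannot do is manufacture a raw address.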

Benchmark results from Speedometer and JetStream show that the feature adds about 1% overhead on typical workloads, and it has been enabled by default since Chrome 123 on Android, ChromeOS, Linux, macOS, and Windows.

    “The V8 sandbox requires a 64-bit system because it needs to reserve a large amount of virtual address space, currently 1 TB,” Groß said.


“The motivation for the sandbox is that current memory security techniques are largely unsuitable for optimizing JavaScript engines. While these techniques cannot prevent memory corruption in V8 itself, they can actually protect the attack surface of the V8 sandbox. Therefore, sandboxing is a necessary step toward memory safety.”

Separately, Google highlighted the role of Kernel Address Sanitizer (KASan) in detecting memory errors in native code and hardening Android firmware, adding that it has found more than 40 bugs using the compiler-based tool.

    “Using KASan-enabled builds during testing and/or fuzzing can help catch memory corruption vulnerabilities and stability issues before they land on user devices,” said Eugene Rodionov and Ivan Lozano of the Android team.
