Google has announced a new security feature called the V8 Sandbox for its Chrome web browser. This move aims to address the persistent issue of memory corruption vulnerabilities in the V8 JavaScript and WebAssembly engine.
According to Samuel Groß, the technical lead for V8 Security, the sandbox is designed to prevent “memory corruption in V8 from spreading within the host process.” In other words, it aims to isolate the impact of V8 vulnerabilities by restricting the code executed by V8 to a specific virtual address space, effectively containing any potential damage.
A Specialized Solution for Vulnerabilities
Google has described the V8 Sandbox as a lightweight, in-process solution that is tailored to mitigate common V8-related vulnerabilities. The rationale behind this approach is that while typical memory-corruption bugs can be addressed with techniques such as memory-safe languages, the “subtle logic issues” that plague V8 require a more specialized solution.
Containing Memory Corruption Within the Sandbox
Assumptions and Protective Measures
The Chromium team explained that the sandbox assumes an attacker can arbitrarily modify any memory within the sandbox, and can also read memory outside of it. The sandbox, therefore, aims to protect the rest of the process from such an attacker, ensuring that any memory corruption is confined within the sandbox.
Addressing the Challenges of V8 Vulnerabilities
Interestingly, Groß highlighted the challenges of addressing V8 vulnerabilities by switching to a memory-safe language like Rust or relying on hardware-based memory safety approaches. He noted that nearly all V8 vulnerabilities involve memory corruption within the V8 heap, which cannot be adequately protected by traditional techniques.
To mitigate this, the V8 Sandbox replaces data types that can access out-of-sandbox memory with “sandbox-compatible” alternatives, effectively preventing an attacker from reaching other parts of the process’s memory. Benchmark results indicate that the V8 Sandbox adds an overhead of around 1% on typical workloads, allowing it to be enabled by default starting with Chrome version 123, across various platforms. However, the sandbox does require a 64-bit system because it needs a large virtual address space.
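The attacker model above (arbitrary writes inside the sandbox, reads outside it) and the idea of “sandbox-compatible” data types can be made concrete with a small illustration. The following C program is an added example, not V8's code: a heap-allocated 1 MiB buffer stands in for the sandbox's reserved virtual address range, and a 32-bit offset stands in for a sandboxed pointer. The point it demonstrates is that the resolved address lands inside the region for every possible stored value, so corrupting the field can only move the reference around within the sandbox. The range-checked external table at the end is an assumption about how a pointer that must leave the sandbox can be represented safely; the article does not describe that mechanism.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed illustration of the "sandbox-compatible" reference idea.
 * Not V8's implementation: a calloc'd region stands in for the reserved
 * virtual address space, and a 32-bit offset stands in for a sandboxed
 * pointer. Security property: sandbox_resolve() returns an in-region
 * address for EVERY stored value, corrupted or not. */
#define SANDBOX_SIZE ((size_t)1 << 20)              /* constructed: 1 MiB */
#define OFFSET_MASK  ((uint32_t)(SANDBOX_SIZE - 1))  /* region is a power of two */

typedef uint32_t sandboxed_ref_t;   /* offset from the sandbox base, never a raw pointer */

static uint8_t *sandbox_base = NULL;

/* Reserve the region once. Returns 1 on success, 0 on failure. */
int sandbox_init(void) {
    if (sandbox_base == NULL)
        sandbox_base = calloc(SANDBOX_SIZE, 1);
    return sandbox_base != NULL;
}

/* Resolve a stored reference. Masking, rather than a branchy bounds check,
 * makes the result in-region unconditionally: no code path can be skipped. */
uint8_t *sandbox_resolve(sandboxed_ref_t ref) {
    return sandbox_base + (ref & OFFSET_MASK);
}

/* Inverse: encode an in-region address as an offset for storage in the heap. */
sandboxed_ref_t sandbox_ref_of(const uint8_t *p) {
    return (sandboxed_ref_t)(p - sandbox_base);
}

/* Check helper: does this address lie inside the reserved region? */
int sandbox_contains(const uint8_t *p) {
    return p >= sandbox_base && p < sandbox_base + SANDBOX_SIZE;
}

/* Contrast case: an object field holding a raw pointer. Overwriting `raw`
 * redirects the next dereference to any address in the process. */
typedef struct { uint8_t *raw; } raw_field_t;

/* Assumed mechanism (not from the article): a pointer that must leave the
 * sandbox is stored as an index into a table kept outside it. The index is
 * range-checked, so a corrupted index yields NULL, not an arbitrary address. */
#define EXT_TABLE_SIZE 4                 /* constructed: 4 entries */
static void *ext_table[EXT_TABLE_SIZE];

void ext_table_set(uint32_t idx, void *target) {
    if (idx < EXT_TABLE_SIZE) ext_table[idx] = target;
}

void *ext_table_get(uint32_t idx) {
    return idx < EXT_TABLE_SIZE ? ext_table[idx] : NULL;
}

int main(void) {
    if (!sandbox_init()) return 1;
    /* Simulate a fully corrupted reference (all bits set): still in-region. */
    uint8_t *p = sandbox_resolve(0xFFFFFFFFu);
    printf("corrupted ref resolves inside sandbox: %s\n",
           sandbox_contains(p) ? "yes" : "no");
    /* A corrupted table index degrades to NULL instead of a wild pointer. */
    printf("out-of-range external index -> %p\n", ext_table_get(0xFFFFFFFFu));
    free(sandbox_base);
    return 0;
}
```

The masking step is what carries the guarantee: because the region size is a power of two, `ref & OFFSET_MASK` is always smaller than `SANDBOX_SIZE`, so there is no comparison an attacker could aim to bypass. This is also why the real design needs a large reserved virtual address range on 64-bit systems: the whole heap that sandboxed references can name has to fit inside the region.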
Complementary Security Efforts
The announcement also mentioned Google’s use of Kernel Address Sanitizer (KASan) to detect memory bugs in native code and harden Android firmware security, with the tool helping to uncover more than 40 bugs.
“Using KASan-enabled builds during testing and/or fuzzing can help catch memory corruption vulnerabilities and stability issues before they land on user devices,” the Android team said.