Google has announced support for V8 Sandbox in the Chrome web browser to address memory corruption issues.
The sandbox, as explained by V8 Security technical lead Samuel Groß, aims to prevent memory corruption from spreading within the host process.
Google has described V8 Sandbox as a lightweight, in-process sandbox for the JavaScript and WebAssembly engine designed to mitigate common V8 vulnerabilities.
The concept is to limit the impact of V8 vulnerabilities by restricting the code executed by V8 to a subset of the process’ virtual address space (“the sandbox”) and isolating it from the rest of the process.
V8 vulnerabilities have contributed significantly to zero-day vulnerabilities addressed by Google between 2021 and 2023, with 16 security flaws discovered during this period.
“The sandbox assumes that an attacker can modify any memory inside the sandbox address space at any time, as this is possible due to typical V8 vulnerabilities,” said the Chromium team clarifying.
Groß highlighted the challenges in addressing V8 vulnerabilities by considering a switch to a memory-safe language like Rust or hardware memory safety approaches, such as memory tagging, due to the “subtle logic issues” that can be exploited for memory corruption, unlike traditional memory safety bugs.
“Most vulnerabilities found and exploited in V8 today involve memory corruption inside the V8 heap because the compiler and runtime mostly work on V8 HeapObject instances,” Groß noted.
Since these issues differ from typical memory-corruption vulnerabilities, the V8 Sandbox isolates V8’s heap memory to prevent any memory corruption from affecting other parts of the process’ memory.
This is achieved by replacing data types that can access out-of-sandbox memory with “sandbox-compatible” alternatives, effectively blocking attackers from accessing other memory. Enabling the sandbox can be done by setting “v8_enable_sandbox” to true in the gn args.
Benchmark tests show that the security feature adds around 1% overhead on typical workloads, making it possible to enable it by default in Chrome version 123 on Android, ChromeOS, Linux, macOS, and Windows.
“The V8 Sandbox requires a 64-bit system as it needs a large virtual address space, currently one terabyte,” Groß added.
“Current memory safety technologies are not effective in optimizing JavaScript engines. While they may not prevent memory corruption in V8 itself, they can safeguard the V8 Sandbox attack surface. Therefore, the sandbox is a crucial step towards memory safety.”
Google also highlighted the role of Kernel Address Sanitizer (KASan) in detecting memory bugs in native code and enhancing Android firmware security, using the tool to find over 40 bugs.
“Using KASan during testing and fuzzing can help identify memory corruption vulnerabilities and stability issues before they impact user devices,” stated Eugene Rodionov and Ivan Lozano from the Android team emphasizing.
