In an effort to improve Chrome’s resilience against memory safety bugs, Google is adding a V8 sandbox to the browser, and is now allowing security researchers to hunt for vulnerabilities in this sandbox.
Over the past three years, Chrome has been plagued by numerous exploited memory safety issues, most of which were identified in the V8 JavaScript rendering engine.
Because such flaws in V8 are not the usual type of memory safety bugs – they’re subtle logic issues – existing protections are not applicable to the rendering engine, and using hardware security mechanisms or switching to a memory safe language, such as Rust, cannot help.
“Nearly all vulnerabilities found and exploited in V8 today have one thing in common: the eventual memory corruption necessarily happens inside the V8 heap because the compiler and runtime (almost) exclusively operate on V8 HeapObject instances,” Google says.
The new V8 sandbox isolates the engine’s heap memory to prevent memory corruption from affecting other parts of the process’ memory. Because there is no suitable hardware feature to support the sandbox’s implementation, Google opted for implementing it purely in software.
“The basic idea behind the software-based sandbox is to replace all data types that can access out-of-sandbox memory with ‘sandbox-compatible’ alternatives. In particular, all pointers (both to objects on the V8 heap or elsewhere in memory) and 64-bit sizes must be removed as an attacker could corrupt them to subsequently access other memory in the process,” Google notes.
In real-world attack scenarios, the internet giant says, an attacker would not be able to escape the sandbox and reach other parts of the process’ memory, and will require a V8 sandbox bypass instead.
Initially proposed in 2021, the sandbox for V8 is now considered a viable security feature and Google has introduced it in Chrome 123, for testing purposes. It also added the sandbox to Chrome’s VRP, so that security developers and white hat hackers can identify flaws in it.
According to Google, sandbox violations identified to date in the sandbox are trivial memory corruption bugs that can be prevented or mitigated, unlike the more severe flaws typically discovered in V8.
“As such, the hope is that in the long run, the sandbox becomes a more defensible security boundary than V8 itself. While the currently available data set of sandbox bugs is very limited, the VRP integration launching today will hopefully help produce a clearer picture of the type of vulnerabilities encountered on the sandbox attack surface,” the internet giant says.
The V8 sandbox, Google notes, has an overhead of only 1% or less on typical workloads, meaning that it can be enabled by default on compatible platforms.
For the past two weeks, the V8 sandbox has been enabled by default in the 64-bit versions of Chrome for Android, ChromeOS, Linux, macOS, and Windows, mainly to test for stability issues and to collect performance statistics.
Related: Google Patches Chrome Flaw That Earned Hackers $42,500 at Pwn2Own
Related: Google Report: Despite Surge in Zero-Day Attacks, Exploit Mitigations Are Working
Related: Google Warns of Chrome Browser Zero-Day Being Exploited
