Now on Demand: Threat Detection and Incident Response (TDIR) Summit - All Sessions Available
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Google Adds V8 Sandbox to Chrome

Google fights Chrome V8 engine memory safety bugs with a new sandbox and adds it to the bug bounty program.

In an effort to improve Chrome’s resilience against memory safety bugs, Google is adding a V8 sandbox to the browser, and is now allowing security researchers to hunt for vulnerabilities in this sandbox.

Over the past three years, Chrome has been plagued by numerous exploited memory safety issues, most of which were identified in the V8 JavaScript rendering engine.

Because such flaws in V8 are not the usual type of memory safety bugs – they’re subtle logic issues – existing protections are not applicable to the rendering engine, and using hardware security mechanisms or switching to a memory safe language, such as Rust, cannot help.

“Nearly all vulnerabilities found and exploited in V8 today have one thing in common: the eventual memory corruption necessarily happens inside the V8 heap because the compiler and runtime (almost) exclusively operate on V8 HeapObject instances,” Google says.

The new V8 sandbox isolates the engine’s heap memory to prevent memory corruption from affecting other parts of the process’ memory. Because there is no suitable hardware feature to support the sandbox’s implementation, Google opted for implementing it purely in software.

“The basic idea behind the software-based sandbox is to replace all data types that can access out-of-sandbox memory with ‘sandbox-compatible’ alternatives. In particular, all pointers (both to objects on the V8 heap or elsewhere in memory) and 64-bit sizes must be removed as an attacker could corrupt them to subsequently access other memory in the process,” Google notes.

In real-world attack scenarios, the internet giant says, an attacker would not be able to escape the sandbox and reach other parts of the process’ memory, and will require a V8 sandbox bypass instead.

Initially proposed in 2021, the sandbox for V8 is now considered a viable security feature and Google has introduced it in Chrome 123, for testing purposes. It also added the sandbox to Chrome’s VRP, so that security developers and white hat hackers can identify flaws in it.

Advertisement. Scroll to continue reading.

According to Google, sandbox violations identified to date in the sandbox are trivial memory corruption bugs that can be prevented or mitigated, unlike the more severe flaws typically discovered in V8.

“As such, the hope is that in the long run, the sandbox becomes a more defensible security boundary than V8 itself. While the currently available data set of sandbox bugs is very limited, the VRP integration launching today will hopefully help produce a clearer picture of the type of vulnerabilities encountered on the sandbox attack surface,” the internet giant says.

The V8 sandbox, Google notes, has an overhead of only 1% or less on typical workloads, meaning that it can be enabled by default on compatible platforms.

For the past two weeks, the V8 sandbox has been enabled by default in the 64-bit versions of Chrome for Android, ChromeOS, Linux, macOS, and Windows, mainly to test for stability issues and to collect performance statistics.

Related: Google Patches Chrome Flaw That Earned Hackers $42,500 at Pwn2Own

Related: Google Report: Despite Surge in Zero-Day Attacks, Exploit Mitigations Are Working

Related: Google Warns of Chrome Browser Zero-Day Being Exploited

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

People on the Move

Wendy Zheng named as CFO and Joe Diamond as CMO at cyber asset management firm Axonius.

Intelligent document processing company ABBYY has hired Clayton C. Peddy as CISO.

Digital executive protection services provider BlackCloak has appointed Ryan Black as CISO.

More People On The Move

Expert Insights