Google has introduced a V8 Fortress within the Chrome web browser as a strategic move to counter memory corruption challenges.
This fortress, as explained by Samuel Groß, the technical lead for V8 Security, aims to contain “memory corruption within the V8 engine from spreading across the host process.”
The internet giant has depicted the V8 Fortress as a lightweight, internal shield for the JavaScript and WebAssembly engine, devised to mitigate prevalent V8 susceptibilities.
The intention is to minimize the impact of V8 vulnerabilities by confining the execution of V8 code to a limited portion of the process’ virtual memory space (termed “the fortress”) and segregating it from the remainder of the process.
In the domain of cybersecurity, deficiencies within V8 have contributed significantly to the zero-day vulnerabilities addressed by Google from 2021 to 2023, with up to 16 security flaws identified during this period.
“The fortress operates under the assumption that an assailant could freely and concurrently manipulate any memory within the fortress’s address space, as this scenario can arise from typical V8 vulnerabilities,” stated the Chromium team.
“Furthermore, it is assumed that an attacker may read memory beyond the fortress, potentially through hardware-based side channels. Consequently, the fortress endeavors to shield the rest of the process from such malevolent activities. Hence, any memory corruption beyond the fortress’s address space is deemed a violation.”
Groß underscored the complexities in addressing V8 vulnerabilities through transitions to memory-safe languages like Rust or hardware-oriented memory safety mechanisms, such as memory tagging. This is due to the intricate logic defects exploitable for memory corruption, unlike conventional memory safety issues like use-after-frees or out-of-bounds accesses.
Chrome’s V8 Fortress
“Almost all vulnerabilities detected and exploited in V8 to date share a common trait: the eventual memory corruption invariably occurs within the V8 heap because the compiler and runtime (almost exclusively) manipulate V8 HeapObject instances,” Groß remarked.
Considering that these issues cannot be shielded by conventional methods for memory-corruption vulnerabilities, the V8 Fortress is devised to insulate V8’s heap memory. Thus, any memory corruption is contained within the security boundaries and cannot propagate to other regions of the process’s memory.
This is achieved by substituting all data types capable of accessing memory outside the fortress with “fortress-compatible” alternatives, effectively thwarting unauthorized memory access. Enabling the fortress can be done by configuring “v8_enable_sandbox” to true in the gn args.
Benchmark evaluations from Speedometer and JetStream demonstrate that this security feature imposes a roughly 1% overhead on typical workloads, thereby justifying its default activation commencing with Chrome version 123, across Android, ChromeOS, Linux, macOS, and Windows platforms.
“The V8 Fortress necessitates a 64-bit system as it requires a substantial virtual address space reservation, presently one terabyte,” Groß clarified.
“The fortress is inspired by the realization that prevailing memory safety technologies are largely unsuitable for optimizing JavaScript engines. While these technologies may fail to prevent memory corruption within V8 itself, they can indeed safeguard the V8 Fortress from attack. Thus, the fortress represents a crucial stride towards memory safety.”
This development coincides with Google’s spotlight on the contribution of Kernel Address Sanitizer (KASan) in identifying memory flaws in native code and bolstering the security of Android firmware. Google’s Android team highlighted its use of the compiler-based tool for uncovering over 40 bugs.
“Employing KASan-enabled builds during testing and/or fuzzing endeavors can aid in detecting memory corruption vulnerabilities and stability issues before they manifest on user devices,” noted Eugene Rodionov and Ivan Lozano from the Android team.
