
Google Announces V8 Sandbox Support to Boost Chrome User Security

Vlad CONSTANTINESCU

April 10, 2024


Google recently announced support for the V8 Sandbox, a security feature in the Chrome web browser designed to mitigate JavaScript memory corruption issues.

According to the feature’s official page, it will be implemented in Chrome 123; this version should be deemed a “sort of ‘beta’ release for the sandbox.”

Most Corruption Issues Linked to the V8 JavaScript Engine

In the past few years, most Chrome web browser exploits have achieved remote code execution (RCE) by triggering memory corruption issues in a browser process. Roughly 60% of these issues directly affect the V8 JavaScript engine.

“However, there is a catch: V8 vulnerabilities are rarely "classic" memory corruption bugs (use-after-frees, out-of-bounds accesses, etc.) but instead subtle logic issues which can in turn be exploited to corrupt memory,” reads the announcement. “As such, existing memory safety solutions are, for the most part, not applicable to V8.”

Isolating V8’s Heap Memory to Mitigate Vulnerabilities

Researchers highlighted that most V8 vulnerabilities share a common trait: the memory corruption occurs within the V8 heap. To mitigate such vulnerabilities, they developed a method to segregate V8's heap memory so that corruption cannot spread to other areas of the process's memory.

“The V8 Sandbox must be enabled/disabled at build time using the v8_enable_sandbox build flag,” reads the announcement. “It is (for technical reasons) not possible to enable/disable the sandbox at runtime. The V8 Sandbox requires a 64-bit system as it needs to reserve a large amount of virtual address space, currently one terabyte.”

Sandbox Dormant for Roughly Two Years

Furthermore, the feature has already been present for roughly two years on 64-bit versions of Chrome on Windows, Linux, macOS, Android, and ChromeOS. Although the sandbox was not yet feature complete, it was shipped early to confirm that it caused no stability issues and to collect relevant performance statistics.

The feature has also been included in the company's Vulnerability Reward Program (VRP); bug bounty hunters who can bypass the mechanism may submit their findings under strict, specific submission rules.
