Bugs in Chrome's JavaScript engine can lead to powerful exploits


Aug 17, 2014
A new project hopes to beef up the security of V8, a part of the Chrome browser that most users aren't aware of but that hackers increasingly see as a juicy target.

Samuel Groß, a member of the Google Project Zero security researchers team, has detailed a V8 sandbox proposal to help protect its memory from nastier bugs in the engine using virtual machine and sandboxing technologies.

"V8 bugs typically allow for the construction of unusually powerful exploits. Furthermore, these bugs are unlikely to be mitigated by memory safe languages or upcoming hardware-assisted security features such as MTE or CFI," explains Groß, referring to security technologies like Microsoft's control-flow integrity (CFI) and Intel's Control-flow Enforcement Technology (CET). "As a result, V8 is especially attractive for real-world attackers."

Groß traces the problem to V8's JIT compilers: a logic bug in a compiler can be exploited to make it emit machine code that then corrupts memory at runtime.

"Many V8 vulnerabilities exploited by real-world attackers are effectively 2nd order vulnerabilities: the root-cause is often a logic issue in one of the JIT compilers, which can then be exploited to generate vulnerable machine code (e.g. code that is missing a runtime safety check). The generated code can then in turn be exploited to cause memory corruption at runtime."
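The two-stage chain Groß describes, as an added toy model written for this post (constructed illustration, not V8 or Project Zero code): an optimizer's range analysis is asked whether an index can leave the array, the flawed version answers wrongly, the emitted access drops its bounds check, and only at runtime does a negative index write over the word in front of the array. The names `buggy_range`, `correct_range`, `compile_access` and `run` and the flat list used as a heap are assumptions of the model.

```python
# Toy model of a "second-order" JIT vulnerability (constructed illustration,
# not V8 code): the root cause is a logic bug in the optimizer's range
# analysis, which wrongly proves an index in-bounds, so the emitted access
# omits its runtime bounds check; the memory error only appears at runtime.

ARRAY_LENGTH = 8

def correct_range(x_mask, sub):
    """Range of (x & x_mask) - sub for any integer x: [0, x_mask] shifted by -sub."""
    return (0 - sub, x_mask - sub)

def buggy_range(x_mask, sub):
    """Flawed analysis: subtracts from the upper bound only and leaves lo at 0.
    This stands in for the 'logic issue in one of the JIT compilers'."""
    return (0, x_mask - sub)

def compile_access(range_fn, x_mask, sub, length=ARRAY_LENGTH):
    """Emit an access routine; the bounds check is elided when the range
    analysis claims the index can never leave [0, length)."""
    lo, hi = range_fn(x_mask, sub)
    keep_check = not (0 <= lo and hi < length)

    def access(base, x):
        idx = (x & x_mask) - sub
        if keep_check and not (0 <= idx < length):
            raise IndexError("runtime bounds check failed")
        return base + idx  # address computed with no check when elided

    return access, keep_check

def run(range_fn, x):
    # Constructed flat "heap": one header word followed by the array storage.
    heap = [0xCAFE] + [0] * ARRAY_LENGTH
    base = 1
    access, keep_check = compile_access(range_fn, x_mask=7, sub=1)
    try:
        addr = access(base, x)
    except IndexError:
        return {"check_kept": keep_check, "result": "trapped"}
    heap[addr] = 0x41  # the store the generated code performs
    corrupted = heap[0] != 0xCAFE
    return {"check_kept": keep_check,
            "result": "header corrupted" if corrupted else "in bounds"}
```

With `x = 0` the index is -1: the correct analysis keeps the check and traps, the buggy one drops it and the store lands on the header word, which is the runtime memory corruption the article refers to.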

He also highlights the shortcomings of current security technologies, including hardware-based mitigations, which will keep V8 an attractive target for years to come and are why V8 may need a sandbox approach. These include:
  • The attacker has a great amount of control over the memory corruption primitive and can often turn these bugs into highly reliable and fast exploits
  • Memory safe languages will not protect from these issues as they are fundamentally logic bugs
  • Due to CPU side-channels and the potency of V8 vulnerabilities, upcoming hardware security features such as memory tagging will likely be bypassable most of the time