Serious Discussion Microsoft Edge Stable (Chromium) Now Available for Download

Here is part of the reply from a GOS developer explaining why it's used in Vanadium.
[Drumbrake] substantially reduces attack surface compared to the JIT. DrumBrake is an alternative to JIT compilation for WebAssembly. Vanadium isn't adding functionality not present in Chromium but rather is using a more secure and lower attack surface implementation by default. DrumBrake provides a far more secure implementation of WebAssembly compared to having the baseline JIT or all 3 JIT tiers enabled for it. In Vanadium, the JIT toggle is supposed to be a performance vs. security toggle and shouldn't lose functionality such as WebAssembly. ... DrumBrake is clearly the lesser evil by far. DrumBrake is very clearly a more secure approach. That doesn't mean it won't have security vulnerabilities. The point is having fewer vulnerabilities along with being able to have more hardening enabled that's incompatible with JIT compilation. If we didn't have DrumBrake, then the JIT disabled default in Vanadium would become increasingly impractical until the point we had to switch it back to being enabled by default.
Offensivecon: Drumbrake adds massive attack surface (applies to Vanadium) - GrapheneOS Discussion Forum
 
Additionally, Chrome implements DrumBrake according to Gemini.
DrumBrake was developed to provide a "JIT-less" way to run WebAssembly. It is a bytecode interpreter that allows Chrome to execute Wasm code without needing to compile it into machine code on the fly. This provides two major benefits:

  • Security: By avoiding JIT compilation, it reduces the "attack surface" that hackers can use to take control of a process.
  • Memory Efficiency: It allows WebAssembly to run on devices with very low memory where a full JIT compiler would be too heavy.

Why is it used?

You’ll mostly see DrumBrake active when you are using Chrome's Enhanced Security Mode (or "Super Duper Secure Mode" in Edge). When you disable the V8 optimizer for extra safety, the browser normally wouldn't be able to run WebAssembly at all. DrumBrake steps in as the "backup engine," allowing sites that rely on Wasm (like Google Meet or certain web games) to keep functioning—albeit more slowly—without the risks of JIT.
 
> Additionally, Chrome implements DrumBrake according to Gemini.
I asked this to both Gemini and ChatGPT when you posted the info. Gemini says Chrome uses it while ChatGPT says it doesn't. I gave each other's answer to each other, and they just kept arguing and disagreeing. Both had good logic behind their answers. Since there is no official info on whether Chrome uses DrumBrake or not, I'm not sure who's right and I didn't do any more research by myself.
Anyway, I am not using Edge's enhanced security mode. For me, sacrificing speed while worrying about JIT vulnerability falls under paranoia.
 
> Anyway, I am not using Edge's enhanced security mode. For me, sacrificing speed while worrying about JIT vulnerability falls under paranoia.
Speed seems very good to me with JIT disabled but I can't say I've compared them both. And I tend to trust GOS developers' info regarding DrumBrake.
 
> Speed seems very good to me with JIT disabled but I can't say I've compared them both. And I tend to trust GOS developers' info regarding DrumBrake.
The comment from GrapheneOS makes it seem like DrumBrake is not present by default in Chromium. They adopted it in their own browser for security benefits.
It's not 100% clear from the comment.
 
> The comment from GrapheneOS makes it seem like DrumBrake is not present by default in Chromium. They adopted it in their own browser for security benefits.
> It's not 100% clear from the comment.
You may be right.
 
@oldschool

My research is a bit outdated, but I’m sticking with my hypothesis (unfortunately, it’s not a thesis ;)).
In any case, I’ve enabled JIT in Chrome, so I’m not affected by this potential future vulnerability.
If there have been past vulnerabilities in DrumBrake, there are certainly current vulnerabilities, and therefore future ones, that haven’t been detected yet. (y)
 
> The comment from GrapheneOS makes it seem like DrumBrake is not present by default in Chromium. They adopted it in their own browser for security benefits.
> It's not 100% clear from the comment.
I asked Claude AI to analyze all the browser codes listed in the online table, focusing only on the two most recent versions released.
To do this, I enabled this feature in my Claude AI account.
Here is the result:

[Attached image: 1.png]

So I’m 99% certain that I was right about what I said yesterday.
;) (y)
 