Google just introduced a new feature for its Chrome browser, which should eliminate, or at least minimize, memory corruption vulnerabilities.
It is called V8 Sandbox and described as a “lightweight, in-process sandbox for V8.”
For those who are unaware, V8 is a JavaScript and WebAssembly engine that Google developed for the Chrome browser. It is free and open source, and part of the Chromium project. It is also used in other, non-browser related projects, such as the Node.js runtime system.
Fundamentally cheap approach
In a technical write-up published recently, Google said that all Chrome exploits caught in the wild in the last three years (2021 - 2023) started out with a memory corruption vulnerability in a Chrome renderer process that was exploited for remote code execution. The majority of those vulnerabilities (60%) were found in V8.
This motivated the team to look for a solution, and after almost three years of work they came out with the V8 Sandbox, a tool that is “no longer considered an experimental security feature”. The sandbox is already included in Chrome’s Vulnerability Reward Program (VRP) and in Chrome 123 - which could be considered “a sort of ‘beta’ release for the sandbox,” they said.
The idea behind V8 Sandbox is not unlike any other sandbox - all the code V8 executes gets restricted to a subset of the process’ virtual address space, and isolated from the rest of the process.
On the V8 blog, security technical lead Samuel Groß said that the approach is “fundamentally cheap” - the overhead caused by the sandbox is around 1% or less, according to results from Speedometer and JetStream. That means V8 Sandbox can be enabled by default on compatible platforms, meaning Android, ChromeOS, Linux, macOS, and Windows.
"The V8 Sandbox requires a 64-bit system as it needs to reserve a large amount of virtual address space, currently one terabyte," Groß said.
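The following toy program is an added illustration of the confinement idea described above; it is not V8's code. It assumes one common way to implement such a sandbox: a single reserved region (a small heap buffer here standing in for the one terabyte reservation) and heap references stored as offsets into that region rather than raw addresses, so that even a corrupted offset resolves to an address inside the region.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy in-process sandbox: one contiguous region stands in for the large
 * virtual address range a real engine would reserve (1 MiB here, not 1 TiB).
 * Power of two so that masking an offset keeps it inside the region. */
#define SANDBOX_SIZE (1u << 20)

static uint8_t *sandbox_base;

/* A "sandboxed pointer" is an offset from sandbox_base, never a raw address.
 * Assumed representation for this example, not V8's actual layout. */
typedef uint32_t sandboxed_ptr;

int sandbox_init(void) {
    sandbox_base = calloc(SANDBOX_SIZE, 1);
    return sandbox_base != NULL;
}

/* Resolve an offset to a real address. The mask guarantees the result lies
 * inside the region even if the stored offset was overwritten with garbage. */
uint8_t *sandbox_resolve(sandboxed_ptr p) {
    return sandbox_base + (p & (SANDBOX_SIZE - 1));
}

int sandbox_contains(const uint8_t *addr) {
    return addr >= sandbox_base && addr < sandbox_base + SANDBOX_SIZE;
}

/* Model a memory-corruption bug that overwrites a stored reference with an
 * attacker-chosen value. With offsets, the resolved address stays inside the
 * sandbox (returns 1); a raw pointer corrupted the same way could point at
 * any memory in the process. Addresses are only compared, never dereferenced. */
int corrupted_offset_stays_inside(uint32_t garbage) {
    sandboxed_ptr p = 0x100;   /* a valid reference into the region */
    p = garbage;               /* corrupted by the hypothetical bug */
    return sandbox_contains(sandbox_resolve(p));
}

int corrupted_raw_pointer_stays_inside(uintptr_t garbage) {
    const uint8_t *raw = sandbox_base + 0x100;
    raw = (const uint8_t *)garbage;  /* same corruption, raw representation */
    return sandbox_contains(raw);
}

int main(void) {
    if (!sandbox_init()) return 1;
    printf("offset confined: %d, raw confined: %d\n",
           corrupted_offset_stays_inside(0xFFFFFFFFu),
           corrupted_raw_pointer_stays_inside((uintptr_t)0x41414141u));
    return 0;
}
```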