Support Super Duper Secure Mode (disable V8 JIT)

[breiter]

Microsoft Edge has implemented a feature to disabled JIT in V8 completely or on a site-by-site basis. In their blog post describing the feature it was called Super Duper Secure Mode and they note that "roughly 45% of CVEs issued for V8 were related to the JIT engine".

When enabled, the default is to disable JIT (Turbofan and Sparkplug) for websites until they earn some trust. This feature is now in production in Microsoft Edge 96.0.1054.41.

In their research, the Edge team discovered that there were minimal impacts on performance for most sites. Some showed improvement.

Given the complexity of V8 and the empirical evidence that V8 JIT accounts for a significant portion of the CVEs in Chromium, I would like to see this feature to selectively disable V8 JIT imported into Brave as well.

[fmarier]

If you want to try this out, you can start Brave with brave-browser --js-flags=--jitless and that will disable the JIT entirely. One problem I ran into is that this disables support for WASM, which some sites and extensions use.

Being able to disable it on a site-by-site basis would make this much more practical.

[h4xor666]

I think this is an important feature for Android, where AFAIK it is not possible/very inconvenient to try and run Brave with parameters via a command line. Both Bromite and Vanadium for Android have implemented this feature. It it an important security feature.

[rusty-snake]

I did not tested it but it looks like you can do it on unrooted Andrpid via chrome://flags/#enable-command-line-on-non-rooted-devices

Although it does not feel good because

Enable reading command line file on non-rooted devices (DANGEROUS).

[ghost]

Is there anyway to Disable Java JIT on Android ? Will this feature be implemented in the future ? Any updates ? Seems no one is responding on this one.

[devgr]

@JohnBetaro

Is there anyway to Disable Java JIT on Android ? Will this feature be implemented in the future ? Any updates ? Seems no one is responding on this one.

I think you may be confusing the JVM (Java) JIT and the V8 (Brave Browser) JIT. The V8 JIT (the subject of this thread) generates machine code from JavaScript or WebAssembly code running in the browser. This is presently a feature of V8 https://v8.dev/blog/jitless so it would be desirable to be able to turn this on or off within Brave Browser. Disabling the JVM JIT is an option when developing your own Java application, but I don't believe that is possible within Android. That would be a question for the Android Open Source Project. Hope that helps!

[Fei1Yang]

Chromium now implemented a "V8 Optimizer" permission, however it only disables JavaScript JIT compilers (https://chromium-review.googlesource.com/c/chromium/src/+/5310561) since Chromium haven't implemented a WAsm interpreter yet. since this permission is enabled by default, would Brave team consider revert the change in Brave browser to make it disable all JIT compilers?

[rugabunda]

Microsoft Edge VS Brave JIT Security.

1) Microsoft's Super Duper Secure Mode (SDSM):

SDSM disables JIT entirely, including the JavaScript engine's JIT compiler. This significantly reduces the attack surface by eliminating JIT-related vulnerabilities. Since JIT compilation is a common target for exploits (as you mentioned, 45% of chromes java engine hacks are related to JIT), removing JIT can substantially improve security.

Additionally, SDSM includes other features like Control Flow Guard (CFG) and hardware-enforced Stack Protection, further enhancing security.

SDSM also introduces a WebAssembly (WASM) interpreter in place of the JIT compiler for WASM, which is slower but more secure.

2) Brave's "Disable V8 Optimizer" Option:

Brave's "Disable V8 Optimizer" option disables certain optimizations in the V8 JavaScript engine, which can make it harder for attackers to exploit JIT vulnerabilities. However, it doesn't disable JIT entirely; it just reduces the attack surface by making the engine less performant but potentially more secure.

Brave’s approach still allows some level of JIT compilation, which means that while it is more secure than a fully optimized JIT, it does not provide the same level of security as completely disabling JIT.

Theoretical Security Comparison:

Microsoft Edge with SDSM:

Pros: By fully disabling JIT, SDSM removes a significant portion of the attack surface that is exploited in 45% of V8 engine hacks. The additional security features like CFG and hardware-enforced protections further enhance its security posture.

Cons: Disabling JIT can lead to a noticeable performance impact, particularly in JavaScript-heavy applications.

Brave Browser with "Disable V8 Optimizer":

Pros: Disabling the V8 optimizer reduces the risk of certain JIT-related attacks while still retaining some performance benefits of JIT. Brave also has other privacy and security features that contribute to its overall security.

Cons: Since JIT is not entirely disabled, the browser is still vulnerable to some JIT-related exploits, albeit less so than with a fully optimized JIT.

When comparing the potential for exploits in Brave with the V8 optimizer disabled to Microsoft Edge running in Super Duper Secure Mode (SDSM), it’s important to understand how vulnerabilities in JIT (Just-In-Time) compilation can be exploited and how the different approaches impact the attack surface. Here are some theoretical scenarios:

1. Scenario: Exploiting JIT Spraying

Brave with V8 Optimizer Disabled:

Attack Vector: JIT spraying is a technique where an attacker generates a large amount of JIT-compiled code in predictable memory regions. Even with the V8 optimizer disabled, the JIT process still generates machine code, albeit less efficiently. An attacker could potentially craft specific JavaScript code that, when compiled by the JIT engine, places predictable patterns of bytes in memory. These patterns could be used to facilitate a memory corruption exploit, such as ROP (Return-Oriented Programming).

Outcome: Despite the optimizer being disabled, reducing the complexity of the generated code, the mere existence of JIT-compiled code in memory could be exploited to bypass ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention), leading to arbitrary code execution.

Edge with SDSM (JIT Disabled):

Attack Vector: In SDSM, since JIT is completely disabled, there is no JIT-generated code in memory. This eliminates the possibility of JIT spraying as an attack vector.

Outcome: The attacker would not be able to use JIT spraying techniques, significantly reducing the likelihood of a successful exploit using this method.

2. Scenario: Exploiting a JIT Compiler Bug

Brave with V8 Optimizer Disabled:

Attack Vector: If there is a bug in the JIT compiler (e.g., an out-of-bounds write or a type confusion vulnerability), an attacker could craft JavaScript that triggers this bug, potentially leading to memory corruption or arbitrary code execution. Even without the optimizer, the core JIT compilation process is still active and could be vulnerable to such bugs.

Outcome: The attacker could exploit the bug to gain control over the browser’s execution flow, leading to a potential compromise of the system.

Edge with SDSM (JIT Disabled):

Attack Vector: With JIT completely disabled, any bugs in the JIT compiler are irrelevant because the JIT compiler is not invoked. The browser instead interprets JavaScript, which is generally more secure as it avoids the complexities and potential vulnerabilities of JIT compilation.

Outcome: The attacker would not be able to exploit JIT compiler bugs, as the compiler is not in use. This substantially increases the browser’s resilience against such attacks.

3. Scenario: Memory Corruption via Optimized JIT Code

Brave with V8 Optimizer Disabled:

Attack Vector: Although the V8 optimizer is disabled, there is still some level of optimization and memory management involved in the JIT compilation process. An attacker could exploit a memory corruption vulnerability that arises from how the JIT engine handles objects or arrays in memory, potentially leading to a buffer overflow or use-after-free condition.

Outcome: The attacker might still find ways to manipulate memory through less optimized, but still vulnerable, JIT-generated code, leading to potential arbitrary code execution.

Edge with SDSM (JIT Disabled):

Attack Vector: Since JIT is disabled, the browser does not generate this type of optimized code, and the corresponding vulnerabilities are not present. Memory management is handled in a more traditional, less risky manner by the interpreter.

Outcome: The risk of memory corruption via JIT-generated code is eliminated, making the browser more secure against this type of exploit.

4. Scenario: Side-Channel Attacks on JIT-Compiled Code

Brave with V8 Optimizer Disabled:

Attack Vector: Side-channel attacks, such as Spectre or Meltdown, can sometimes exploit the behavior of JIT-compiled code, particularly if it involves speculative execution or other low-level CPU optimizations. Even with the V8 optimizer disabled, the JIT compiler might still produce code that could be susceptible to such attacks.

Outcome: While the risk might be lower due to the lack of aggressive optimization, the presence of JIT-compiled code still provides an attack surface for side-channel exploits.

Edge with SDSM (JIT Disabled):

Attack Vector: Without JIT, there is significantly less dynamic, speculative code generation. This greatly reduces the potential for side-channel attacks that target JIT-compiled code.

Outcome: The browser is more resilient to side-channel attacks related to JIT, as the interpreter does not involve the same speculative execution pathways.