Samuel Groß

The V8 Heap Sandbox

Abstract

The V8 JavaScript engine is investing in a new architecture based on a lightweight, in-process sandbox. This talk will discuss the motivation behind this sandbox, explore its current design and implementation, and finally look at the sandbox from an attacker’s perspective.

The V8 Sandbox is a new, lightweight sandbox currently being developed for the V8 JavaScript engine. In contrast to Chrome’s more heavyweight process-based sandbox, it is an in-process sandbox that limits V8 to a subset of the process’ virtual address space. It assumes that an attacker can corrupt memory inside the V8 sandbox due to a bug in V8 and then attempts to prevent memory corruption elsewhere in the process’ address space.

In this talk, we will first explore the motivation behind the sandbox as well as its goals. We will then examine the current software-based design and implementation, also reviewing how the sandbox design has evolved since the initial prototype. Finally, we will look at the sandbox from an attacker’s point of view, discussing what kinds of bugs can be (and have been) found on the sandbox attack surface, and what a sandbox escape might look like.


BIO

After working at Google Project Zero since 2019 and researching browser-based and 0-click attacks, Samuel now leads the V8 Security Team inside Google, where he develops innovative security features for the V8 JavaScript Engine together with his team. Before joining Google, Samuel worked as an independent security researcher, during which time he participated in Pwn2Own and published two Phrack articles on JavaScript engine exploitation.