Google Chrome has a new tool to help protect against memory corruption

News
By Sead Fadilpašić
published

After three years in the lab, Chrome is getting V8 Sandbox

Google Chrome browser app on iPhone
(Image credit: Shutterstock)

Google just introduced a new feature for its Chrome browser, which should eliminate, or at least minimize, memory corruption vulnerabilities.

It is called V8 Sandbox and described as a “lightweight, in-process sandbox for V8.”

For those who are unaware, V8 is a JavaScript and WebAssembly engine that Google developed for the Chrome browser. It is free and open source, and part of the Chromium project. It is also used in other, non-browser related projects, such as the Node.js runtime system.

Fundamentally cheap approach

In a technical write up published recently, Google said that all Chrome exploits caught in the wild in the last three years (2021 - 2023) started out with a memory corruption vulnerability in a Chrome renderer process that was exploited for remote code execution. The majority of those vulnerabilities (60%) were found in V8.

This motivated the team to look for a solution, and after almost three years building, they came out with the V8 Sandbox, a tool that is “no longer considered an experimental security feature”. The tool is already included in Chrome’s Vulnerability Reward Program (VRP), and in Chrome 123 - which could be considered “a sort of ‘beta’ release for the sandbox,” they said. 

The idea behind V8 Sandbox is not unlike any other sandbox - all the code V8 executes gets restricted to a subset of the process’ virtual address space, and isolated from the rest of the process. 

On the V8 blog, security technical lead Samuel Groß said that the approach is “fundamentally cheap” - the overhead caused by the sandbox is around 1% or less, according to results from Speedometer and JetStream. That means V8 Sandbox can be enabled by default on compatible platforms, meaning Android, ChromeOS, Linux, macOS, and Windows. 

"The V8 Sandbox requires a 64-bit system as it needs to reserve a large amount of virtual address space, currently one terabyte," Groß said.

More from TechRadar Pro

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.