Description
slides:
saelo.github.io/presentations/offensivecon_24_the_v8_heap_sandbox.pdf
video:
youtube.com/watch?v=5otAw81AHQ0

The V8 JavaScript engine is investing in a new architecture based on a lightweight, in-process sandbox. This talk will discuss the motivation behind this sandbox, explore its current design and implementation, and finally look at the sandbox from an attacker’s perspective.
The V8 Sandbox is a new, lightweight sandbox currently being developed for the V8 JavaScript engine. In contrast to Chrome’s heavyweight process-based sandbox, it is an in-process sandbox that limits V8 to a subset of the process’ virtual address space. It assumes that an attacker can already corrupt memory inside the V8 sandbox, due to a bug in V8, and then attempts to prevent memory corruption elsewhere in the process’ address space.
In this talk, we will first explore the motivation behind the sandbox as well as its goals. We will then examine the current software-based design and implementation, also reviewing how the sandbox design has evolved since the initial prototype. Finally, we will look at the sandbox from an attacker’s point of view, discussing what kinds of bugs can be (and have been) found on the sandbox attack surface, and what a sandbox escape might look like.
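The threat model above is easiest to see in code. The toy below is an added example written for this post, not V8's code and not from the talk: it models the two mechanisms the sandbox relies on, references between in-sandbox objects stored as offsets from a reserved region base (masked on use, so no bounds check is needed), and references to out-of-sandbox objects going through a small handle table that lives outside the region. The region size, table size, the `struct object` layout and the "attacker" functions are all constructed for illustration; V8's real region is multi-GiB and its table entries also carry type tags, which this model omits.

```c
// Toy model of an in-process heap sandbox in the spirit of the V8 sandbox.
// Illustrative only; this is not V8's implementation. A region of the address
// space is reserved up front; references between objects inside it are stored
// as offsets from the region base rather than raw pointers, and references to
// objects outside it go through an "external pointer table" indexed by a small
// handle. A corrupted offset or handle can therefore only reach memory the
// sandbox already owns, or another table entry.
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SANDBOX_SIZE (1u << 20)          /* toy: 1 MiB instead of a multi-GiB region */
#define SANDBOX_MASK (SANDBOX_SIZE - 1)  /* offsets are masked, not bounds-checked */
#define EPT_SIZE 16                      /* toy external pointer table size */

static uint8_t *sandbox_base;            /* start of the reserved region */
static void *external_table[EPT_SIZE];   /* lives OUTSIDE the sandbox */

/* A sandboxed pointer: a 32-bit offset into the region. */
typedef uint32_t sbx_ptr_t;

/* Masking guarantees the resulting address lies in [base, base + size). */
static inline void *sbx_deref(sbx_ptr_t off) {
    return sandbox_base + (off & SANDBOX_MASK);
}

/* An external pointer handle: an index into the table, checked on use. */
typedef uint32_t ext_handle_t;

static inline void *ext_deref(ext_handle_t h) {
    if (h >= EPT_SIZE) return NULL;
    return external_table[h];
}

/* A heap object as an attacker might corrupt it (constructed layout). */
struct object {
    sbx_ptr_t    data;     /* in-sandbox buffer */
    ext_handle_t backing;  /* out-of-sandbox resource */
};

/* Returns 1 on success. calloc stands in for reserving a VA range. */
int sandbox_init(void) {
    sandbox_base = calloc(SANDBOX_SIZE, 1);
    memset(external_table, 0, sizeof external_table);
    return sandbox_base != NULL;
}

/* Returns 1 if p lies inside the sandbox region. */
int in_sandbox(const void *p) {
    const uint8_t *q = p;
    return q >= sandbox_base && q < sandbox_base + SANDBOX_SIZE;
}

/* Simulated memory corruption: the attacker overwrites the offset field with
   an arbitrary value and the engine then writes through it. Whatever value is
   chosen, the dereference stays inside the region. Returns 1 if it did. */
int corrupted_offset_stays_inside(uint32_t attacker_value) {
    struct object *o = sbx_deref(0);
    o->data = attacker_value;              /* corrupted field */
    uint8_t *target = sbx_deref(o->data);
    target[0] = 0x41;                      /* the "write primitive" */
    return in_sandbox(target);
}

/* Out-of-sandbox references: a corrupted handle can only select another table
   entry or be rejected; it can never name an arbitrary address. Returns 1 if
   the corrupted handle resolved to nothing or to a legitimate entry. */
int corrupted_handle_is_bounded(uint32_t attacker_value) {
    static int secret = 0;                 /* outside the sandbox */
    external_table[3] = &secret;
    struct object *o = sbx_deref(0);
    o->backing = attacker_value;           /* corrupted field */
    void *p = ext_deref(o->backing);
    return p == NULL || p == &secret;
}

int main(void) {
    if (!sandbox_init()) return 1;
    printf("offset 0xFFFFFFFF inside sandbox: %d\n",
           corrupted_offset_stays_inside(0xFFFFFFFFu));
    printf("handle 0xDEADBEEF bounded: %d\n",
           corrupted_handle_is_bounded(0xDEADBEEFu));
    return 0;
}
```

The point of the model is what it does not protect: a corrupted offset still gives the attacker an arbitrary read/write over everything inside the region, and a corrupted handle can still swap one legitimate table entry for another. That is exactly the "sandbox attack surface" the talk discusses: code outside the region that trusts in-sandbox data (lengths, offsets, handles) without revalidating it, and table entries that can be confused with one another, which is why the real design tags them.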