Lightnews — Scholar-powered news

Reposted by Samuel Groß

halvarflake.bsky.social @halvarflake.bsky.social · Sep 10

I have often stated that well-implemented memory tagging will be a game changer for memory corruptions. And it seems that with the next iPhone it's finally here: security.apple.com/blog/memory-...

Blog - Memory Integrity Enforcement: A complete vision for memory safety in Apple devices - Apple Security Research

Memory Integrity Enforcement (MIE) is the culmination of an unprecedented design and engineering effort spanning half a decade that combines the unique strengths of Apple silicon hardware with our adv...

security.apple.com

4 16 56

Samuel Groß @saelo.bsky.social · Aug 12

It's been a great pleasure being part of the core V8 team and I'll still be active in the V8 Security space in a (mostly) consulting role to help ensure the V8 Sandbox keeps progressing and becomes a strong security boundary! :)

4

Samuel Groß @saelo.bsky.social · Aug 12

Some personal news: I'm thrilled to be moving back to Project Zero! Specifically I'll be joining the Big Sleep project to find vulnerabilities in JavaScript engines. We've already found and reported our first vulnerability in V8 last week: issuetracker.google.com/issues/43621...

Google Issue Tracker

issuetracker.google.com

1 2 25

Samuel Groß @saelo.bsky.social · Aug 1

We released our Fuzzilli-based V8 Sandbox fuzzer: github.com/googleprojec...
It explores the heap to find interesting objects and corrupts them in a deterministic way using V8's memory corruption API. Happy fuzzing!

Add V8SandboxFuzzer · googleprojectzero/fuzzilli@675eccd

This is a basic fuzzer for the V8 Sandbox. It uses the memory corruption API to implement a random-but-deterministic (given a seed) traversal through the V8 heap object graph and corrupts some obje...

github.com

6 24

Samuel Groß @saelo.bsky.social · Jul 9

It's not (yet) meant for production use, but should offer a preliminary look at where things might be heading. See crbug.com/350324877 for more details.

Feedback welcome! :)

Chromium

crbug.com

7

Samuel Groß @saelo.bsky.social · Jul 9

If you have a machine with PKEY support and somewhat recent Linux kernel you can now play around with hardware support for the V8 sandbox. When active, JS + Wasm code has no write permissions outside the sandbox address space. To enable, simply set `v8_enable_sandbox_hardware_support = true`.

1 4 18

Samuel Groß @saelo.bsky.social · Jul 2

V8 Security is hiring in Munich, Germany: www.google.com/about/career...

Great opportunity to work on some really hard and interesting problems in the security space!

Software Engineer III, V8 Security — Google Careers

www.google.com

5 11

Samuel Groß @saelo.bsky.social · Jun 3

And I've also updated our V8 Exploit Tracker sheet now: docs.google.com/document/d/1... (see the 2025 tab) :)

V8 Exploit Tracker

2024 Issue First Exploited Description Exploit requires V8 Sandbox Bypass Exploit requires optimizing JITs (Turbofan & Maglev) Exploit requires any JITs (Liftoff, Sparkplug, Maglev & Turbofan) Varian...

docs.google.com

1 6

Samuel Groß @saelo.bsky.social · Jun 3

chromereleases.googleblog.com/2025/06/stable-channel-update-for-desktop.html

Some cool things to note though:
- the bug was mitigated via finch kill switch a day after the report from TAG
- we also fixed the V8 Sandbox bypass within 7 days even though it's not yet considered a security boundary

Stable Channel Update for Desktop

The Stable channel has been updated to 137.0.7151.68/.69 for Windows, Mac and 137.0.7151.68 for Linux which will roll out over the coming...

chromereleases.googleblog.com

1 7

Reposted by Samuel Groß

Carl Smith @rwx.page · Feb 4

I’m very excited to announce that we at V8 Security have finally published our first version of Fuzzilli that understands Wasm!
Go check it out at https://github.com/googleprojectzero/fuzzilli.
While we still have a way to go in improving it, we think it shows a promising approach!

1 16 31

Samuel Groß @saelo.bsky.social · Nov 13

Another big step towards becoming a security boundary: today we’re expanding the VRP for the V8 Sandbox

* No longer limited to d8

* Rewards for controlled writes increased to $20k

* Any memory corruption outside the sandbox is now in scope

bughunters.google.com/about/rules/...

Happy hacking!

Chrome Vulnerability Reward Program Rules | Google Bug Hunters

ATTENTION As of 4 February 2024, Chromium has migrated to a new issue tracker, please report security bugs to the new issue tracker using this form . Please see the Chrome VRP News and FAQ page for mo...

bughunters.google.com

1 10 27

Samuel Groß @saelo.bsky.social · Jun 7

This for example shows that the V8 Sandbox is pretty promising in terms of "bug coverage". Of course that also assumes that it'll become a strong security boundary (it's still pretty soft at the moment), see bsky.app/profile/sael...

Samuel Groß @saelo.bsky.social · Jun 5

And the recording is now also public: youtu.be/5otAw81AHQ0?... thanks @offensivecon.bsky.social!

3

Samuel Groß @saelo.bsky.social · Jun 7

Thanks to events like Pwn2Own or our V8CTF (~= exploit bounty program), we now have more data about the types of bugs exploited in V8. Based on that, we've gathered some basic statistics: docs.google.com/document/d/1...

Exploited V8 Bugs in 2024

Exploited V8 Bugs in 2024 Issue First Exploited Description Exploit requires V8 Sandbox Bypass Exploit requires JIT compilation Variant JavaScript or WebAssembly Introduced by Introduced in b/4149033...

docs.google.com

1 3

Samuel Groß @saelo.bsky.social · Jun 5

And the recording is now also public: youtu.be/5otAw81AHQ0?... thanks @offensivecon.bsky.social!

Samuel Groß @saelo.bsky.social · May 22

Finally got around to publishing the slides of my talk @offensivecon.bsky.social from ~two weeks ago. Sorry for the delay!

The V8 Heap Sandbox: saelo.github.io/presentation...

Fantastic conference, as usual! :)

5 4

Samuel Groß @saelo.bsky.social · Apr 4

Thanks Justin!

1

Samuel Groß @saelo.bsky.social · Apr 4

Big day for the V8 Sandbox:
* Now included in the Chrome VRP: g.co/chrome/vrp/#...
* Motivation & goals discussed in a new technical blog post: v8.dev/blog/sandbox

If there is ever a Sandbox "beta" release, this is it!

3 6

Samuel Groß @saelo.bsky.social · Feb 15

New V8 Sandbox design document is out: docs.google.com/document/d/1...

This discusses how a hardware-based sandbox instead of the currently purely software-based one might look like in a somewhat distant future (if at all)

Samuel Groß @saelo.bsky.social · Jan 19

Some early performance numbers for the V8 Sandbox: looks like with most of the performance critical parts in place now, the overall performance cost of this future security boundary is only around 1% on popular benchmarks \o/

More results linked from chromium-review.googlesource.com/c/v8/v8/+/52...

Benchmark results on Speedometer2 showing that the overall performance impact of the V8 sandbox is only around 1% total

1 2

Samuel Groß @saelo.bsky.social · Dec 8

I've been meaning to write this for some time now and finally got around to it: a "V8 Sandbox Glossary" document that briefly explains the most important terms/concepts used for the sandbox and links to the respective design documents: docs.google.com/document/d/1...

V8 Sandbox - Glossary

docs.google.com

Samuel Groß @saelo.bsky.social · Nov 30

Trusted space design doc: docs.google.com/document/d/1...

V8 Sandbox - Trusted Space

V8 Sandbox - Trusted Space Author: saelo@ First Published: October 2023 Last Updated: October 2023 Status: Living Doc Visibility: PUBLIC This document is part of the V8 Sandbox Project and discusses...

docs.google.com

1

Samuel Groß @saelo.bsky.social · Nov 30

Another exciting step for the V8 sandbox: with crrev.com/c/5007733 BytecodeArrays are now the first objects to move into the new trusted heap space! Still a number of remaining issues around bytecode execution, but this fixes the long-standing issue that an attacker could directly corrupt bytecode

Gerrit Code Review

crrev.com

1 2 3

Samuel Groß @saelo.bsky.social · Oct 20

I've also updated the high-level design document (in particular the summary diagram) to better reflect the current design: docs.google.com/document/d/1...

V8 Sandbox - High-Level Design Doc

V8 Sandbox Aka. “Ubercage” Author: saelo@ First Published: July 2021 Last Updated: October 2023 Status: Living Doc Visibility: PUBLIC This document is part of the V8 Sandbox Project and covers th...

docs.google.com

1

Samuel Groß @saelo.bsky.social · Oct 20

Here's another V8 sandbox design document, this time discussing how sensitive ("trusted") V8-internal objects (such as BytecodeArrays) can be protected: docs.google.com/document/d/1...
This should be one of the last pieces of infrastructure required for the sandbox.

V8 Sandbox - Trusted Space

V8 Sandbox - Trusted Space Author: saelo@ First Published: October 2023 Last Updated: October 2023 Status: Living Doc Visibility: PUBLIC This document is part of the V8 Sandbox Project and discusses...

docs.google.com

1 2 7