Google Git
Sign in
chromium / v8 / v8 / refs/heads/canary / . / src / sandbox
tree: 8a2f157843ca5e2606fe4b2aa958c34c133fbdfa [path history] [tgz]
  1. bounded-size-inl.h
  2. bounded-size.h
  3. check.h
  4. code-entrypoint-tag.h
  5. code-pointer-inl.h
  6. code-pointer-table-inl.h
  7. code-pointer-table.cc
  8. code-pointer-table.h
  9. code-pointer.h
  10. compactible-external-entity-table-inl.h
  11. compactible-external-entity-table.h
  12. cppheap-pointer-inl.h
  13. cppheap-pointer-table-inl.h
  14. cppheap-pointer-table.cc
  15. cppheap-pointer-table.h
  16. cppheap-pointer.h
  17. external-entity-table-inl.h
  18. external-entity-table.h
  19. external-pointer-inl.h
  20. external-pointer-table-inl.h
  21. external-pointer-table.cc
  22. external-pointer-table.h
  23. external-pointer.h
  24. GLOSSARY.md
  25. hardware-support.cc
  26. hardware-support.h
  27. indirect-pointer-inl.h
  28. indirect-pointer-tag.h
  29. indirect-pointer.h
  30. isolate-inl.h
  31. isolate.h
  32. js-dispatch-table-inl.h
  33. js-dispatch-table.cc
  34. js-dispatch-table.h
  35. OWNERS
  36. README.md
  37. sandbox.cc
  38. sandbox.h
  39. sandboxed-pointer-inl.h
  40. sandboxed-pointer.h
  41. tagged-payload.h
  42. testing.cc
  43. testing.h
  44. trusted-pointer-scope.cc
  45. trusted-pointer-scope.h
  46. trusted-pointer-table-inl.h
  47. trusted-pointer-table.cc
  48. trusted-pointer-table.h
src/sandbox/README.md

V8 Sandbox - Readme

A low-overhead, in-process sandbox for V8.

The sandbox limits the impact of typical V8 vulnerabilities by restricting the code executed by V8 to a subset of the process' virtual address space (“the sandbox”), thereby isolating it from the rest of the process. This works purely in software (with options for hardware support, see the respective design document linked below) by effectively converting raw pointers either into offsets from the base of the sandbox or into indices into out-of-sandbox pointer tables. In principle, these mechanisms are very similar to the userland/kernel separation used by modern operating systems (e.g. the unix file descriptor table).

The sandbox assumes that an attacker can arbitrarily and concurrently modify any memory inside the sandbox address space as this primitive can be constructed from typical V8 vulnerabilities. Further, it is assumed that an attacker will be able to read memory outside of the sandbox, for example through hardware side channels. The sandbox then aims to protect the rest of the process from such an attacker. As such, any corruption of memory outside of the sandbox address space is considered a sandbox violation.

Usage

To enable the sandbox, simply use v8_enable_sandbox = true in the gn args. The sandbox is only available in 64-bit configurations as it requires large amounts of virtual address space. The sandbox is enabled by default on supported configurations.

Testing

The sandbox is designed to be testable, both manually and automatically.

To use a “sandbox testing” configurations, two steps are required:

  1. V8 needs to be build with v8_enable_memory_corruption_api = true. This will, when sandbox testing mode is enabled, expose a JavaScript Sandbox object through which memory inside the sandbox can be arbitrarily modified. This API effectively emulates common exploit primitives that can be constructed from a typical V8 vulnerability.
  2. The sandbox testing mode needs to be enabled at runtime via either --sandbox-testing or --sandbox-fuzzing. This will expose the memory corruption API to JavaScript code and enable the sandbox crash filter, which will filter out uninteresting (for the sandbox) crashes such as access violations inside the sandbox or other unexploitable crashes. Note that the sandbox crash filter is currently only available on Linux.

The following example demonstrates these two parts:

// Create a DataView that can read and write inside the sandbox.
let memory = new DataView(new Sandbox.MemoryView(0, 0x100000000));

// Create an object to corrupt and obtain its address inside the sandbox.
let corruptMe = {};
let addr = Sandbox.getAddressOf(corruptMe);

// Corrupt the object.
memory.setUint32(addr, 0x41414141, true);
memory.setUint32(addr + 4, 0x41414141, true);
memory.setUint32(addr + 8, 0x41414141, true);

// Trigger a crash. The sandbox crash filter will catch it and determine that
// this is _not_ a sandbox violation as it crashes inside the sandbox.
corruptMe.crash();

// The process will now terminate cleanly with a message such as:
// "Caught harmless memory access violation (inside sandbox address space). Exiting process..."

The --sandbox-testing and --sandbox-fuzzing flags are mostly identical. However, with --sandbox-testing, the process will terminate with exit status zero when detecting a harmless crash. As such, tests will be treated as passing if they crash safely such as for example through a CHECK failure. With --sandbox-fuzzing on the other hand, the process instead exits with a non-zero status so that fuzzers can determine that the execution terminated prematurely. Furthermore, the --sandbox-fuzzing requires the memory corruption API to be compiled in while --sandbox-testing can be enabled on any (sandbox-enabled) build. As such, --sandbox-fuzzing should generally be used for fuzzers while --sandbox-testing should be used for most other purposes.

Note that both --sandbox-testing and --sandbox-fuzzing will also report reads outside the sandbox as “sandbox violations”. This is not technically true as the sandbox only attempts to prevent writes. However it is both difficult and undesirable to filter out reads, for example because in some cases, the underlying issue may also allow an attacker to perform a write instead.

Resources

The following list contains further resources about the sandbox, in particular various design documents related to it.

  • Sandbox Blog Post: Discusses the motivation behind the sandbox and its goals while also briefly covering the high-level design, performance characteristics, and testability aspects of the sandbox.
  • High-Level Design Document: Discusses the attacker model, goal, and basic design of the sandbox, while linking to the more specific design documents below where appropriate.
  • Sandbox Address Space: Contains additional details about the address space reservation backing the sandbox and how it is allocated.
  • Sandboxed Pointers: Discusses the design of sandboxed pointers, which are pointers that are always guaranteed to point into the sandbox and are for example used to reference ArrayBuffer backing stores.
  • External Pointer Table: The external pointer table is used to securely reference non-V8 (“external”) objects, for example objects owned by the Embedder, from inside the sandbox. This document discusses its design in more detail.
  • Code Pointer Sandboxing: Similar to external objects, pointers to executable machine code also needs to be protected. This is done with the help of a dedicated code pointer table, which is discussed in this document.
  • Trusted Space: Certain V8 objects are considered trusted and must not be corrupted by an attacker. Examples of such objects include bytecode containers and metadata for JIT-generated code. These objects are protected by allocating them outside of the sandbox in the trusted heap space, then referencing them through another pointer table indirection to ensure memory safe access. This document discusses both of these mechanisms.
  • Hardware Support: Instead of the purely software-based sandbox described by the preceeding documents, the sandbox could also be implemented (or augmented) with special hardware support. This document discusses various options for how that may work in practice, what the implications would be, and which requirements the hardware would have to fulfill.