This glossary explains the technical terms used in the context of the V8 Sandbox. For a general overview of the sandbox see the high-level design document.
Summary: A region of virtual address space (typically 1TB) containing all untrusted V8 objects.
Implementation: This is implemented as a large, contiguous virtual address space reservation using the appropriate operating system primitives. Address space reservations are cheap on all modern OSes.
Security Properties: It is assumed that an attacker can arbitrarily read and write memory inside the sandbox address space due to a typical security bug in V8. The mechanisms described in this document, in particular the various pointer types, then attempt to prevent an attacker from corrupting other memory inside the process running V8.
Design Document: V8 Sandbox - Address Space
This section gives an overview of the different object types related to the sandbox.
Summary: A V8 HeapObject containing sensitive data or code, located outside of the sandbox.
Implementation: These are regular HeapObjects with a special instance type and which are allocated in one of the trusted heap spaces, located outside of the sandbox.
Security Properties: As these objects live outside of the sandbox, it can be assumed that they have not been manipulated by an attacker. As such, they can safely be read from, but one must be particularly careful when writing to them to avoid any memory corruption in trusted space.
Design Document: V8 Sandbox - Trusted Space
Summary: A trusted object directly exposed to objects inside the sandbox.
Implementation: These objects own an entry in one of the trusted pointer tables and therefore can be referenced from inside the sandbox in a memory-safe way via a trusted pointer (see below).
Security Properties: Same as TrustedObject.
Design Document: V8 Sandbox - Trusted Space
This section gives an overview of the different pointer types used by the sandbox.
Summary: A pointer that is guaranteed to point into V8’s 4GB heap area, inside the sandbox.
Implementation: These are stored as 32-bit offsets from the start of the heap area. They were originally developed to reduce V8’s memory footprint.
Security Properties: As this pointer always points into the sandbox, it can always safely be written to, but when reading from it, it must be assumed that the data has been corrupted by an attacker.
Design Document: Compressed pointers in V8
Summary: A full (64-bit) pointer to a V8 HeapObject.
Implementation: These are regular (“raw”) pointers to HeapObjects. They appear for example after decompressing a compressed pointer when loading it into a register or onto the stack, or as fields in objects located outside of the sandbox, for example tracking data structures used by the GC or the compilers, or objects created by the Embedder.
Security Properties: As these are raw pointers, they must not be corrupted by an attacker and so must only be used outside of the sandbox. As they also point into the sandbox, the same considerations as for Compressed Pointers apply, namely that it must be assumed that what they point to has been corrupted.
Summary: A pointer that is guaranteed to point into the sandbox.
Implementation: A sandboxed pointer is a 40-bit offset (when the sandbox is 1TB large) that is added to the base of the sandbox when loaded. When the sandbox is disabled, they are regular full pointers.
Security Properties: As this pointer always points into the sandbox, it can always safely be written to, but when reading from it, it must be assumed that the data has been corrupted by an attacker.
Design Document: V8 Sandbox - Sandboxed Pointers
Summary: A pointer that cannot be modified by an attacker. Only used between TrustedObjects.
Implementation: These are implemented as compressed pointers but use the trusted space base instead of the in-sandbox heap base. It’s therefore guaranteed that they will always point into trusted space. As the pointer itself is also located in trusted space, it cannot directly be modified by an attacker. When the sandbox is disabled, they are regular tagged pointers.
Security Properties: Neither the pointer itself nor the pointed-to object can be modified by an attacker as both live in trusted space. These pointers therefore have the strongest security guarantees.
Design Document: V8 Sandbox - Trusted Space
Summary: A pointer to an object external to V8, outside of the sandbox and not managed by V8’s GC.
Implementation: These are implemented as indices into the ExternalPointerTable (EPT), which is located outside of the sandbox. The EPT performs type checks on every access to a pointer. Conceptually, they are very similar to file descriptors in Unix. When the sandbox is disabled, they are regular full pointers.
Security Properties: The pointer will point to a valid object of the expected type. However, an attacker can swap these pointers as long as the type of the referenced object is the same.
Design Document: V8 Sandbox - External Pointer Sandboxing
Summary: A pointer to a V8 HeapObject that goes through a pointer table indirection on access.
Implementation: The “under-the-hood” implementation of Trusted Pointers and Code Pointers (see below) when the sandbox is enabled. Similar to External Pointers, these are indices into a pointer table and perform type checks on access. These pointers are only available when the sandbox is enabled.
Security Properties: See Trusted Pointer.
Design Document: V8 Sandbox - Trusted Space
Summary: A pointer that is guaranteed to point to a valid TrustedObject in trusted space.
Implementation: These are implemented as Indirect Pointers using the TrustedPointerTable (TPT) when the sandbox is enabled. Otherwise they are regular tagged pointers.
Security Properties: The pointer will point to a TrustedObject in trusted space of the expected type. However, as with External Pointers an attacker can perform “pointer swap attacks” so it is not guaranteed that the pointer still points to the “original” object.
Design Document: V8 Sandbox - Trusted Space
Summary: A special kind of Trusted Pointer that always points to a Code object.
Implementation: Similar to Trusted Pointers, but these use the CodePointerTable (CPT) instead of the TPT. They are essentially a performance optimization as the CPT also directly points to the code’s entrypoint.
Security Properties: Same as Trusted Pointers, but will always point to a Code object.
Design Document: V8 Sandbox - Code Pointer Sandboxing