Option to disable JIT compilation? I think AOT compilation is okay, don’t hear as many exploits using that.
It would also be nice if Scudo Hardened Allocator was used.
Didn’t realize it wasn’t an option before for V8. Currently I’m using --js-flags="--jitless --clear-free-memory --single-threaded-gc" with brave-browser. Benchmarks are only a seventh, but everything runs fine on the desktop.
--clear-free-memory is potentially superfluous, but there is no statistically noticeable performance reduction according to benchmarks.
1+
Microsoft Edge is getting a “Super Duper Secure Mode” which runs Edge JIT-less, would be awesome if we could have a similar mode in Brave without the need for custom app args.
Need this. Microsoft Edge, Vanadium and Bromite (both on android) provide it already.
As a brave://flags ?
Any news on this? It seems like a pretty amazing security feature just sitting there, waiting to be implemented.
Hi there,
I’m a security researcher and would love to see this as an option. Edge now supports WASM emulation through Drumbrake[1], which allows WASM to work without any RWX pages being arbitrarily written to; this combined with SDSM[2] gives a super solid setup for basically any threat model, including nation state targeted individuals.
If this was implemented the Brave target threat model would move basically entirely to mainline Chromium/Chrome exploits which are extremely expensive and valuable or to Brave specific exploits targeting your Mojo IPC implementations or similar added features.
I’d love to see a flag to just disable JIT entirely, wasm, webassembly, the lot, maybe add it into the “Aggressive” shields mode, it will kill 99% of modern exploit chains.
Given brave is about to be quite heavily recommended once Chrome/Chromium kill manifest v2 this would be an amazing feature for the community, Edge has done a fantastic job and it’s a game changer for exploit mitigations.
As for scudo, that allocator has its issues, I don’t think we need a secured/hardened allocator just for brave, seems easier to just do LD_PRELOAD or dylib injection to force your own allocator IF you need it.
Ahead of time is much safer than Just in time as it doesn’t rely as heavily on speculative optimisations.
I’d love to recommend Brave to my friends and colleagues; however, currently I cannot due to this feature not being present, so my recommendation will remain Edge. I also have some concerns about the length of time between mainline patch updates being applied to Brave, but it seems to be much much faster than it was even a few years ago.
If you require any assistance or questions on how to implement it I’m happy to talk, also happy to make introductions on the Edge security team.
I will say one thing, I don’t think having it enabled/disabled on a per origin basis is a great idea for super hardened security, then you get the NoScript problem where to bypass NoScript all you needed was an XSS on a trusted website from the NoScript global allow list (many moons ago).
[2] - https://microsoftedge.github.io/edgevr/posts/Introducing-Enhanced-Security-for-Microsoft-Edge/
Comment from Brave GitHub Issue Report below. Only comment since issue was opened on Dec 2, 2022.
fmarier commented Jul 25, 2022
If you want to try this out, you can start Brave with
brave-browser --js-flags=--jitless
and that will disable the JIT entirely. One problem I ran into is that this disables support for WASM, which some sites and extensions use. Being able to disable it on a site-by-site basis would make this much more practical.
Brave GitHub Issue Report:
Is there an update on this?
In Chromium one can disable JIT JavaScript by placing a config file like this in a system directory.
cat /usr/etc/chromium/chromium.conf
# system wide chromium flags
CHROMIUM_FLAGS=""
CHROMIUM_FLAGS+=" --ozone-platform=wayland"
CHROMIUM_FLAGS+=" --js-flags=--jitless"
Even though I have Brave installed, this directory does not exist. Would you just swap chromium with brave? Does “CHROMIUM” have to be replaced with “BRAVE” too? The URL is different in Brave.
This is really important
It looks like it’s going to be enabled in Chrome from the next version (122).
https://support.google.com/chrome/a/answer/7679408#upChromeBrsrE121
- V8 security setting
Add a setting on chrome://settings/security to disable the V8 JIT optimizers, in order to reduce the attack surface of Chrome. This behavior continues to be controlled by the DefaultJavaScriptJitSetting enterprise policy, and the associated JavaScriptJitAllowedForSites and JavaScriptJitBlockedForSites policies. The setting is integrated into Site Settings. The setting rolls out in Chrome 122. The enterprise policies have been available since Chrome 93.
- Chrome 122 on ChromeOS, LaCrOS, Linux, MacOS, Windows, Fuchsia
I presume this setting will be added to Chromium at the same time, but don’t know for sure.
However, really it needs a WebAssembly Interpreter implemented (like DrumBrake in Microsoft Edge) to allow websites using WebAssembly to still function with JIT disabled (including Brave’s own captcha for example).
You can already set a lot in Chromium Policies. It simply seems undocumented how Brave loads these, because it seems directories need to be reloaded. The policies and launch parameters load normally.
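As an added example (not code from this thread, from Brave or from Chromium): a POSIX shell snippet that renders a managed-policy JSON using the DefaultJavaScriptJitSetting and JavaScriptJitAllowedForSites policies quoted above (JIT blocked by default, with an allow-list for the few sites that still need WASM), plus a check that a launch command line really carries --jitless inside --js-flags, as used earlier in the thread. The Brave policy directory named in the comments is an assumption; the site patterns are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or from Brave). Two helpers:
#  1. render_jit_policy: emits managed-policy JSON that blocks the V8 JIT
#     by default (DefaultJavaScriptJitSetting = 2) and allow-lists the
#     sites that still need WASM (JavaScriptJitAllowedForSites).
#  2. cmdline_is_jitless: checks that a launch line really carries
#     --jitless inside --js-flags, e.g. before trusting a wrapper script.
# Assumption: on Linux the file would live under /etc/brave/policies/managed/
# (Chromium reads /etc/chromium/policies/managed/); verify for your build.

# $1 = comma-separated site patterns to allow-list (may be empty).
render_jit_policy() {
  allow=$1
  printf '{\n  "DefaultJavaScriptJitSetting": 2'
  if [ -n "$allow" ]; then
    printf ',\n  "JavaScriptJitAllowedForSites": ['
    first=1
    old_ifs=$IFS; IFS=,; set -f        # split on commas, no glob expansion
    for pat in $allow; do
      [ "$first" -eq 1 ] || printf ','
      printf '\n    "%s"' "$pat"
      first=0
    done
    IFS=$old_ifs; set +f
    printf '\n  ]'
  fi
  printf '\n}\n'
}

# Returns 0 when one argument is --js-flags=... whose value contains
# --jitless as a whole token (V8 flags are space-separated), 1 otherwise.
# A bare --jitless outside --js-flags is not a V8 flag, so it does not count.
cmdline_is_jitless() {
  for arg in "$@"; do
    case "$arg" in
      --js-flags=*)
        set -f
        for flag in ${arg#--js-flags=}; do
          [ "$flag" = "--jitless" ] && { set +f; return 0; }
        done
        set +f ;;
    esac
  done
  return 1
}

# Usage (constructed values): render the policy and check a launch line.
render_jit_policy 'https://[*.]example.com,https://captcha.example.org'
cmdline_is_jitless brave-browser "--js-flags=--jitless --single-threaded-gc" \
  && echo "jitless: yes" || echo "jitless: no"
```

To check a running process instead of a script, feed it the NUL-separated arguments from /proc/<pid>/cmdline (Linux), one per shell argument.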