The V8 Sandbox
Status and deployment of the V8 Sandbox
- Sandbox has been enabled by default for 64‑bit Chrome on major platforms for ~2 years; Electron also uses sandboxed pointers.
- Node’s V8 build reportedly does not yet enable the sandbox by default.
Rust, memory safety, and accusations of “downplaying”
- Several comments argue the blog post dismisses Rust by focusing on JIT issues, then shows sandbox bugs that look like classic memory-safety problems (UAF, OOB) that Rust could prevent.
- Others counter that most serious JS engine bugs are in runtime logic that would live in
unsafeRust anyway, so simply switching languages wouldn’t materially change the security profile. - Disagreement on how much of the sandbox and runtime could be written in fully safe Rust (
#![forbid(unsafe_code)]) versus necessarily unsafe components like GC and low-level heap machinery.
JIT, runtimes, and sandbox escapes
- Consensus that memory-safe languages can’t directly protect against miscompiled JIT machine code that omits necessary checks.
- The sandbox mitigates this by ensuring JIT code can only corrupt in‑sandbox data; exploitation then requires a second bug in the sandbox or runtime.
- Debate over how much Rust would reduce these sandbox-escape bugs: some see a large benefit; others say these are fundamentally “runtime is wrong about metadata” problems that any language can still have.
Other runtimes and self-hosting
- Comparisons to JVM/.NET and WASM: one side suggests higher-level VMs reduce type confusion and bounds issues; the other argues this just shifts attacks to that VM’s unsafe implementation.
- GraalVM is cited as an example of memory-safe interpreter semantics plus partial evaluation to JIT, claimed to avoid some V8-style issues.
Language semantics and the fizzbuzz example
- Confusion clarified: JS array OOB from JS returns
undefined, but the example’s bug is in C++ code indexing a raw backing buffer. - JS’s pervasive side effects (e.g.,
Symbol.toPrimitivechanging array length mid-operation) are seen as making engines extremely complex and error‑prone.
Performance, configuration, and alternative isolation
- Disabling JIT is possible in Chromium settings and in Safari’s Lockdown Mode (which also disables many APIs), but with 1.5–10× slowdowns on some workloads.
- Some argue this slowdown is acceptable given typical web usage; others point to power and responsiveness costs.
- Node worker_threads use separate V8 isolates for in‑process sandboxing with timeouts; Cloudflare Workers rely on V8 isolation, while Fly uses micro‑VMs.