The V8 Sandbox

Status and deployment of the V8 Sandbox

  • Sandbox has been enabled by default for 64‑bit Chrome on major platforms for ~2 years; Electron also uses sandboxed pointers.
  • Node’s V8 build reportedly does not yet enable the sandbox by default.

Rust, memory safety, and accusations of “downplaying”

  • Several comments argue the blog post dismisses Rust by focusing on JIT issues, then shows sandbox bugs that look like classic memory-safety problems (UAF, OOB) that Rust could prevent.
  • Others counter that most serious JS engine bugs are in runtime logic that would live in unsafe Rust anyway, so simply switching languages wouldn’t materially change the security profile.
  • Disagreement on how much of the sandbox and runtime could be written in fully safe Rust (#![forbid(unsafe_code)]) versus necessarily unsafe components like GC and low-level heap machinery.

JIT, runtimes, and sandbox escapes

  • Consensus that memory-safe languages can’t directly protect against miscompiled JIT machine code that omits necessary checks.
  • The sandbox mitigates this by ensuring JIT code can only corrupt in‑sandbox data; exploitation then requires a second bug in the sandbox or runtime.
  • Debate over how much Rust would reduce these sandbox-escape bugs: some see a large benefit; others say these are fundamentally “runtime is wrong about metadata” problems that any language can still have.

Other runtimes and self-hosting

  • Comparisons to JVM/.NET and WASM: one side suggests higher-level VMs reduce type confusion and bounds issues; the other argues this just shifts attacks to that VM’s unsafe implementation.
  • GraalVM is cited as an example of memory-safe interpreter semantics plus partial evaluation to JIT, claimed to avoid some V8-style issues.

Language semantics and the fizzbuzz example

  • Confusion clarified: JS array OOB from JS returns undefined, but the example’s bug is in C++ code indexing a raw backing buffer.
  • JS’s pervasive side effects (e.g., Symbol.toPrimitive changing array length mid-operation) are seen as making engines extremely complex and error‑prone.

Performance, configuration, and alternative isolation

  • Disabling JIT is possible in Chromium settings and in Safari’s Lockdown Mode (which also disables many APIs), but with 1.5–10× slowdowns on some workloads.
  • Some argue this slowdown is acceptable given typical web usage; others point to power and responsiveness costs.
  • Node worker_threads use separate V8 isolates for in‑process sandboxing with timeouts; Cloudflare Workers rely on V8 isolation, while Fly uses micro‑VMs.