Hello,
Edge Vuln Research just dropped the amazing named "Super Duper Secure Mode" [1]---an interesting albeit slightly provocative statement they make in the announcement is that JITs may not be worth it for security-sensitive users, since they account for about half the bugs in V8 (Chromium's JS engine) and their new research shows that disabling JITs, despite the huge performance regressions in traditional JS benchmarks, is rarely noticeable in real-life. I don't think tbb is new to clamping down JS (for security-sensitive users), but this idea of disabling JITs might be interesting to look into*.
First, taking a step back, recall that modern browsers execute JS by converting it into bytecode and then using an interpreter to execute, and functions that are "hot" (executed many times) are recompiled using a JIT to produce faster code. This is super simplified, see [2] for a more technical overview of how this works in Firefox.
I think this idea can be used to improve the Tor Browser,
1. we can disable JITs in "Safer" mode which would reduce usability but improve security; and 2. we can enable JS and disable JITs in "Safest" mode which would reduce significantly improve usability but degrade security.
On a more meta note, this wouldn't be hard to implement, Firefox has prefs to enable and disable this stuff, and @freddyb's tweet [3] seems to confirm this intuition.
What do y'all think?
Best, Sanketh
*disabling JITs was discussed in the tor issue tracker 4 years ago [4] but most of the then concerns (like changing build settings) seem to have been resolved and JITs are now enabled across the browser (they were not enabled for content back then) and so this, I feel, can use fresh eyes.
[1]: https://microsoftedge.github.io/edgevr/posts/Super-Duper-Secure-Mode/ [2]: https://hacks.mozilla.org/2020/11/warp-improved-js-performance-in-firefox-83... [3]: https://twitter.com/freddyb/status/1423020386560712705?s=20 [4]: https://gitlab.torproject.org/legacy/trac/-/issues/21011
On Thu, Aug 05, 2021 at 02:31:16AM +0000, sanketh wrote:
Hello,
Hi Sanketh!
Edge Vuln Research just dropped the amazing named "Super Duper Secure Mode" [1]---an interesting albeit slightly provocative statement they make in the announcement is that JITs may not be worth it for security-sensitive users, since they account for about half the bugs in V8 (Chromium's JS engine) and their new research shows that disabling JITs, despite the huge performance regressions in traditional JS benchmarks, is rarely noticeable in real-life. I don't think tbb is new to clamping down JS (for security-sensitive users), but this idea of disabling JITs might be interesting to look into*.
First, taking a step back, recall that modern browsers execute JS by converting it into bytecode and then using an interpreter to execute, and functions that are "hot" (executed many times) are recompiled using a JIT to produce faster code. This is super simplified, see [2] for a more technical overview of how this works in Firefox.
I think this idea can be used to improve the Tor Browser,
- we can disable JITs in "Safer" mode which would reduce usability but improve security; and
Indeed, this is a good idea. Currently on Safer we disable: - ion (optimizing JIT) - baselinejit (Baseline JIT) - wasm
// pref: Safest, Safer, Standard "javascript.options.ion" : [, false, false, true ], "javascript.options.baselinejit" : [, false, false, true ], "javascript.options.wasm" : [, false, false, true ],
- we can enable JS and disable JITs in "Safest" mode which would reduce significantly improve usability but degrade security.
On Safest, Javascript is disabled via NoScript (by injecting a CSP header that disallows scripts). The interpreter has vulnerabilities occasionally, but I don't remember any in recent history.
Some more details are in [5].
On a more meta note, this wouldn't be hard to implement, Firefox has prefs to enable and disable this stuff, and @freddyb's tweet [3] seems to confirm this intuition.
What do y'all think?
Best, Sanketh
*disabling JITs was discussed in the tor issue tracker 4 years ago [4] but most of the then concerns (like changing build settings) seem to have been resolved and JITs are now enabled across the browser (they were not enabled for content back then) and so this, I feel, can use fresh eyes.
[5] https://gitlab.torproject.org/tpo/applications/tor-launcher/-/issues/9387#no...
Inlined response.
- we can disable JITs in "Safer" mode which would reduce usability but improve security; and
Indeed, this is a good idea. Currently on Safer we disable:
- ion (optimizing JIT)
- baselinejit (Baseline JIT)
- wasm
// pref: Safest, Safer, Standard "javascript.options.ion" : [, false, false, true ], "javascript.options.baselinejit" : [, false, false, true ], "javascript.options.wasm" : [, false, false, true ],
Gah, nice catch, I checked the settings for Standard and thought that Safer would use the same settings đ , this makes more sense đ.
On a sidenote, now that wasm is relatively stable, I think it would be nice to enable wasm (and disable javascript.options.wasm_baselinejit and javascript.options.wasm_optimizingjit) like we do for JS.
- we can enable JS and disable JITs in "Safest" mode which would reduce significantly improve usability but degrade security.
On Safest, Javascript is disabled via NoScript (by injecting a CSP header that disallows scripts). The interpreter has vulnerabilities occasionally, but I don't remember any in recent history.
I guess this is implied but since "Safer" already disables JITs, there doesn't seem to be value in enabling JS and disabling JITs in "Safest". The interpreter seems to have vulns, like the sec-moderate CVE-2021-23954 [1] but the bigger issue is the other half of JS vulns ("logic bugs") like CVE-2020-15676 [2].
Some more details are in [5].
Thanks for the link. It is kinda surreal to see discussions very similar to the ones happening on twitter right now in these threads from 7 years ago!
Best, Sanketh
[1]: https://bugzilla.mozilla.org/show_bug.cgi?id=1684020 [2]: https://bugzilla.mozilla.org/show_bug.cgi?id=1646140
On Wed.-Aug.-04-2021 11:54 p.m., Matthew Finkel wrote:
On Thu, Aug 05, 2021 at 02:31:16AM +0000, sanketh wrote:
Hello,
Hi Sanketh!
Edge Vuln Research just dropped the amazing named "Super Duper Secure Mode" [1]---an interesting albeit slightly provocative statement they make in the announcement is that JITs may not be worth it for security-sensitive users, since they account for about half the bugs in V8 (Chromium's JS engine) and their new research shows that disabling JITs, despite the huge performance regressions in traditional JS benchmarks, is rarely noticeable in real-life. I don't think tbb is new to clamping down JS (for security-sensitive users), but this idea of disabling JITs might be interesting to look into*.
First, taking a step back, recall that modern browsers execute JS by converting it into bytecode and then using an interpreter to execute, and functions that are "hot" (executed many times) are recompiled using a JIT to produce faster code. This is super simplified, see [2] for a more technical overview of how this works in Firefox.
I think this idea can be used to improve the Tor Browser,
- we can disable JITs in "Safer" mode which would reduce usability but improve security; and
Indeed, this is a good idea. Currently on Safer we disable:
- ion (optimizing JIT)
- baselinejit (Baseline JIT)
- wasm
// pref: Safest, Safer, Standard "javascript.options.ion" : [, false, false, true ], "javascript.options.baselinejit" : [, false, false, true ], "javascript.options.wasm" : [, false, false, true ],
- we can enable JS and disable JITs in "Safest" mode which would reduce significantly improve usability but degrade security.
On Safest, Javascript is disabled via NoScript (by injecting a CSP header that disallows scripts). The interpreter has vulnerabilities occasionally, but I don't remember any in recent history.
Some more details are in [5].
On a more meta note, this wouldn't be hard to implement, Firefox has prefs to enable and disable this stuff, and @freddyb's tweet [3] seems to confirm this intuition.
What do y'all think?
Best, Sanketh
*disabling JITs was discussed in the tor issue tracker 4 years ago [4] but most of the then concerns (like changing build settings) seem to have been resolved and JITs are now enabled across the browser (they were not enabled for content back then) and so this, I feel, can use fresh eyes.
[5] https://gitlab.torproject.org/tpo/applications/tor-launcher/-/issues/9387#no... _______________________________________________ tbb-dev mailing list tbb-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tbb-dev