[tbb-dev] Disabling JITs in the Tor Browser
Matthew Finkel
sysrqb at torproject.org
Thu Aug 5 03:54:52 UTC 2021
On Thu, Aug 05, 2021 at 02:31:16AM +0000, sanketh wrote:
> Hello,
Hi Sanketh!
>
> Edge Vuln Research just dropped the amazingly named "Super Duper Secure Mode"
> [1]---an interesting albeit slightly provocative statement they make in the
> announcement is that JITs may not be worth it for security-sensitive users,
> since they account for about half the bugs in V8 (Chromium's JS engine) and
> their new research shows that disabling JITs, despite the huge performance
> regressions in traditional JS benchmarks, is rarely noticeable in real-life.
> I don't think tbb is new to clamping down JS (for security-sensitive users),
> but this idea of disabling JITs might be interesting to look into*.
>
> First, taking a step back, recall that modern browsers execute JS by
> converting it into bytecode and then using an interpreter to execute, and
> functions that are "hot" (executed many times) are recompiled using a JIT to
> produce faster code. This is super simplified, see [2] for a more technical
> overview of how this works in Firefox.
>
> I think this idea can be used to improve the Tor Browser,
>
> 1. we can disable JITs in "Safer" mode which would reduce usability but
> improve security; and
Indeed, this is a good idea. Currently on Safer we disable:
- ion (optimizing JIT)
- baselinejit (Baseline JIT)
- wasm
// pref: Safest, Safer, Standard
"javascript.options.ion" : [, false, false, true ],
"javascript.options.baselinejit" : [, false, false, true ],
"javascript.options.wasm" : [, false, false, true ],
> 2. we can enable JS and disable JITs in "Safest" mode which would
> significantly improve usability but degrade security.
On Safest, Javascript is disabled via NoScript (by injecting a CSP
header that disallows scripts). The interpreter has vulnerabilities
occasionally, but I don't remember any in recent history.
Some more details are in [5].
>
> On a more meta note, this wouldn't be hard to implement, Firefox has prefs
> to enable and disable this stuff, and @freddyb's tweet [3] seems to confirm
> this intuition.
>
> What do y'all think?
>
> Best,
> Sanketh
>
> *disabling JITs was discussed in the tor issue tracker 4 years ago [4] but
> most of the then concerns (like changing build settings) seem to have been
> resolved and JITs are now enabled across the browser (they were not enabled
> for content back then) and so this, I feel, can use fresh eyes.
>
> [1]: https://microsoftedge.github.io/edgevr/posts/Super-Duper-Secure-Mode/
> [2]: https://hacks.mozilla.org/2020/11/warp-improved-js-performance-in-firefox-83/
> [3]: https://twitter.com/freddyb/status/1423020386560712705?s=20
> [4]: https://gitlab.torproject.org/legacy/trac/-/issues/21011
[5] https://gitlab.torproject.org/tpo/applications/tor-launcher/-/issues/9387#note_2564351
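The per-level pref table above can be turned into a simple profile check. The following is an added example, not code from the thread or from Tor Browser: it parses boolean user_pref() lines from a prefs.js/user.js and reports which JIT prefs differ from what the quoted table expects for a given security level. It assumes a pref absent from the profile takes Firefox's default of enabled.

```python
import re

# Per-level values quoted in the thread: index 1 = Safest, 2 = Safer,
# 3 = Standard (index 0 is unused in the table).
LEVELS = {"Safest": 1, "Safer": 2, "Standard": 3}
JIT_PREFS = {
    "javascript.options.ion": [None, False, False, True],
    "javascript.options.baselinejit": [None, False, False, True],
    "javascript.options.wasm": [None, False, False, True],
}

# Matches boolean user_pref() lines as written in a Firefox prefs.js / user.js.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(true|false)\);')


def parse_user_prefs(text):
    """Return {pref_name: bool} for every boolean user_pref() line in text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2) == "true"
    return prefs


def jit_status(prefs):
    """Return {pref: bool} for the three JIT prefs. A pref absent from the
    profile is reported as enabled, Firefox's default (assumption)."""
    return {name: prefs.get(name, True) for name in JIT_PREFS}


def mismatches(prefs, level):
    """List the JIT prefs whose effective value differs from what the quoted
    security-level table expects for `level` ("Safest", "Safer", "Standard")."""
    idx = LEVELS[level]
    status = jit_status(prefs)
    return [name for name, column in JIT_PREFS.items() if status[name] != column[idx]]


# Constructed sample prefs.js: Safer-style JIT settings, but wasm left on.
SAMPLE_PREFS_JS = """\
user_pref("javascript.options.ion", false);
user_pref("javascript.options.baselinejit", false);
user_pref("javascript.options.wasm", true);
user_pref("browser.startup.homepage", "about:blank");
"""

if __name__ == "__main__":
    prefs = parse_user_prefs(SAMPLE_PREFS_JS)
    print(jit_status(prefs))
    print("Safer mismatches:", mismatches(prefs, "Safer"))
```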