[tor-bugs] #21011 [Applications/Tor Browser Sandbox]: Disable JavaScript JIT
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sat Dec 17 09:56:07 UTC 2016
#21011: Disable JavaScript JIT
--------------------------------------------------+---------------------
Reporter: cypherpunks | Owner: yawning
Type: enhancement | Status: new
Priority: Medium | Milestone:
Component: Applications/Tor Browser Sandbox | Version:
Severity: Normal | Keywords:
Actual Points: | Parent ID:
Points: | Reviewer:
Sponsor: |
--------------------------------------------------+---------------------
JIT (Just-In-Time compilation) is an optimization applied to some
interpreted languages which allows them to be compiled into bytecode just
before being run. JavaScript is one of those languages. The sandbox should
disable JIT to improve security. I've attached a solution (just appending
the config changes to the autoconfig file).
Problems caused by JIT:
* Increased susceptibility to ROP
* A type of heap spraying called JIT-spraying (used for bypassing ASLR and NX)
* High speed loops leading to efficient rowhammer.js implementations
* Side-channel attacks against other tabs and other processes
* Improved accuracy for keystroke dynamics (biometric fingerprinting)
* Mandatory RWX mappings (Firefox 46 may fix this, making W^X and maybe PAX_MPROTECT finally work)
* Increased attack surface by passing code through a compiler
Problems solved by JIT:
* Improved performance on extremely JavaScript-heavy pages
Given that the priority is assumed to be security rather than performance,
I hope the negligible trade-off is acceptable.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21011>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs mailing list
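As an added example (not the attachment referenced in the ticket, and not Tor Browser's or Firefox's own code): a Node-runnable script that renders the kind of autoconfig fragment the ticket describes and audits an existing mozilla.cfg so a reviewer can confirm every JIT tier is locked off, not merely set. The preference names are the real Firefox 45-era JavaScript engine prefs (IonMonkey, Baseline, asm.js, regexp JIT); the helper functions and the sample partial config are constructed for this example and are not from the ticket.

```javascript
// Added example: render and audit a Firefox autoconfig (mozilla.cfg) fragment
// that disables every JavaScript JIT tier. Pref names are real Firefox prefs;
// the helpers and sample input below are constructed for illustration.

const JIT_PREFS = [
  ["javascript.options.ion", false],           // IonMonkey optimising JIT
  ["javascript.options.baselinejit", false],   // Baseline JIT
  ["javascript.options.asmjs", false],         // asm.js ahead-of-time compilation
  ["javascript.options.native_regexp", false], // regexp JIT (irregexp)
];

// Emit mozilla.cfg content. Firefox ignores the first line of the file, so it
// is conventionally a comment; lockPref (not pref) stops about:config overrides.
function renderAutoconfig(prefs) {
  const lines = ["// Tor Browser Sandbox autoconfig: disable JavaScript JIT"];
  for (const [name, value] of prefs) {
    lines.push(`lockPref(${JSON.stringify(name)}, ${JSON.stringify(value)});`);
  }
  return lines.join("\n") + "\n";
}

// Pull pref()/defaultPref()/lockPref() calls out of an existing autoconfig file.
// Only simple literal values (bool, integer, quoted string) are recognised.
function parseAutoconfig(text) {
  const re = /^\s*(lockPref|defaultPref|pref)\(\s*"([^"]+)"\s*,\s*(true|false|-?\d+|"[^"]*")\s*\)\s*;/gm;
  const prefs = new Map();
  let m;
  while ((m = re.exec(text)) !== null) {
    prefs.set(m[2], { fn: m[1], value: JSON.parse(m[3]) });
  }
  return prefs;
}

// Audit: report each JIT pref that is absent, has the wrong value, or is set
// with a function other than lockPref (so the user could re-enable it).
function auditJit(text) {
  const found = parseAutoconfig(text);
  const problems = [];
  for (const [name, wanted] of JIT_PREFS) {
    const entry = found.get(name);
    if (!entry) {
      problems.push(`${name}: not set`);
    } else if (entry.value !== wanted) {
      problems.push(`${name}: set to ${entry.value}`);
    } else if (entry.fn !== "lockPref") {
      problems.push(`${name}: not locked (${entry.fn})`);
    }
  }
  return problems;
}

// Constructed sample: a config that locks IonMonkey off, only soft-sets the
// Baseline JIT, and forgets asm.js and the regexp JIT entirely.
const PARTIAL_CFG = `// mozilla.cfg
lockPref("javascript.options.ion", false);
pref("javascript.options.baselinejit", false);
`;

console.log(renderAutoconfig(JIT_PREFS));
console.log("partial config problems:", auditJit(PARTIAL_CFG));
console.log("full config problems:", auditJit(renderAutoconfig(JIT_PREFS)));
```

The rendered fragment is only honoured if Firefox is told to load it: a `defaults/pref/autoconfig.js` in the install directory with `pref("general.config.filename", "mozilla.cfg");` and `pref("general.config.obscure_value", 0);` is the standard way to enable it. The audit distinguishes `pref` from `lockPref` because a pref that is merely set can be flipped back from about:config, which defeats the point for a sandbox profile.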