Chrome’s multiprocessing sandbox, vulnerabilities, exploits and countermeasures that shape it Sonwabile Lutho Shumane University of Johannesburg, Johannesburg, South Africa 218085761@student.uj.ac.za Abstract. Focusing on vulnerabilities, exploits and countermeasures that target chromes multi-process sandbox architecture, using academic sources and a technical analysis the paper reviews the impact of V8 JavaScript engine vulnerabilities among others, specifically the just-in-time compilation and weaknesses in the inter-process communication mechanism that assist attackers in escaping chromes sandbox. Real world examples of common vulnerability exposure like the CVE-2019-5786 outline how malicious code has been used to manipulate and escape chromes sandbox. Then later dives into hardware specific vulnerabilities like the spectre and meltdown attacks, and how google has applied counter measures to mitigate these security issues like the rewards program for vulnerability reports and site isolation and how effective they have been in continuously protecting user sensitive information and other cyber threats. Keywords: sandbox, vulnerability, JavaScript, exploits, escape 1 Introduction Technology is ever evolving and with that so are the attacks that target it, whether it be software or hardware. Hence the need for security mechanisms that protect users and the system itself. A good example of such mechanisms is sandboxing, which uses a controlled environment to isolate applications and processes to prevent them from gaining unauthorized access to privileged information or resources thus maliciously affecting other applications in the system [1]. This mechanism is mostly used as a security measure in web browsers, operating systems and most mobile applications to prevent exploits and malware. Though developers utilize these there are always people looking to find vulnerabilities within software and exploit them [1]. This paper focuses on the vulnerabilities, exploits and countermeasures that target Google Chrome’s multi-process sandbox architecture 2 F. Author and S. Author 1.1 Background on Chrome multi-process sandbox Chrome’s security measure is built on sandboxing and isolating processes, which separates the rendering engine, plugins, extensions into multiple processes that interact with the operating system through an isolated interface [2]. Its multiprocess architecture is broken down into the browser process which manages user interfaces, tabs and security. The comes the render process where each tab runs on its own isolated sandboxed render process together with the plugin process which is dedicated to running 3rd party plugins [5].This way it prevents the underlying system from being compromised when one of the processes are attacked, mainly the sandbox model layers processes into rendering engine components like the JavaScript sandbox and the browser kernel which is a highly trusted process that is usually used to fetch the web pages, manages and stores cookies, while as the rendering engine focuses on the visual displays such as parsing HTML and decoded images for the users which has restricted privileges [3]. Such ensures that that if malicious activity occurs within a tab, it does not affect other tabs or access privileged system resources. Other mechanisms like least privilege and privilege separation which further add security by isolating components protect chrome from exploits that target common browser vulnerabilities [1,2]. Fig. 1. Browser kernel, rendering engine mechanism and IPC interaction Chromes sandboxing implementation is different on all operating systems, on windows, it uses mechanisms like Job Objects and restricted tokens together with low integrity levels to separate processes, while as on Linux it uses secure computing mode with Contribution Title (shortened if too long) 3 Berkeley packet filter and namespaces to isolate processes thus ensuring that the renderer processes do not elevate privileges an provide unauthorized access. Lastly macOS implements seatbelts which is a macOS specific sandbox framework to restrict unprivileged access [5]. This paper will focus on the windows implementation. 2 Software Vulnerabilities 2.1 V8 JavaScript Engine vulnerabilities As said Chrome aims to be fast and secure, to be fast a critical component for the browser’s performance and functionality is the V8 JavaScript engine which executes JavaScript code [3]. It’s one of the main targets for attackers because of its direct complex interaction with untrusted web pages. To start of the V8’s Just-in-Time (JIT) compilation feature houses most of the vulnerabilities found in chromes sandbox architecture. It dynamically compiles code into machine code for faster execution. This section covers some of the vulnerabilities of the JIT compilation of the V8’s engine and examples of past exploits that had affected chromes security. Exploits For optimizing performance, the V8’s JIT compilation process continuously converts code into machine code at runtime though it’s privy vulnerabilities that attackers exploit. Security flaws may be caused on the dynamic compilation process if the generated machine code has errors or behaves in an unexpected manner. These flaws are exploited by attackers to execute arbitrary code bypassing Chromes sandbox protection. Corruption of memory, such as use-after-free and buffer overflow vulnerabilities [2]. Here are some significant common vulnerability and exposure (CVE) examples. • CVE-2019-5786 One of chromes most famous vulnerabilities found in 2019, the use-after-free vulnerability in the V8 engine, which occurs when a process continues to use a memory pointer after the resources has been freed. So, if an attacker manipulated array handing in the JavaScript code to trigger the use-after-free condition, they could exploit the resulting memory corruption to escape the sandbox and execute other code on the host system. Once outside the chrome sandbox performs instructions with privileges that could compromise the entire system. Reason this vulnerability is so significant is not only due to its technical characteristics but the level of exploitation as attackers targeted specific individuals, as chrome is globally used the impact of this affected millions of users which demonstrates the importance of sandboxing though it has its limitations and determined attackers can still gain access, although google released a patch in version 72.0.3626.121 of chrome soon after reports and encouraged users to update their browsers [2]. Mitigations of this and other vulnerabilities will be discussed in detail on a later section. Attackers use memory corruption to escape the sandbox and execute other code on the host system. Once outside the chrome sandbox performs instructions with privileges that could compromise the entire system. Reason this vulnerability is so 4 F. Author and S. Author significant is not only due to its technical characteristics but the level of exploitation as attackers targeted specific individuals, as chrome is globally used the impact of this affected millions of users which demonstrates the importance of sandboxing though it has its limitations and determined attackers can still gain access, although google released a patch in version 72.0.3626.121 of chrome soon after reports and encouraged users to update their browsers [2]. Mitigations of this and other vulnerabilities will be discussed in detail in a later section. • CVE-2020-16009 Another damaging vulnerability that targeted the V8 engine, specifically the Just-InTime (JIT) compilation process. Classified as an Object type confusion bug, where the engine misinterprets the type of an object during optimization which can also lead to memory corruption thus providing an access point for attackers to inject and execute malicious code. In this case attackers exploited chromes render process to escape the sandbox which allowed them to gain access to host system resources and sensitive data outside the browsers environment [2]. Attackers combined it with the CVE-2020-17087 which targeted the windows kernel privilege escalation vulnerability which allowed attackers to elevate their privileges and gain full administrative access on the system. This technic is known as chaining vulnerabilities where even if the sandbox presents limitations for access, vulnerabilities in the windows kernel of Chromes layered security attackers still find a way to escape these limitations and access the system. The combination of these vulnerabilities and how they were exploited not only alerted google but also Microsoft to release patches to secure both the browser environment and the underlying system [2]. • CVE-2023-3420 More recently another vulnerability in the V8’s JIT compiler was exploited allowing attackers to achieve remote control access because of incorrect code optimization. Attackers targeted users using malicious websites allowing them to execute code in the render process which operates with limited privileges but chained to other sandbox vulnerabilities they could escape the sandbox and access the underlaying system [5]. 2.2 Inter-Process communication (IPC) vulnerabilities Interactions between the sandboxed processes relay on the Inter-Process Communication (IPC). Damage caused by malicious code may be limited by the sandbox though vulnerabilities in the IPC also allow attackers to escape the sandbox. This section explains how IPC vulnerabilities aid attackers in escaping. Since chromes multi-process architecture separates components into different processes there needs to be some mechanism that facilitates communication between them, although it causes an overhead in the performance as in-process communication is much faster than IPC. Process based sandboxing comes with complexities in managing Contribution Title (shortened if too long) 5 shared data and attackers target IPC vulnerabilities to manipulate the communication between processes thus bypassing sandbox restrictions and performing malicious code in privileged processes [6]. Attackers create race conditions or exploit timing discrepancies in the IPC, for instance, manipulating the data being transmitted between processes in the message packets being sent through. Communication between the renderer and the browser kernel process, can introduce double fetch bugs, use-after-free vulnerabilities which together can allow attackers it intercept the network and break the sandbox [6]. 3 Hardware vulnerabilities Exploits and Attacks • Spectre and meltdown attack Vulnerabilities in the central process unit (CPU) exploit weaknesses in speculative execution such as spectre and meltdown. Speculative execution is a performance-enhancing feature that improves CPU performance by predicting the likely path of a program. Attackers access protected memory which should be kept separate within the sandbox [7]. These vulnerabilities can be used to bypass process isolation and the sandbox mechanism. During speculative execution, branch prediction logic is exploited to trick the processor into performing malicious instructions then accessing unprivileged memory this is known as Spectre. Attackers use this to get privileged information like passwords, identifying data and other sensitive information by monitoring the CPU’s cache timing thus breaking the isolation provided by the sandbox [7,8]. However, meltdown is bypassing privilege checks by exploiting out-of-order execution in the CPU which allows for userspace processes to read kernel memory thus breaking the isolation and accessing sensitive memory [8]. Together these cause serious damage to chromes sandbox • SpectreRewind Attack Traditional convert channels rely on speculative instruction timing, while as spectreRewind attacks target contention-based convert channels in speculative execution. It uses a floating-point division unit to create a covert channel without relying on simultaneous multithreading to bypass stateful defenses which are designed to stop speculative execution from leaking data [7]. • Rowhammer Attack Another hardware vulnerability, which affects DRAM chips, where continuous access to a row of memory cells causes bit flips in adjacent rows used to alter data in sandboxed applications or perform arbitrary code. Chrome’s sandbox isolates cross-process 6 F. Author and S. Author memory tempering but rowhammer can still manipulate memory directly thus compromising the security feature [5]. 4 Countermeasures and mitigation Given that vulnerabilities are ever exploited google, Microsoft and other companies involved have come up with mitigation and countermeasures that limit attacks on chromes sandbox. This section, as said earlier in the paper, will discuss some of these technics to limit sandbox escapes. • Zero-Day vulnerability response Firstly, google has created a vulnerability rewards program, which pays hackers and researchers to try and find vulnerabilities in chrome and report them before they are exploited. This way they can provide patches to new versions for many critical vulnerabilities especially on the V8 engine [2]. This has also allowed google to rapidly patch the system through the auto-update mechanism which ensures that users receive patches quickly and limit exploitation by attackers [1,3]. • Improved render process isolation To limit potential damage of cross-origin data leaks google has implemented site isolation for vulnerabilities like the meltdown and spectre which exploits speculative execution in the CPU. This ensures that each tab not only runs in its own sandboxed render process but also own site [2]. • IPC vulnerabilities Since vulnerabilities in the inter-process communication can affect or rather assist attackers in escaping the sandbox, chrome has enhanced memory safety within the IPC mechanisms by using safe languages like Rust and improvements in Chromes C++ code [6] This lowers the risk of corruption bugs, which are exploited in IPC sandbox escapes [2]. Also by strengthening the communication channels between sandboxed processes and the kernel is important as strict validation and sanitization processes for data exchange over the IPC [6]. Fuzzing of IPC channels, fuzzing techniques that test and identify potential vulnerabilities in the IPC channels are utilized by chrome and are critical for communication between browser processes. Fuzzing helps detect, when malformed or arbitrary inputs are sent from one process to another which could be exploited to escape the sandbox [6]. • Control Flow Integrity lastly with regards to software countermeasures google implements multiple defensesagainst JIT compilation in the V8 engine including control flow integrity (CFI) which ensures that execution flow of processes follow valid parts. CFI enhances Contribution Title (shortened if too long) 7 protection against type confusion exploits and use-after-free vulnerabilities that happen when the JIT compiler interoperates data types incorrectly thus leading to escapes that can cause memory corruption [3]. • Hardware specific mitigations Moving on to hardware counter measures, as said that spectre and meltdown exploit speculative execution and out-of-order execution in the CPU thus allowing attackers to break chrome’s sandbox to mitigate this google has disabled or rather restricts the use of sheard resources like JavaScript timers that attackers use during side-channel attacks [1]. CPU vendors like Intel and AMD release frequent microcode updates which patches browser level defenses in the processor architecture that mitigate speculative execution attacks like spectre and meltdown [ 6]. Operating systems have improved kernel page table isolation (KPTI) to prevent attacks that exploit the CPU’s ability to access kernel memory from user space by isolating the kernels memory from user applications like browsers. 5 Conclusion To conclude, as sandboxing mechanisms improve so do attackers that exploit vulnerabilities, it be directly on the sandbox or other components that interact with the chrome browser. The paper outlined vulnerabilities in the V8 JavaScript engine, like the useafter-free and the just-in-time compilation and their flaws which allowed for exploits such as the CVE-2019-5786 which shaped googles response to sandbox vulnerability exploits. Continues with weaknesses in the IPC mechanism which allow attackers to escape the multi process sandbox and what google has done as countermeasures to mitigate this. And lastly dives into how hardware-based vulnerabilities chained with software vulnerabilities are utilized to break the security sandbox and perform malicious activities on the underlying system. Though google chromes sandbox architecture might be effective they must constantly update patches to improve security against attackers to continue being one of the world’s best sandboxed web browser. 8 F. Author and S. Author References 1. Md. Mesbahul Islam, An Evaluation of Extension Vulnerabilities of Google Chrome. University of Helsinki (2012) 2. A. N. Narvekar, Prof. K .K Joshi, Security Sandbox model for modern web environment (2017) 3. Shravan Ravi Narayan, Retrofitting Fast and Secure Sandboxing in Real Systems. PhD Dissertation, University of California San Diego (2022) 4. P. S. Satish, R. K Chavan, Web Browser Security: Different Attacks Detection 5. and Prevention Techniques 6. Google Chrome Documentation https://chromium.googlesource.com/chromium/src/+/refs/heads/main/docs accessed 03/09/2024 7. A Fajar, S. Yazid, Web Browser Vulnerabilities and Weakness Descriptive Analysis (2018) 8. J. Fustos, M. Bechtel, H. Yun, A Framework for Leaking Secrets to Past Instructions. Journal of Cryptographic Engineering (2022).
