Browser goes further to protect against bugs by disabling JIT
Microsoft has unveiled a ‘Super Duper Secure Mode’ in the latest version of Edge browser, offering users greater protection against common vulnerabilities.
The feature was first mentioned back in August, in a blog post by Edge’s vulnerability research lead, Johnathan Norman.
Norman revealed on Twitter last night (November 22) that the feature has been rolled out “secretly” in the latest version, 96.0.1054.29.
Super Duper Secure Mode – also known as SDSM – helps to mitigate browser attacks by disabling the Just-In-Time component in V8, a technology linked to a large number of security vulnerabilities in recent years.
V8 is an open source JavaScript engine which was developed by the Chromium Project for Google Chrome and the Chromium web browser (the code base for recent versions of Edge).
JavaScript engines are “a remarkably difficult security challenge for browsers”, explained Norman, partly due to the use of the Just-In-Time (JIT) compilation, also known as speculative optimization.
This technology enables engines to convert JavaScript into machine code just before it is executed, resulting in huge gains in speed and usability, but losses for security.
JIT engines are commonly found to be vulnerable to security bugs, though Norman says that developers are willing to accept this cost because users want their browsers to be “fast”.
JIT do it
In order to defend against the plethora of bugs bundled with JIT, Super Duper Secure Mode disables the engine, removing “roughly half” of the issues present.
Norman also noted that performance is not significantly affected by disabling the engine: for example, tests that measured power consumption showed a 15% improvement on average, while regressions showed an 11% increase in power consumption.
Page load times, however, showed regressions [negative performance drops] averaging around 17%.
The SDSM feature also enables users to toggle between Balanced and Strict modes, giving them greater control over what is and isn’t enabled.
“Balanced learns what sites you use often and trusts those, strict is well… strict,” Norman tweeted, adding that Edge users can also add their own exceptions.
JITstream
Norman noted that there are benefits beyond attack surface reduction – due to how the V8 JIT works, several impactful mitigation technologies do not work during the rendering process.
With JIT disabled, these technologies can also be utilized – for example Control-flow Enforcement Technology (CET), a new hardware-based exploit mitigation from Intel, and Arbitrary Code Guard (ACG), which cannot be used with JIT engines.
“By disabling JIT, we can enable both mitigations and make exploitation of security bugs in any renderer process component more difficult,” wrote Norman.
More information on other features bundled with the latest version of Edge is available in the release notes.