Lets chat V8 and perf. One of the most common exploit primitives is to abuse the fact that WASM jit pages are RWX. You ever wonder why? Ironically it's because of asm.js! (yes that old stuff) , you see asm.js code is translated to WebAssembly by V8.. Thread 1/?
https://twitter.com/thezdi/status/1379799037206016005
This code is compiled to WASM bytecode. In the past permissions were flipped on the W^X memory but this operation was expensive. So for performance reasons those pages are RWX. JS runs faster and exploits are easier. yay! 2/?
recently V8 introduced Sparkplug docs.google.com/document/d/13c…, another performance improvement that ran info the same problem. So it seems we're getting more RWX memory.. 3/?
Now you could argue well there is still ROP which is true. However CET is ready to go, the only blocker is.. (surprise) V8. Often, Chromium is willing to take a perf hit for security (MirclePtr, sandboxes etc) but V8 is different 4/?
JavaScript performance seems to be sacred and determined to be worth the cost. This raises the question, when is a performance improvement no longer worth it? Edge struggled with similar tradeoffs around Chakra... 5/?
It is hard to grow market share when you are slower according to some random benchmark. I've always wondered if some percentage of the market would be willing to accept a 20% reduction in "performance" for a solution that is more secure. 6/?
I am told the answer is no, but I hope those people are wrong. 7/7
• • •
Missing some Tweet in this thread? You can try to
force a refresh
