Untrusted code mitigations
Nothing changes if you execute only trustworthy code

Speculative side-channel attacks (SSCA) need attacker-controlled code running in the same process as the data it wants to read. If your product only uses its embedded V8 to execute JavaScript or WebAssembly that is entirely under your control, this class of attack does not apply to your use of V8 and nothing on this page requires action.
If you do execute untrusted code…

If your product runs JavaScript or WebAssembly from sources you do not control, for example scripts supplied by users or third parties, that code may be able to use speculative execution to read memory of the process it runs in. The sections below describe the measures available to an embedder; they are complementary, not alternatives.
Update to the latest V8 to benefit from mitigations, and enable them

Mitigations for this class of attack are available in V8 itself starting with V8 v6.4.388.18, so updating your embedded copy of V8 to v6.4.388.18 or later is advised. Older versions of V8, including versions that still use FullCodeGen and/or Crankshaft, do not have mitigations for SSCA.
Starting in V8 v6.4.388.18, a new flag was introduced to help protect against SSCA vulnerabilities. This runtime flag, --untrusted-code-mitigations, is enabled by default through a build-time GN flag called v8_untrusted_code_mitigations.

These mitigations are enabled by the --untrusted-code-mitigations runtime flag:

- Masking of addresses before memory accesses in WebAssembly and asm.js, to ensure that speculatively executed memory loads cannot access memory outside of the WebAssembly and asm.js heaps.

If you fully trust all JavaScript and WebAssembly that your embedded V8 executes, you can turn these JIT mitigations off by passing --no-untrusted-code-mitigations at runtime. The v8_untrusted_code_mitigations GN flag can be used to enable or disable the mitigations at build time; it sets the default that the runtime flag starts from.

Note that V8 defaults to disabling these mitigations on platforms where it is assumed the embedder will use process isolation, such as platforms where Chromium uses site isolation. Because that default depends on platform and build configuration, check it for your own build rather than assuming the mitigations are active: d8 --help prints every V8 flag with its current default, and an embedder that wants the mitigations regardless of the build default should pass --untrusted-code-mitigations explicitly (for example through v8::V8::SetFlagsFromString before initialising V8).
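The address-masking mitigation, shown as an added example in C; this is not V8's code (V8 emits the equivalent in JIT-generated machine code, using a conditional move rather than a branch). The idea is that a branchless mask is derived from the bounds comparison and applied to the index before the load, so a load that executes speculatively past a mispredicted bounds check still stays inside the heap. The wasm_memory type and all function names are hypothetical; the mask computation assumes heap sizes below 2^63 and an arithmetic right shift of signed values, which mainstream compilers provide.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added illustration of speculative-safe address masking; not V8's code.
 * The wasm_memory type and all function names are hypothetical. */
typedef struct {
    const uint8_t *base;  /* start of the linear memory */
    uint64_t size;        /* size in bytes; assumed < 2^63 */
} wasm_memory;

/* All-ones if idx < size, otherwise zero, computed without a conditional
 * branch: idx - size is negative exactly when idx < size, and an arithmetic
 * right shift by 63 spreads that sign bit across the whole word. */
static inline uint64_t bounds_mask(uint64_t idx, uint64_t size) {
    return (uint64_t)((int64_t)(idx - size) >> 63);
}

/* Index actually used by the load: unchanged when in bounds, 0 otherwise. */
uint64_t mask_index(uint64_t idx, uint64_t size) {
    return idx & bounds_mask(idx, size);
}

/* Unmitigated pattern. The branch is the only guard, so while the CPU
 * speculates past a mispredicted check the load can run with an
 * out-of-bounds idx and pull arbitrary process memory into the cache. */
int load_u8_unmasked(const wasm_memory *m, uint64_t idx, uint8_t *out) {
    if (idx >= m->size) return -1;  /* architectural trap */
    *out = m->base[idx];
    return 0;
}

/* Mitigated pattern. The architectural check is the same, but the address
 * the load uses no longer depends on the branch outcome: it is masked into
 * [0, size) whether or not the branch was predicted correctly. */
int load_u8_masked(const wasm_memory *m, uint64_t idx, uint8_t *out) {
    uint64_t safe_idx = mask_index(idx, m->size);
    if (idx >= m->size) return -1;  /* architectural trap, unchanged */
    *out = m->base[safe_idx];
    return 0;
}

int main(void) {
    /* Constructed 16-byte heap for the demonstration. */
    uint8_t heap[16] = {42, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15};
    wasm_memory m = { heap, sizeof heap };
    uint8_t v = 0;

    uint64_t probes[] = { 5, 15, 16, 100 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        printf("idx %3llu -> index seen by the load %2llu, result: %s\n",
               (unsigned long long)probes[i],
               (unsigned long long)mask_index(probes[i], m.size),
               load_u8_masked(&m, probes[i], &v) == 0 ? "ok" : "trap");
    }
    return 0;
}
```

For an out-of-bounds index the mask is zero, so even a speculative load reads offset 0 of the heap instead of memory past it; the architectural behaviour is unchanged, since the bounds check still traps. This is also why the mitigation costs something: every heap access pays for the mask computation, which is the trade-off the --no-untrusted-code-mitigations flag lets a trusting embedder avoid.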
Sandbox untrusted execution in a separate process

Running untrusted JavaScript and WebAssembly in a process that holds no sensitive data limits what a speculative read can reach: the attacker's code can only observe memory in its own address space. This is the model behind Chromium's site isolation, and it is why V8 disables the JIT mitigations by default on platforms where that isolation is assumed. If you rely on this approach, make sure the sandboxed process really contains nothing worth reading, including credentials, tokens and other users' data, and enable the JIT mitigations wherever that cannot be guaranteed.
Consider tuning your offered high-precision timers

Speculative side channels are read out by timing, typically by measuring whether a memory access hit or missed in the cache. If your product exposes a high-precision timer to untrusted JavaScript or WebAssembly, consider reducing its resolution or adding jitter to its readings, so that such measurements become noisier and more expensive to take. Rounding alone is not enough: an attacker can poll a coarsened clock until it ticks over and use the tick edge to recover fine-grained time, which is why jitter should be added as well.
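One way to coarsen a timer while hiding the tick edge, as an added example in C that is neither V8 nor Chromium code: readings are clamped to a fixed resolution, and a secret per-interval threshold decides whether the start or the end of the interval is reported, so the point at which the reported clock advances is unpredictable to the caller. The function names, the 100 µs resolution and the secret are hypothetical, and the splitmix64 mixer stands in for a proper keyed PRF.

```c
#include <stdint.h>
#include <stdio.h>

/* Added illustration of timer coarsening with jitter; not V8 or Chromium
 * code. Function names, the resolution and the secret are hypothetical. */

/* Cheap 64-bit mixer (the splitmix64 finalizer) used as a keyed hash for
 * the example. A production implementation should use a real keyed PRF
 * with a secret chosen at process start. */
static uint64_t mix64(uint64_t x) {
    x += 0x9E3779B97F4A7C15ULL;
    x = (x ^ (x >> 30)) * 0xBF58476D1CE4E5B9ULL;
    x = (x ^ (x >> 27)) * 0x94D049BB133111EBULL;
    return x ^ (x >> 31);
}

/* Coarsen raw_us to res_us resolution. Plain rounding leaks the true time
 * at the moment the reported value ticks over; here a secret threshold
 * inside each interval decides whether the interval's start or end is
 * reported, so the tick point cannot be predicted by the caller. */
uint64_t coarsen_time_us(uint64_t raw_us, uint64_t res_us, uint64_t secret) {
    uint64_t bucket = raw_us / res_us;
    uint64_t base = bucket * res_us;
    uint64_t threshold = base + mix64(bucket ^ secret) % res_us;
    return raw_us >= threshold ? base + res_us : base;
}

/* Sanity check a practitioner would run on such a clock: every reported
 * value is a multiple of res_us, is never more than res_us away from the
 * true time, and the clock never runs backwards. Returns 1 if all hold. */
int coarsen_is_sound(uint64_t res_us, uint64_t secret, uint64_t span_us) {
    uint64_t prev = 0;
    for (uint64_t t = 0; t < span_us; t++) {
        uint64_t r = coarsen_time_us(t, res_us, secret);
        if (r % res_us != 0) return 0;
        if (r > t + res_us || r + res_us <= t) return 0;
        if (r < prev) return 0;
        prev = r;
    }
    return 1;
}

int main(void) {
    const uint64_t res = 100;                        /* 100 microseconds */
    const uint64_t secret = 0x5eed5eed5eed5eedULL;   /* hypothetical */
    for (uint64_t t = 0; t <= 500; t += 50)
        printf("raw %3llu us -> reported %3llu us\n",
               (unsigned long long)t,
               (unsigned long long)coarsen_time_us(t, res, secret));
    printf("sound over one second: %s\n",
           coarsen_is_sound(res, secret, 1000000) ? "yes" : "no");
    return 0;
}
```

Because the threshold is fixed per interval, the reported clock is still monotonic and never drifts more than one resolution step from the true time, which is what keeps it usable for ordinary code while denying untrusted code a stable sub-interval reference. Any other timing source the embedder exposes, including SharedArrayBuffer-based counters, needs the same consideration.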