Does the term “Chrome V8 JavaScript engine” referenced in numerous Zero Day exploits since 2021 ring any alarm bells?
According to Google developers, nearly all vulnerabilities found and exploited in the Chrome browser (running on the open source JavaScript rendering engine named V8) have one thing in common: “The eventual memory corruption necessarily happens inside the V8 heap because the compiler and runtime (almost) exclusively operate on V8 HeapObject instances.”
Such memory corruption issues have in recent years led to numerous Zero Day vulnerabilities, with up to 16 security flaws reported through 2023.
On 8 Apr, Google announced what it calls a V8 Sandbox in Chrome to put a stop to this insidious class of vulnerability.
The sandbox will isolate the JavaScript rendering engine’s heap memory from the rest of the process, thereby stopping attackers from executing arbitrary code at will. To raise the ante, Google is also offering a rewards system to encourage security developers and ethical hackers to find ways to bypass the sandbox. According to one Google microsite: “While the sandbox is still under development, it is covered under a special reward structure with strict and very specific submission rules. It is expected that submission rules will be relaxed and evolve as the sandbox matures. Bypasses of the sandbox that meet eligibility criteria are eligible for a reward of up to US$5,000.”
So far, White Hat hackers have found only “trivial memory corruption bugs” rather than “the more severe flaws typically discovered in V8.” A spokesman has noted that, while the currently available data set of sandbox bugs is very limited, the bug bounty program “will hopefully help produce a clearer picture of the type of vulnerabilities encountered on the sandbox attack surface.”
Since Chrome 123, released in recent weeks, the sandbox has been enabled by default in the 64-bit versions of the browser across the various operating systems, to kick off testing and monitoring.