Stop JIT ~ Microsoft tests "Mt -Great Security Mode" in "Edge"

　On August 4 (local time), Microsoft announced the new security function of "Microsoft Edge" "SUPER DUPER Secure Mode".Although it is still an experimental stage, the name is not official, but it is likely to be anxious for users who value security rather than performance.

　According to the company, there are various attacks that pierce the JavaScript engine defect, but the basics have not changed for a long time, and are being performed in the following patterns.

　The defects discovered by the security team can be proven simply by copying and paste this template, and the attacker has a system that can immediately abuse it using a framework like "PWNJS".

　But this is a nightmare for the defense side.When a defect is found, it must be dealt with quickly and encourage users to update.As a result, web browser vendors, such as Microsoft, Google, and Mozilla, make large -scale investments in the development of techniques for finding defects, and have prepared large -scale sweepstakes programs to promote hackers to report problems.Nevertheless, the current situation is that the JavaScript engine has been a security issue for Web browsers.

　The company's security team proposes a solution to stop the performance technology of the JavaScript engine called "Just in Time Compilation" (JIT).

　According to a survey of CVE (recognition number assigned to vulnerabilities) after 2019, about 45 % of the vulnerabilities found in the JavaScript engine V8 are related to the JIT engine.Furthermore, more than half of the cases that were misused before the correction in "Chrome", were abusing JIT bugs, according to Mozilla.

　JIT is becoming more complicated year by year to raise the performance of the Web browser, but has created half of the security defects that require corrections.Is it worth the speed up?

"Google Chrome 91" has a maximum performance improved -two major improvements on the "V8" engine

　The advantage of JIT disabling is not only reducing the attack surface (that is, vulnerability).The JIT of "V8" cannot be used in the renderer process of some powerful security easing measures due to its mechanism.For example, Intel's new hardware-based Exploit easing (ControlFlow-enforcement Technology) has not been used in the renderer process.Also, because the RWX memory page is used, the "ACG" (ArbitRary Code Guard) is also disabled.If these technologies can be applied to the renderer process, security will be dramatically improved.

"Google Chrome 90" Windows version introduces stack protection with hardware -Skinth attacks are also shut out!

　However, there are no concerns that disabling JIT will significantly reduce performance.So I tested how much the performance of the web browser changes depending on the presence or absence of JIT, but it certainly said that some tests had improved, but in most cases there was no significant change in performance.

　In addition, although the power consumption was average 15 % improvement in power consumption, which increased by about 11 %, but rather increased by about 11 %.In some cases.In other tests, it seems that there are some improvements and worsening.

　So far, JIT has been promoted as a trump card to improve performance.For example, on the "Speedometer 2.0" benchmark, if JIT is disabled, the score will be reduced by 58 %.But can the user feel the invalidation of JIT in the actual use case?

　Either way, you won't be able to answer if you don't actually compare two versions of web browsers.In the coming months, the company plans to implement CET, ACG, and CFG (Control Flow Guard, control flow guard) in the Rendar process in the "Super Duper Secure Mode" project.If you want to actually try it, try to enable the "SUPER DUPER Secure Mode" flag in the preview version "Edge" (Beta/Dev/CANARY) in the test stage (edge: // flags/).At present, JIT (Turbofan/Sparkplug) is disabled and CET can be tested.However, please note that webassembly has not been supported yet.