Microsoft Edge vulnerability research lead Johnathan Norman revealed that the team is experimenting with a new Edge feature that disables the JavaScript JIT compiler in order to enable additional security protections. The team also gave the experiment an interesting and slightly provocative name: “Super Duper Secure Mode” (SDSM).
According to Norman, JIT compilation is a “very complex process that few people understand, with very small errors.” While JIT improves browser performance, it also introduces vulnerabilities: “performance and complexity usually come at a cost, which we usually bear in the form of security vulnerabilities and subsequent patches.”
Post-2019 CVE data shows that about 45 percent of the CVEs issued for V8 are related to the JIT engine. Attackers also weaponize and abuse these vulnerabilities: an analysis by Mozilla shows that more than half of the Chrome vulnerabilities exploited “in the wild” are JIT vulnerabilities.
Norman notes that simply disabling JIT removes a large attack surface and has the potential to significantly improve user security: it eliminates about half of the V8 vulnerabilities that would otherwise have to be fixed. For users, this means fewer security updates and less need for emergency patches. In addition, with JIT disabled, two further mitigations can be enabled, making it more difficult to exploit security vulnerabilities in any component of the renderer process.
“The reduction in attack surface eliminates half of the vulnerabilities we see in exploits and also makes each remaining vulnerability more difficult to exploit. In other words, we’ve reduced the cost to the user, but increased the cost to the attacker.”
In terms of performance impact, Norman said that when testing Edge with JIT disabled, users rarely notice a difference in day-to-day browsing; in benchmark tests, however, Edge performance without JIT dropped by a whopping 58 percent.
Currently, SDSM disables JIT (TurboFan/Sparkplug) and enables CET (Control-flow Enforcement Technology), but it is not yet compatible with WebAssembly. The team plans to enable the new mitigations gradually and add support for WebAssembly over the next few months. Users can already find the feature in Edge Canary, Dev and Beta under edge://flags.
Norman also revealed that he is planning to bring the feature to macOS and Android.