Appropriate use of Context and Isolate


Chris Dumoulin

Feb 21, 2018, 3:05:37 PM
to v8-users
In the Embedder's Guide, Contexts are described as allowing "separate, unrelated, JavaScript applications to run in a single instance of V8".  Also, the section on Security Model says that "In V8 an 'origin' is defined as a context." However, I'm pretty sure that Chrome uses separate Isolates within separate processes to isolate different browser tabs.

My questions are about running untrusted Javascript code, and the appropriate use of Isolates and Contexts, with respect to security and isolation of separate, unrelated, Javascript.
- What safeties are in place that prevent Javascript from breaking out of a Context?
- What safeties are in place that prevent Javascript from breaking out of an Isolate?
- From a security perspective, is there a benefit to using separate Isolates within a single OS process, or would separate Contexts be just as good? I'm aware that Isolates don't support concurrent, multithreaded access.

I expect that sandboxing separate OS processes for unrelated, untrusted Javascript files/applications is the most secure solution, but I'm trying to figure out how much better that is than multiple Contexts or Isolates within a single process.

Thanks,
Chris

Ben Noordhuis

Feb 21, 2018, 3:44:31 PM
to v8-users
On Wed, Feb 21, 2018 at 9:05 PM, Chris Dumoulin <crdu...@gmail.com> wrote:
> In the Embedder's Guide, Contexts are described as allowing "separate,
> unrelated, JavaScript applications to run in a single instance of V8".
> Also, the section on Security Model says that "In V8 an 'origin' is defined
> as a context." However, I'm pretty sure that Chrome uses separate Isolates
> within separate processes to isolate different browser tabs.

Tabs use different isolates.

Iframes in the same tab use different contexts but the same isolate.

Workers in the same tab use different isolates. I don't know if
Chromium puts them in separate processes but I expect it does.

> My questions are about running untrusted Javascript code, and the
> appropriate use of Isolates and Contexts, with respect to security and
> isolation of separate, unrelated, Javascript.
> - What safeties are in place that prevent Javascript from breaking out of a
> Context?

Context::SetSecurityToken() - contexts with different tokens can't
access each other's objects; that includes arrays and functions.

> - What safeties are in place that prevent Javascript from breaking out of an
> Isolate?

The observation that the V8 team would panic if that was possible. :-)

It would be a pretty serious security vulnerability and Google takes
those seriously. Report one or two good ones through the bug bounty
program and you could take the rest of the year off.

> - From a security perspective, is there a benefit to using separate Isolates
> within a single OS process, or would separate Contexts be just as good? I'm
> aware that Isolates don't support concurrent, multithreaded access.

They are functionally equivalent. The moat might be marginally deeper
in case of security breach with isolates. If you had to pick one or
the other, pick isolates (and process isolation).

> I expect that sandboxing separate OS processes for unrelated, untrusted
> Javascript files/applications is the most secure solution, but I'm trying to
> figure out how much better that is than multiple Contexts or Isolates within
> a single process.

The single-process approach doesn't protect against out-of-memory
conditions in a context or isolate. V8 doesn't handle OOMs except by
terminating. It's not difficult for JS code to trigger an OOM: `for
(let a = [];;) a.push(a)` will do it.

Infinite loops are another issue a single process won't protect you
against, at least not without coding your own watchdog functionality
from scratch.

Chris Dumoulin

Feb 21, 2018, 8:32:38 PM
to v8-users
Ben, thanks a lot for your answers. This is helpful information.