The JIT compiler requires violating the standard W^X policy. Therefore, memory can be both writable and executable at the same time. This is a serious security concern because an attacker could inject and execute their own malicious code from the JIT region during exploitation of a vulnerability. Disabling this results in an enormous attack surface reduction and will kill off a huge number of browser exploits.

Looking at CVE (Common Vulnerabilities and Exposures) data after 2019 shows that roughly 45% of CVEs issued for V8 were related to the JIT engine.

Moreover, we know that attackers weaponize and abuse these bugs as well; an analysis from Mozilla shows that over half of the “in the wild” Chrome exploits abused a JIT bug.

Source.

Disabling JIT is quite simple.

Firefox

On Firefox you can go to the about:config page and change these settings:

- javascript.options.ion to false
- javascript.options.baselinejit to false

This approach works both on desktop and mobile. (Although the stable version of Firefox on Android doesn't allow access to the about:config page.)

Chromium

On Chromium-based browsers you have to add this command-line flag:

--js-flags="--jitless"

This approach works only on desktop browsers.

On Android, the only browsers that have enabled this feature are Bromite and Vanadium.
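An added check, not part of the original post, for the W^X point it opens with: on Linux, every memory region a process maps is listed in /proc/<pid>/maps with its permissions, so counting the regions marked both writable (w) and executable (x) gives a quick signal of whether a running browser still holds JIT-style RWX memory after the flag or prefs above are applied. The sample maps listing is constructed, not captured from a real browser, and a nonzero count on a real process can also come from other libraries, so treat it as a prompt to investigate rather than proof the JIT is on.

```shell
#!/bin/sh
# Count mappings whose permission field starts with "rwx" (writable AND
# executable, shared or private) in a /proc/<pid>/maps listing on stdin.
# Under a strict W^X policy this count should be 0.
count_wx_regions() {
    awk '$2 ~ /^rwx/ { n++ } END { print n + 0 }'
}

# Run the check against a live process: check_pid <pid>
check_pid() {
    count_wx_regions < "/proc/$1/maps"
}

# Constructed sample resembling /proc/<pid>/maps output (path is illustrative).
# One region (the third) is rwx, so the expected count is 1.
SAMPLE_MAPS='00400000-00452000 r-xp 00000000 08:01 1234 /usr/bin/chromium
00651000-00652000 rw-p 00051000 08:01 1234 /usr/bin/chromium
7f8c12000000-7f8c12100000 rwxp 00000000 00:00 0
7f8c12100000-7f8c12200000 r--p 00000000 00:00 0'

# Demonstrate on the sample; with a PID argument, check that process instead.
if [ -n "$1" ]; then
    check_pid "$1"
else
    printf '%s\n' "$SAMPLE_MAPS" | count_wx_regions
fi
```

To compare before and after, run check_pid against the browser's renderer processes once with the default configuration and once with the JIT disabled.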

  • Lunacy@lemmy.ml (OP) · 3 years ago

    Not really noticeable. I'm using Vanadium in jitless mode right now and I can't tell the difference besides a few exceptions. Bromite should work fine as well.