The V8 Sandbox: From Compiler Correctness to Runtime Containment
Traditional memory-safety approaches (such as memory-safe languages) offer robust protection against implementation vulnerabilities, but they cannot guarantee the safety of Just-In-Time (JIT) compilers, where the compiler itself is a direct attack surface. For example, in a JavaScript engine, the input is attacker-controlled code, and a single logic bug in the optimization pipeline can trick the JIT into emitting unsafe machine code, regardless of the host language’s guarantees.
In this talk, we present the V8 Sandbox, a practical defense mechanism deployed in the Chromium browser engine. Rather than attempting to formally verify the correctness of the entire V8 optimization pipeline, we shift the security goal from compiler correctness to runtime containment. This in essence allows us to decouple the JIT’s complexity from its security properties. We will discuss the design principles and performance characteristics of this lightweight, in-process sandbox, detail the complexities of retrofitting a new security boundary into an existing and complex codebase, and provide an outlook for future hardening of the sandbox such as hardware support or code validation.
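As an added illustration of the containment goal described above (not code from the talk or from V8 itself): a toy model in which references stored inside the sandbox are offsets from a power-of-two reservation rather than raw pointers, so a field overwritten by a miscompiled JIT write still decodes to an address inside the reservation. The 1 MiB size, `buffer_obj_t` layout and function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stdlib.h>

/* Toy model of in-process containment (an illustration added here, not V8's
 * code): the sandbox is one contiguous, power-of-two-sized reservation, and
 * references stored inside it are offsets from its base rather than raw
 * pointers.  Decoding masks the offset to the reservation size, so whatever
 * value a miscompiled JIT write leaves in the field, the decoded address
 * stays inside the reservation.  Size and field names are assumptions. */
#define SANDBOX_SIZE (1u << 20)          /* 1 MiB toy reservation */
#define OFFSET_MASK  (SANDBOX_SIZE - 1)  /* valid because size is a power of two */

static uint8_t *sandbox_base_ptr;        /* base of the reservation */

int sandbox_init(void) {
    sandbox_base_ptr = calloc(SANDBOX_SIZE, 1);
    return sandbox_base_ptr != NULL;
}

uintptr_t sandbox_base(void) { return (uintptr_t)sandbox_base_ptr; }

/* An object living inside the sandbox: a length plus a sandboxed
 * reference (offset) to its backing store. */
typedef struct { uint32_t length; uint32_t data_offset; } buffer_obj_t;

/* Sandboxed decode: mask first, then add the base. */
static uintptr_t decode_sandboxed(uint32_t offset) {
    return sandbox_base() + (offset & OFFSET_MASK);
}

/* 1 if an address lies within the reservation, else 0. */
int in_sandbox(uintptr_t addr) {
    return addr >= sandbox_base() && addr < sandbox_base() + SANDBOX_SIZE;
}

/* Simulate a bug that overwrites the reference field with an arbitrary
 * value, then decode it the sandboxed way.  Returns 1 if still contained. */
int contained_after_corruption(uint32_t corrupt_offset) {
    buffer_obj_t *obj = (buffer_obj_t *)sandbox_base_ptr;  /* object at sandbox start */
    obj->length = 16;
    obj->data_offset = 64;
    obj->data_offset = corrupt_offset;                      /* the corrupting write */
    return in_sandbox(decode_sandboxed(obj->data_offset));
}

/* Same corruption in the conventional model, where the field holds a raw
 * pointer: the value is used as-is and can point outside the region. */
int raw_reference_contained(uintptr_t corrupt_pointer) {
    return in_sandbox(corrupt_pointer);
}
```

The point of the model is the last two functions: the sandboxed decode turns a correctness question about the JIT into a bounds property of the decode path, while the raw-pointer model has no such bound.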
Slides: PriSC 2026 - The V8 Sandbox - From Compiler Correctness to Runtime Containment (PDF, 1.86 MiB)

Sun 11 Jan (time zone: Brussels, Copenhagen, Madrid, Paris)
09:00 - 10:00
09:00 (5 min) Day opening - PriSC
09:05 (55 min) Keynote - The V8 Sandbox: From Compiler Correctness to Runtime Containment - PriSC - Samuel Groß (Google) - slides attached