Microsoft wonders if disabling just-in-time compilation of JavaScript improves browser security

Edge is getting a 'Super Duper Security Mode' to test the idea. Yes, that is the actual name


Microsoft is conducting an experiment it hopes will improve browser security – by making its Edge offering worse at running JavaScript

As explained in a post by Johnathan Norman, the vulnerability research lead for Microsoft Edge, JavaScript is the juiciest target when trying to crack a browser – because engines like Google's V8 and the just-in-time compilation (JIT) techniques they employ use "a remarkably complex process that very few people understand" and have "a small margin for error" in the way they handles code.

We live with that because the likes of V8 mean JavaScript zips along very nicely when used with JIT, making all sorts of in-browser fun possible.

But it also means all sorts of in-browser evil is possible. Norman cites data suggesting 45 per cent of CVEs issued for V8 were related to its JIT engine.

Norman argues that these days JIT doesn't make a massive difference to browser performance. He also points out that the presence of V8's JIT prevents the use of alternative mitigations.

Microsoft is therefore going to try to build what it calls "Super Duper Security Mode" for Edge, by disabling JIT and eventually adding other security mitigations – namely Controlflow-Enforcement Technology (CET) and Arbitrary Code Guard and Control Flow Guard.

Superheroes stare at screen with MS Edge logo

Click to enlarge

"Super Duper Security Mode" is already available. Type edge://flags/#edge-enable-super-duper-secure-mode into Edge and the browser provides a long list of its security controls so you can see what you'll be missing if you decide to join Microsoft's experiment.

"This is of course just an experiment; things are subject to change, and we have quite a few technical challenges to overcome," Norman wrote. "Also, our tongue-in-cheek name will likely need to change to something more professional when we launch as a feature. For now, we are going to continue having fun with it."

A more "professional" (read: less goofy) name could be a good thing. Or maybe not.

Despite being baked into over a billion machines running Windows 10 – which includes rather insistent nagware encouraging use of the browser – Edge has just 3.41 per cent market share according to statcounter Global Stats. A fun name like "Super Duper Security Mode" might make more of a difference to users than hard-to-appreciate changes to security plumbing. ®

Similar topics


Other stories you might like

Biting the hand that feeds IT © 1998–2021