Improving Browser Security
A status update on Hexavalent.
Following up on my Twitter thread – I am excited to disclose some details of Hexavalent and discuss potential future plans.
About
Hexavalent is a security and privacy focused web browser based on the open source Chromium project. It seeks to develop meaningful security improvements focusing on mitigating classes of bugs rather than individual vulnerabilities and is currently an unfinished product.
Our Work
We’ve adopted platform-agnostic patches from GrapheneOS’s Vanadium subproject and are planning to document their functionality in the coming weeks for other developers to better understand the reasoning behind each change. Some of the hardening is also being done outside of the browser such as in their hardened bionic libc, hardened heap allocator, and various toolchain changes which will need to be evaluated and investigated for inclusion in Hexavalent.
Currently, we’re in the process of enabling security features that aren’t
enabled upstream due to their needs not being aligned with ours, such as
enabling the “HTTPS-only mode” that can’t be trivially enabled upstream due to
breaking compatibity with legacy sites. We’ve also enabled origin isolation due
to it being the only real mitigation against known speculative execution side
channels that can be used to steal data from sites that aren’t cross-origin
isolated. It’s something upstream is also looking into enabling by default but
won’t until document.domain
usage drops to a negligible level. The
development of V8’s Ubercage is something we’re also paying close attention to
and will enable by default once it is more mature.
Some of our current original work involving tightening the Linux sandbox to prevent dynamic code generation by placing PaX MPROTECT-inspired restrictions on processes that do not generate dynamic code is currently being tested and may be upstreamed in the future. We’re additionally looking into hardening the heap allocator based on past work by projects such as HardenedPartitionAlloc. It is still a work-in-progress but we expect to be able to enable random canaries in release builds to absorb overflows, zero allocations on free, and more. Some of the work in HardenedPartitionAlloc such as the delayed free implementation won’t be re-implemented here as it is actively being worked on upstream.
Work on redoing the privileged WebUI with a sane Content-Security-Policy won’t be done in Hexavalent either as Microsoft are currently landing patches upstream using Trusted Types to elimate XSS and any work we do would effectively be wasted time.
Future Work
We’re going to be looking into reducing the attack surface of the browser by disabling complex APIs, file formats/parsers, etc, that introduce large amounts of attack surface and are overly complicated. In addition, we may look into entirely replacing the heap allocator with one with one focused primarily on security such as GrapheneOS’s hardened_malloc or Chris Rolf’s isoalloc.