Mozilla enables W^X in Firefox 46 to improve security - gHacks Tech News

Mozilla enabled the security feature W^X in Firefox Nightly (currently version 46) and plans to make it available in the other channels of its web browser once they are upgraded to version 46.

W^X, pronounced Write XOR Execute, is a security policy for memory that defines memory pages as either writable or executable, but not both. The feature has been present in the OpenBSD operating system since 2003.

The OpenBSD base system has been modified to comply with it. This alleviates some buffer overflow attacks, including the most common stack-based attack: by ensuring that the stack is not executable, arbitrary code injected into it will not execute but instead cause the program to terminate.

Most JIT (Just in Time) compilers use RWX (read-write-execute) permissions for memory pages, which allows the compiler to patch code without performance overhead. This is the case for Firefox's current JIT compiler, and also for the compilers in Chrome and Safari.

While that benefits the browser's performance when running JavaScript code, it introduces issues at the same time.

RWX Security

While most modern operating systems store code in executable but non-writable memory, RWX JIT code is an exception to this, which makes it a target for attacks. Memory corruption can be an issue as well.

Mozilla's implementation of W^X makes all JIT code pages non-writable by default. If the browser needs to write to pages, a function needs to be called to explicitly make the page writable and remove the execute flag at the same time.

Once the write operation has completed, the page's permissions are changed back to read and execute.
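The toggle described above, sketched in C for a POSIX system as an added example (not Mozilla's code and not part of the original article). The jit_* names are hypothetical, the patched bytes are constructed placeholders that are never executed, and jit_is_writable assumes read(2) fails with EFAULT on a non-writable buffer:

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
/* Hypothetical names for illustration; not SpiderMonkey's allocator. */
typedef struct { unsigned char *base; size_t len; int prot; } jit_region;

static int set_prot(jit_region *r, int prot) {
    if (mprotect(r->base, r->len, prot) != 0) return -1;
    r->prot = prot;
    return 0;
}
/* Map one page for JIT code: readable and executable, not writable by default. */
int jit_alloc(jit_region *r) {
    r->len = (size_t)sysconf(_SC_PAGESIZE);
    r->prot = PROT_READ | PROT_EXEC;
    r->base = mmap(NULL, r->len, r->prot, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return r->base == MAP_FAILED ? -1 : 0;
}
/* Explicit toggles: write is granted only with execute dropped, and back again. */
int jit_make_writable(jit_region *r)   { return set_prot(r, PROT_READ | PROT_WRITE); }
int jit_make_executable(jit_region *r) { return set_prot(r, PROT_READ | PROT_EXEC); }

/* Patch n bytes at off through the write window; the page is R+X on return. */
int jit_patch(jit_region *r, size_t off, const void *src, size_t n) {
    if (off > r->len || n > r->len - off) return -1;   /* stay inside the page */
    if (jit_make_writable(r) != 0) return -1;
    memcpy(r->base + off, src, n);
    return jit_make_executable(r);
}
/* Ask the kernel whether the page is writable without risking SIGSEGV:
 * read(2) into a non-writable buffer fails with EFAULT. */
int jit_is_writable(const jit_region *r) {
    int fd[2];
    unsigned char byte = r->base[0];          /* rewrite the same value */
    if (pipe(fd) != 0) return -1;
    ssize_t got = write(fd[1], &byte, 1) == 1 ? read(fd[0], r->base, 1) : -1;
    close(fd[0]); close(fd[1]);
    return got == 1;
}
int main(void) {
    const unsigned char stub[] = {0x01, 0x02, 0x03, 0x04}; /* constructed, never executed */
    jit_region r;
    if (jit_alloc(&r) != 0) return 1;
    printf("default: writable=%d\n", jit_is_writable(&r));
    int rc = jit_patch(&r, 0, stub, sizeof stub);
    printf("patch rc=%d, writable after=%d\n", rc, jit_is_writable(&r));
    return 0;
}
```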

The developer responsible for the implementation notes that the introduction of the feature impacts performance while executing JavaScript code.

According to benchmark tests, Firefox loses less than 1% on modern benchmarks such as Kraken or Octane, and less than 4% on older benchmarks such as SunSpider. While the performance drop is measurable, users of the browser will not notice it when JavaScript code is executed. (via Sören Hentzschel)

    Comments

    1. Nebulus said on January 4, 2016 at 1:12 pm

      Kudos for Mozilla for implementing such a security feature! While it can be bypassed, it requires more effort for the attacker, which is a good thing.

    2. Dale said on January 4, 2016 at 3:22 pm

      So this is going to slow down Firefox even more?

      Mozilla should find ways to improve security without negatively impacting performance.

      1. Nebulus said on January 4, 2016 at 3:54 pm

        I hope they will optimize their code further, so they can compensate for the loss of performance incurred by the new security feature.

      2. Ver Greeneyes said on January 4, 2016 at 4:07 pm

        Javascript performance of Firefox is top notch, just look at the comparisons on http://www.arewefastyet.com. This change slows down the performance of Sunspider, an ancient benchmark not very suited to JIT compilation (because it finishes so quickly), by 4% on OSX, and the difference is smaller on other benchmarks and operating systems.

        If you are experiencing performance issues with Firefox, the problem is probably an extension or another component, like hardware acceleration (which is finicky due to the large amount of GPUs and drivers out there). You’re not going to notice the impact *this* change has on performance, but it might prevent your computer from being hijacked.

      3. Jason said on January 5, 2016 at 12:16 am

        Honestly, I don’t find Firefox slow. I’ve heard stories of people with 100 installed extensions or 100 tabs open at the same time, but for an ordinary user like me, I doubt there is a human-noticeable performance difference from other “full-feature” browsers like Chrome. Standardized metrics support this view.

        In any case, the 1-4% drop reported here is definitely not going to be noticed by the user. We’re talking 1-4% on a scale of fractions of a second. I say “Bring it on!”.

    3. juju said on January 4, 2016 at 10:56 pm

      just whitewash. nothing to do with a word “security” if it’s pronounced by crooks
