deps,build: disable V8 untrusted code mitigations

[targos]

Checklist

• make -j4 test (UNIX), or vcbuild test (Windows) passes
• commit message follows commit guidelines

@nodejs/v8

[addaleax]

Can we add documentation for users on how to undo the effects of this at runtime?

[targos]

Sure, where should I write it? In BUILDING.md?

[vsemozhetbyt]

Refs: nodejs/node-v8#40

[targos]

Sorry I didn't read the "runtime" part. I guess we can add it to node --help output and the man page.

[addaleax]

Also, does this affect WebAssembly? I might be wrong but I was under the impression that that actually does provide a reliable, full sandbox within Node now.

Sure, where should I write it? In BUILDING.md?

I guess that depends – I read the linked issue, but I’m not sure whether --untrusted-code-mitigations will work at runtime or not if we bake this into the executable?
If not, then that seems like the right place, but I’m not sure whether it’s a good idea to do this at all then. If it does, I think it might be worth explicitly documenting this as a CLI option, like we do for --abort-on-uncaught-exception.

[targos]

/cc @hashseed and @bmeurer.
In nodejs/node-v8#40, you said that the flag not only impacts runtime but also some things are compiled differently.
I can't find anything in V8's source related to that. It seems to me that only the runtime flag is affected:

git grep -i untrusted -- deps/v8

deps/v8/BUILD.gn:  v8_untrusted_code_mitigations = true
deps/v8/BUILD.gn:  if (!v8_untrusted_code_mitigations) {
deps/v8/BUILD.gn:    defines += [ "DISABLE_UNTRUSTED_CODE_MITIGATIONS" ]
deps/v8/gypfiles/features.gypi:    'v8_untrusted_code_mitigations%': 'true',
deps/v8/gypfiles/features.gypi:      ['v8_untrusted_code_mitigations=="false"', {
deps/v8/gypfiles/features.gypi:        'defines': ['DISABLE_UNTRUSTED_CODE_MITIGATIONS',],
deps/v8/src/compilation-info.cc:      flags_(FLAG_untrusted_code_mitigations ? kUntrustedCodeMitigations : 0),
deps/v8/src/compilation-info.h:  bool has_untrusted_code_mitigations() const {
deps/v8/src/compiler/pipeline.cc:          data->info()->has_untrusted_code_mitigations()
deps/v8/src/compiler/wasm-compiler.cc:      untrusted_code_mitigations_(FLAG_untrusted_code_mitigations),
deps/v8/src/compiler/wasm-compiler.cc:  if (untrusted_code_mitigations_) {
deps/v8/src/compiler/wasm-compiler.cc:  if (untrusted_code_mitigations_) {
deps/v8/src/compiler/wasm-compiler.cc:  if (untrusted_code_mitigations_) {
deps/v8/src/compiler/wasm-compiler.cc:  if (untrusted_code_mitigations_) {
deps/v8/src/compiler/wasm-compiler.cc:  if (untrusted_code_mitigations_) {
deps/v8/src/compiler/wasm-compiler.cc:  if (untrusted_code_mitigations_) {
deps/v8/src/compiler/wasm-compiler.cc:  if (untrusted_code_mitigations_) {
deps/v8/src/compiler/wasm-compiler.h:  const bool untrusted_code_mitigations_ = true;
deps/v8/src/flag-definitions.h:#ifdef DISABLE_UNTRUSTED_CODE_MITIGATIONS
deps/v8/src/flag-definitions.h:#define V8_DEFAULT_UNTRUSTED_CODE_MITIGATIONS false
deps/v8/src/flag-definitions.h:#define V8_DEFAULT_UNTRUSTED_CODE_MITIGATIONS true
deps/v8/src/flag-definitions.h:DEFINE_BOOL(untrusted_code_mitigations, V8_DEFAULT_UNTRUSTED_CODE_MITIGATIONS,
deps/v8/src/flag-definitions.h:#undef V8_DEFAULT_UNTRUSTED_CODE_MITIGATIONS

[targos]

@addaleax see my previous message. The wasm compiler is affected.

[indutny]

LGTM, if CI is good.

[hashseed]

Let me give some information so that you can make an educated decision on this.

Also, does this affect WebAssembly? I might be wrong but I was under the impression that that actually does provide a reliable, full sandbox within Node now.

Spectre affects WebAssembly just as much as JavaScript. Both are "sandboxed". But that doesn't protect you from leaking information if CPUs do that at a machine instruction level.

In nodejs/node-v8#40, you said that the flag not only impacts runtime but also some things are compiled differently.
I can't find anything in V8's source related to that. It seems to me that only the runtime flag is affected

V8 runs mksnapshot at build time to produce the startup snapshot, which includes code objects to implement builtins and bytecode handlers. The latter are affected by the flag.

We are essentially looking at four combinations of enabling / disabling the flag at build time / runtime:

Disabled at build time and disabled at runtime
This is fine, no mitigations. Performance is good. However, we do not test this configuration at V8 at this point. I don't expect this to be a major risk though.

Disabled at build time and enabled at runtime
This makes no sense, since bytecode handlers do not have the mitigations. This is untested by V8.

Enabled at build time and disabled at runtime
We test this configuration in V8, but not in Chrome. Having mitigations enabled in bytecode handlers will slow down performance of the interpreter, but peak performance will unlikely to be affected, as optimized code do not include mitigations.

Enabled at build time and enabled at runtime
We test this configuration in V8 and in Chrome, with full Canary coverage. Performance will regress, as observed. This gives as much protection against Spectre as we can get with V8 6.6.

Personally I would just disable altogether, and discourage people from enabling at runtime via command line flag.

So this change looks good to me.

[natorion]

Please also have a look at https://github.com/v8/v8/wiki/Untrusted-code-mitigations

[bmeurer]

I also strongly recommend to not offer any of these mitigations at all by default in Node. They don't make sense. If someone needs a Node with these on, they should build their own version, and better know exactly what they are doing and why. I think we might otherwise risk sending people down into false sense of security, because just passing --untrusted-code-mitigations will not protect anyone in Node land from just accessing anything on the underlying system via require('fs') etc.

[bnoordhuis]

Is it an idea to add a regression test that checks that --untrusted_code_mitigations in --v8-options defaults to false?

[devsnek]

is this overridden by common.gypi?

[targos]

Yes. It's the 2nd commit in this PR.

[targos]

@bnoordhuis I added a test.

[targos]

CI: https://ci.nodejs.org/job/node-test-pull-request/13672/

[bmeurer]

LGTM

[targos]

Landed in cac4da0 and c6ae8a2