Disable JavaScript JIT
JIT (Just-In-Time compilation) is an optimization applied to some interpreted languages: instead of only interpreting the code, the runtime compiles it to native machine code while the program is running. JavaScript is one of those languages. The sandbox should disable JIT to improve security. I've attached a solution (just appending the config changes to the autoconfig file).
Problems caused by JIT:
- Increased susceptibility to ROP
- A type of heap spraying called JIT-spraying (used for bypassing ASLR and NX)
- High speed loops leading to efficient rowhammer.js implementations
- Side-channel attacks against other tabs and other processes
- Improved accuracy for keystroke dynamics (biometric fingerprinting)
- Mandatory RWX mappings (Firefox 46 may fix this, making W^X and maybe PAX_MPROTECT finally work)
- Increased attack surface by passing code through a compiler
Problems solved by JIT:
- Improved performance on extremely JavaScript-heavy pages
Given that the priority is assumed to be security rather than performance, I hope the negligible trade-off is acceptable.
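As an added example (not the attachment from the original issue), here are the Firefox prefs that turn off the JIT tiers, rendered in autoconfig lockPref() syntax, together with a check that audits a profile's prefs.js for tiers left enabled. The pref names are real Firefox prefs; the helper names and the sample prefs.js are constructed for this example.

```javascript
// Added example: Firefox prefs that disable the JavaScript JIT tiers, emitted in
// autoconfig (mozilla.cfg) syntax, plus an audit of a prefs.js dump.
// Pref names are real Firefox prefs; helper names and sample data are constructed.

// Each entry: pref name -> value that disables that JIT tier.
const JIT_LOCKDOWN_PREFS = {
  "javascript.options.ion": false,          // IonMonkey optimizing JIT
  "javascript.options.baselinejit": false,  // Baseline JIT
  "javascript.options.asmjs": false,        // asm.js ahead-of-time compiler
  "javascript.options.wasm": false,         // WebAssembly (also JIT-compiled)
  "javascript.options.native_regexp": false // regexp JIT (native code for regexps)
};

// Render the prefs as lockPref() lines for mozilla.cfg. Autoconfig files must
// begin with a comment line, so one is emitted first.
function buildJitLockdownCfg(prefs = JIT_LOCKDOWN_PREFS) {
  const lines = ["// Firefox autoconfig: disable JavaScript JIT tiers"];
  for (const [name, value] of Object.entries(prefs)) {
    lines.push(`lockPref("${name}", ${JSON.stringify(value)});`);
  }
  return lines.join("\n") + "\n";
}

// Audit a prefs.js dump: return the JIT prefs that are still enabled, i.e. not
// explicitly set to false. Absent prefs count as enabled (the Firefox default).
function auditJitPrefs(prefsJsText, prefs = JIT_LOCKDOWN_PREFS) {
  const re = /^\s*(?:user_)?pref\("([^"]+)",\s*(true|false)\);/gm;
  const seen = new Map();
  for (const m of prefsJsText.matchAll(re)) seen.set(m[1], m[2] === "true");
  return Object.keys(prefs).filter((name) => seen.get(name) !== false);
}

// Constructed sample prefs.js: one tier off, one explicitly on, the rest absent.
const SAMPLE_PREFS_JS = [
  'user_pref("javascript.options.ion", false);',
  'user_pref("javascript.options.baselinejit", true);',
  'user_pref("browser.startup.homepage", "about:blank");',
].join("\n");

console.log(buildJitLockdownCfg());
console.log("still enabled:", auditJitPrefs(SAMPLE_PREFS_JS));
```

The rendered text is what gets appended to mozilla.cfg; the audit is a quick way to confirm on a live profile that the lock actually took.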