
Tip: Run Brave Browser Without JIT


When it comes to secure web browsers, Brave is at the top of the list (no matter how some might want to disagree). However, extra hardening is never a bad thing, and one of the simplest ways is to disable JIT.

JIT in a Nutshell


"JavaScript Just-In-Time (JIT) compilation is a technique used by modern web browsers to optimize the execution of JavaScript code. In this context, JIT refers to the compilation of JavaScript code into bytecode, which is then executed by an interpreter. This process occurs dynamically, during runtime, hence the term Just-In-Time."

The above was courtesy of Brave Search by the way.

Security Implications


The problem with JIT, though, is the increased attack surface it provides. You know when they say that browsers are the biggest attack vector on a computer? Well, JIT certainly doesn't help with that.

On top of that, it can be exploited in a number of ways, such as bypassing ASLR and data execution prevention (JIT spraying), and code injection attacks. Then there are the potential information leaks and arbitrary code execution.

Overall, for better security, JIT is something that should be used only if you absolutely need it. How do you know if you need it or not? A general rule (which I use for myself as well) is "if you don't know whether you need something or not, assume you don't need it, until you do".

So, what to do?

Disable JIT


The easy solution is to disable JIT when running Brave, and this is easily done through the command line by using a simple flag:


$ /usr/bin/brave-browser --js-flags='--jitless' &

This can be made into a script like this one, or used as a command with sxhkd or xbindkeys.

Note that this flag will work with any Chromium-based browser (at least it works with pure Chromium), but why use them when you can use Brave?
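
A launcher along those lines, as an added example (not the script the post links to): it folds any caller-supplied `--js-flags=` values into a single switch that always contains `--jitless`, and drops V8's negated spellings `--no-jitless` and `--nojitless`. The script name `brave-jitless` and the `BRAVE_BIN` override are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post. BRAVE_BIN defaults to the path
# used on the page; the script name "brave-jitless" is hypothetical.
BRAVE_BIN="${BRAVE_BIN:-/usr/bin/brave-browser}"

# merge_js_flags "<V8 flags>": print the flags with --jitless present exactly
# once and any opt-out spelling (--no-jitless / --nojitless) removed.
merge_js_flags() {
    out="--jitless"
    set -f                      # no filename globbing while splitting flags
    for f in $1; do
        case "$f" in
            --jitless|--no-jitless|--nojitless) ;;
            *) out="$out $f" ;;
        esac
    done
    set +f
    printf '%s\n' "$out"
}

# launch_jitless ARGS...: fold every caller-supplied --js-flags=... into one
# switch that includes --jitless; all other arguments keep their order.
launch_jitless() {
    user_flags=""
    n=$#
    while [ "$n" -gt 0 ]; do
        arg=$1
        shift
        n=$((n - 1))
        case "$arg" in
            --js-flags=*) user_flags="$user_flags ${arg#--js-flags=}" ;;
            *) set -- "$@" "$arg" ;;   # rotate other arguments to the back
        esac
    done
    "$BRAVE_BIN" "--js-flags=$(merge_js_flags "$user_flags")" "$@"
}

# Launch only when installed under the (hypothetical) name brave-jitless, so
# sourcing the file from another script just defines the functions.
case "${0##*/}" in
    brave-jitless*) launch_jitless "$@" ;;
esac
```

Saved as `brave-jitless` somewhere on `PATH`, it can be bound in sxhkd or xbindkeys in place of the raw command.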

Considerations


It goes without saying that like any other hardening technique, this does not render your browser 100% bulletproof, and the usual security considerations still apply.

Also, disabling JIT may cause a loss of performance, but this is a "your mileage may vary" type of situation. I have not noticed any slowness so far, so my best guess is that whatever performance loss occurs is in the range of milliseconds at most. Again, YMMV. If you want security, though, this is a potential trade-off you need to accept.