Mozilla is working on a feature called W^X which should help in toughening the security of its Firefox browser. The browser developer has added W^X, which stands for 'Write XOR Execute', to an early test version of Firefox. Although the feature makes the browser more secure, it does come at a cost.
'Write or Execute' is a security measure that should make every page in a process' address space either writable or executable, but not both simultaneously. Most Just in Time (JIT) compilers use Read, Write and eXecute (RWX) rights for memory pages. A JIT compiler is software that translates code to machine code during execution of the program, instead of when the code is finished like for most regular applications.
Memory pages that can be read, write and executed suffer from several problems. One of them is that it's easy to abuse several errors. Modern operating systems therefore store code in the executable memory that's not writeable. RWX JIT code is an exception to that and is an interesting target for attackers. Another possible problem is memory corruption. With W^X enabled all memory pages with JIT code are not writable by default.
W^X has now been added to the latest nightly of Firefox 46 and if there are no major issues it will become part of the definitive version of Firefox 46 which is planned for April this year.
The improved security comes at a (small) cost, it degrades the performance of the browser. In benchmarks such as Kraken and Octane with W^X enabled Firefox scores about 1% lower. In the Sunspider benchmark the performance degradation on Windows and Linux is about 3% and on Mac OS X about 4%.
