XS deep freeze conflicts with SES security constraints #1058
Comments
Attn @phoddie

Thanks for the nudge. Regarding

A few more relevant issues:

Let's focus this issue on XS deep freeze (

I was going to close this, since security-related issues in the moddable repo (Moddable-OpenSource/moddable#351, Moddable-OpenSource/moddable#353) are closed, and other stuff mentioned above is tracked elsewhere, but deep freeze is still an issue.

@erights remind me which SES constraint this violates? i.e. how it can be used for attack? You explained it to me once but it has since leaked out.
I'm not certain that our extension to

Here's an example to check my understanding:

```js
class Foo {
  #x = 12;
  y = {z: 12};
  set x(value) {
    this.#x = value;
  }
  get x() {
    return this.#x;
  }
}
let f = new Foo;
Object.freeze(f, true); // XS extension: a truthy second argument requests a transitive freeze
f.x = 11;
trace(f.x, "\n");       // trace() is XS's console output function
f.y.z = 12;
```

Setting

Even if it is "safe", this extension to

Note: When building a ROM image, the XS linker does perform a deeper freeze that goes beyond what can be expressed by the JavaScript language today. But, that feature of XS is not used by the Agoric runtime.
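The distinction the example above probes, shown in standard JavaScript only, as an added example that is not code from this thread, from XS, or from Agoric/Endo: a plain `Object.freeze` (whose second argument standard engines ignore) beside a user-land transitive freeze in the spirit of SES `harden`. `hardenLike`, `FRINGE`, `tryWrite` and the two demo functions are simplified constructions for this illustration, not Endo's real `harden`; they show what user code can and cannot freeze (reachable objects yes, a private field `#x` no).

```javascript
// Added example (not from the thread): shallow Object.freeze versus a
// user-land transitive freeze. hardenLike/FRINGE/tryWrite are illustrative
// constructions, not Endo's harden implementation.

// Same class as in the comment above.
class Foo {
  #x = 12;
  y = { z: 12 };
  set x(value) { this.#x = value; }
  get x() { return this.#x; }
}

// Prototypes the walk stops at: in SES these intrinsics are frozen once at
// lockdown. Stopping here keeps the demo from freezing the host's shared built-ins.
const FRINGE = new Set([Object.prototype, Function.prototype, Array.prototype]);

// Transitively freeze everything reachable from `root` through own property
// values, accessor functions and prototype chains. This is what user code CAN
// express; it cannot reach private fields (#x) or engine-internal state.
function hardenLike(root) {
  const seen = new Set();
  const todo = [root];
  while (todo.length > 0) {
    const obj = todo.pop();
    if (obj === null || (typeof obj !== 'object' && typeof obj !== 'function')) continue;
    if (seen.has(obj) || FRINGE.has(obj)) continue;
    seen.add(obj);
    Object.freeze(obj);
    for (const desc of Object.values(Object.getOwnPropertyDescriptors(obj))) {
      if ('value' in desc) todo.push(desc.value); // data property: follow its value
      if (desc.get) todo.push(desc.get);           // accessor: freeze getter and setter too
      if (desc.set) todo.push(desc.set);
    }
    todo.push(Object.getPrototypeOf(obj));
  }
  return root;
}

// Attempt a write and report whether it took effect. A frozen target throws
// in strict code and silently ignores the write in sloppy code; this handles both.
function tryWrite(target, key, value) {
  try { target[key] = value; } catch (e) { /* TypeError under strict mode */ }
  return target[key] === value;
}

function shallowFreezeDemo() {
  const f = new Foo();
  // Standard engines ignore the second argument; only XS reads it as a
  // deep-freeze flag. Here it is an ordinary shallow freeze of f's own properties.
  Object.freeze(f, true);
  const setterRan = tryWrite(f, 'x', 11);    // accessor on the prototype runs; #x is not a property
  const innerWrote = tryWrite(f.y, 'z', 99); // the object held by f.y is untouched by the freeze
  return { x: f.x, z: f.y.z, setterRan, innerWrote, yFrozen: Object.isFrozen(f.y) };
}

function transitiveFreezeDemo() {
  const f = hardenLike(new Foo());
  const setterRan = tryWrite(f, 'x', 11);    // still works: no freeze reaches the private field
  const innerWrote = tryWrite(f.y, 'z', 99); // rejected now: f.y was frozen by the walk
  return {
    x: f.x, z: f.y.z, setterRan, innerWrote,
    yFrozen: Object.isFrozen(f.y),
    protoFrozen: Object.isFrozen(Foo.prototype),
  };
}

console.log(shallowFreezeDemo(), transitiveFreezeDemo());
```

The point for the thread: a transitive freeze expressible in user code stops at the language's own boundaries (private fields keep working through their accessors, and intrinsics are left to lockdown), whereas a freeze that goes "beyond what can be expressed by the JavaScript language" has no such boundary to reason about.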
That seems cost-effective. Yes, please, @phoddie

I would love to understand its semantics. If it is approximately harden or purify, it may be great for us! Though we would package it differently.

I removed the MN-1 label because this does not affect MN-1.

Oh, I should have noticed @dckc that you added the MN-1 label recently. If I'm missing something, please add it back in and let me know. Thanks.

Right... It's more MN-3.

@kriskowal This does not have an area label that is covered by our weekly tech / planning meetings. Can you assign the proper label? We cover: agd, agoric-cosmos, amm, core economy, cosmic-swingset, endo, getrun, governance, installation-bundling, metering, run-protocol, staking, swingset, swingset-runner, token economy, wallet, zoe contract.
Again, I suggest xsnap is covered in weekly endo / SES meetings. |
Agreed, I just added it to the ZH filter for the Zoe/ERTP meeting. |
The XS `Object.freeze` takes a second optional boolean parameter that, if truthy, causes some form of transitive freezing. But unlike `harden`, it does more freezing than user code can do (and inspired the `petrify` notion we're still designing). As currently implemented, this enhanced `Object.freeze` can be used for attack.

previously:

Moddable-OpenSource/moddable#351
Moddable-OpenSource/moddable#353

are both memory unsafety problems in XS. Let's use this issue thread to accumulate XS issues that are a security concern for us, until we start on an engineering process of securing XS.

Memory unsafety bugs are of course fully fatal for us. But all sorts of other deviations from standard ES, including deviations allowed by the ES spec, are potential concerns: