Loading ...
Sorry, an error occurred while loading the content.

[Fwd: Re: ADsafe attack]

Expand Messages
  • David-Sarah Hopwood
    [This might be a duplicate; I m having trouble posting to this list from my usual account.] ... From: David-Sarah Hopwood
    Message 1 of 11 , May 21, 2008
    • 0 Attachment
      [This might be a duplicate; I'm having trouble posting to this list
      from my usual account.]

      -------- Original Message --------
      From: David-Sarah Hopwood <david.hopwood@...>
      To: Douglas Crockford <douglas@...>
      Subject: Re: ADsafe attack

      Douglas Crockford wrote:
      > I don't trust a blacklist approach to guard dot, so that would mean
      outlawing dot except in a few specific cases, which would make use of
      the language close to unbearable.
      >
      > So instead, I will fix Firefox:
      >
      > Array.prototype.concat = function () {
      > var concat = Array.prototype.concat;
      > return function () {
      > if (this === window) {
      > throw {
      > name: "ADsafe",
      > message: "ADsafe violation."
      > };
      > }
      > return concat.apply(this, arguments);
      > };
      > }();
      >
      > We will have to do this for all of the Array methods that return
      this.

      Not just Array; all of the methods accessible in the public API. The
      problem with that approach is that there may be methods that are not
      standardized, and that are also not enumerable.

      If there were a way to enumerate all properties of an object
      regardless
      of DontEnum attributes, then it would be possible to perform this fix
      automatically and reliably. Otherwise, it doesn't seem to be possible
      (without rewriting) to allow unrestricted use of both '.' and '()'.

      > It is galling, but I don't see a better alternative.

      Jacaranda doesn't allow unrestricted use of '.'; it allows only
      "foo.method(...)", "this.property", and "foo.$get('property')".
      It's possible to do a 'lightweight' rewriting of "foo.property" to
      "foo.$get('property')", where the rewriter is not in the TCB.

      > I think we should also add language to ES3.1 15.4.4.4 and elsewhere
      that force the methods to throw when they are called as functions
      (with this === window).
      >
      > Go ahead and make it public.

      OK -- can I also forward this conversation?
      [The answer was yes.]

      --
      David-Sarah Hopwood
    • David-Sarah Hopwood
      ... From: Douglas Crockford To: David-Sarah Hopwood , Mark Miller
      Message 2 of 11 , May 21, 2008
      • 0 Attachment
        -------- Original Message --------
        From: Douglas Crockford <douglas@...>
        To: David-Sarah Hopwood <david.hopwood@...>,
        Mark Miller <erights@...>
        Subject: Re: ADsafe attack

        I found three of Firefox's Array methods return window when called as
        functions.
        ADSAFE is now wrapping them:

        var mozilla = function (name) {
        var method = Array.prototype[name];
        Array.prototype[name] = function () {
        if (this === window) {
        error();
        }
        return method.apply(this, arguments);
        };
        };

        mozilla('concat');
        mozilla('reverse');
        mozilla('sort');

        I am worried about the extra Array methods (map, reduce, et al) but I
        haven't found a hole yet.
      • David-Sarah Hopwood
        ... From: Douglas Crockford To: David-Sarah Hopwood Subject: Re: ADsafe attack ... The
        Message 3 of 11 , May 21, 2008
        • 0 Attachment
          -------- Original Message --------
          From: Douglas Crockford <douglas@...>
          To: David-Sarah Hopwood <david.hopwood@...>
          Subject: Re: ADsafe attack

          David-Sarah Hopwood wrote:
          > Not just Array; all of the methods accessible in the public API. The
          > problem with that approach is that there may be methods that are not
          > standardized, and that are also not enumerable.

          The public API is the stuff that ADsafe allows. The ADSAFE object may
          not
          contain any method that can leak. The ADsafe contract does not allow
          adding
          methods to the public objects that can leak. ADsafe does not allow
          the public
          objects to be used as values, so

          var o = Object;
          for (name in o) {

          is not allowed.

          It also includes anything that Firefox provides that ADsafe does not
          block. Does it have any more tricks?
        • David-Sarah Hopwood
          ... I m not convinced that it is sufficiently robust to just check for (this === window). This should work: function robustify(aType, methodName) { var proto =
          Message 4 of 11 , May 21, 2008
          • 0 Attachment
            Douglas Crockford wrote:
            > I don't trust a blacklist approach to guard dot, so that would mean
            > outlawing dot except in a few specific cases, which would make use of
            > the language close to unbearable.
            >
            > So instead, I will fix Firefox:
            >
            > Array.prototype.concat = function () {
            > var concat = Array.prototype.concat;
            > return function () {
            > if (this === window) {
            > throw {
            > name: "ADsafe",
            > message: "ADsafe violation."
            > };
            > }
            > return concat.apply(this, arguments);
            > };
            > }();

            I'm not convinced that it is sufficiently robust to just check for
            (this === window). This should work:

            function robustify(aType, methodName) {
            var proto = aType.prototype;
            var oldMethod = proto[methodName];

            if ({}.__proto__ !== undefined) {
            aType.prototype[methodName] = function () {
            if (this.__proto__ !== proto) {
            throw {name: "ADsafe", message: "ADsafe violation."};
            }
            return oldMethod.apply(this, arguments);
            };
            } else {
            proto._type___ = proto;
            if (Object.dontEnum !== undefined) {
            Object.dontEnum(proto, '_type___');
            }
            aType.prototype[methodName] = function () {
            if (this._type___ !== proto) {
            throw {name: "ADsafe", message: "ADsafe violation."};
            }
            return oldMethod.apply(this, arguments);
            };
            }
            }

            robustify(Array, 'concat');

            However, without having a way to enumerate all of the functions,
            including undocumented ones, defined on the prototypes of
            {Object,Function,Array,String,Boolean,Number,Math,Date,RegExp,*Error},
            you still risk missing one that could potentially leak 'this'.

            Any chance of an Object.__allKeys__(object) method, which ignores
            DontEnum, in ES3.1?

            --
            David-Sarah Hopwood
          • Douglas Crockford
            ... We are considering an Object.keys method, but it will only return the own, enumerable property names.
            Message 5 of 11 , May 21, 2008
            • 0 Attachment
              --- In caplet@yahoogroups.com, David-Sarah Hopwood <david.hopwood@...>
              wrote:
              > Any chance of an Object.__allKeys__(object) method, which ignores
              > DontEnum, in ES3.1?

              We are considering an Object.keys method, but it will only return the
              own, enumerable property names.
            • Douglas Crockford
              ... Why? The test is intended to reject invocations of the method as a function. What cases are missed?
              Message 6 of 11 , May 21, 2008
              • 0 Attachment
                --- In caplet@yahoogroups.com, David-Sarah Hopwood <david.hopwood@...>
                wrote:
                > I'm not convinced that it is sufficiently robust to just check for
                > (this === window).

                Why? The test is intended to reject invocations of the method as a
                function. What cases are missed?
              • Mark S. Miller
                On Wed, May 21, 2008 at 12:02 PM, David-Sarah Hopwood ... Yes! The about-to-be-specified Object.getProperties(obj) will provide a reflective description of all
                Message 7 of 11 , May 21, 2008
                • 0 Attachment
                  On Wed, May 21, 2008 at 12:02 PM, David-Sarah Hopwood
                  <david.hopwood@...> wrote:
                  > Any chance of an Object.__allKeys__(object) method, which ignores
                  > DontEnum, in ES3.1?

                  Yes! The about-to-be-specified Object.getProperties(obj) will provide
                  a reflective description of all an object's own properties. This
                  operation itself will not be visible from Caja, and I wouldn't
                  recommend that it be visible from ADsafe, but in both cases it's
                  useful within the runtime libraries of these secure subsets, to help
                  enforce useful properties, as you explain.


                  --
                  Cheers,
                  --MarkM
                • David-Sarah Hopwood
                  ... That s why I suggested a name using the __...__ convention. Otherwise, a subset language that does not do rewriting must do one of: - blacklist the name
                  Message 8 of 11 , May 21, 2008
                  • 0 Attachment
                    Mark S. Miller wrote:
                    > On Wed, May 21, 2008 at 12:02 PM, David-Sarah Hopwood
                    > <david.hopwood@...> wrote:
                    >> Any chance of an Object.__allKeys__(object) method, which ignores
                    >> DontEnum, in ES3.1?
                    >
                    > Yes! The about-to-be-specified Object.getProperties(obj) will provide
                    > a reflective description of all an object's own properties. This
                    > operation itself will not be visible from Caja, and I wouldn't
                    > recommend that it be visible from ADsafe, but in both cases it's
                    > useful within the runtime libraries of these secure subsets, to help
                    > enforce useful properties, as you explain.

                    That's why I suggested a name using the __...__ convention.

                    Otherwise, a subset language that does not do rewriting must do one of:
                    - blacklist the name 'getProperties', which is ugly;
                    - rebind 'Object' when running subset code, which does not have
                    well-defined semantics and may cause compatibility problems;
                    - block access to 'Object', which would not otherwise be necessary.

                    Actually, a better idea would be to move *all* of the methods proposed
                    to be added to Object, to a new global 'Reflect'. Rebinding 'Reflect'
                    in order to provide tamed versions of these operations when running
                    subset code would not have the same problems as rebinding 'Object',
                    since 'Reflect' is not used for anything else.

                    --
                    David-Sarah Hopwood
                  • Douglas Crockford
                    ... Mark came up with a better idea: ADsafe denies any access to Object.
                    Message 9 of 11 , May 21, 2008
                    • 0 Attachment
                      --- In caplet@yahoogroups.com, David-Sarah Hopwood <david.hopwood@...>
                      wrote:
                      > That's why I suggested a name using the __...__ convention.
                      >
                      > Otherwise, a subset language that does not do rewriting must do one of:
                      > - blacklist the name 'getProperties', which is ugly;
                      > - rebind 'Object' when running subset code, which does not have
                      > well-defined semantics and may cause compatibility problems;
                      > - block access to 'Object', which would not otherwise be necessary.
                      >
                      > Actually, a better idea would be to move *all* of the methods proposed
                      > to be added to Object, to a new global 'Reflect'. Rebinding 'Reflect'
                      > in order to provide tamed versions of these operations when running
                      > subset code would not have the same problems as rebinding 'Object',
                      > since 'Reflect' is not used for anything else.

                      Mark came up with a better idea: ADsafe denies any access to Object.
                    • David-Sarah Hopwood
                      ... I don t want to have to do that in Jacaranda (where it would otherwise be safe to allow first-class access to Object). -- David-Sarah Hopwood
                      Message 10 of 11 , May 21, 2008
                      • 0 Attachment
                        Douglas Crockford wrote:
                        > --- In caplet@yahoogroups.com, David-Sarah Hopwood <david.hopwood@...>
                        > wrote:
                        >> That's why I suggested a name using the __...__ convention.
                        >>
                        >> Otherwise, a subset language that does not do rewriting must do one of:
                        >> - blacklist the name 'getProperties', which is ugly;
                        >> - rebind 'Object' when running subset code, which does not have
                        >> well-defined semantics and may cause compatibility problems;
                        >> - block access to 'Object', which would not otherwise be necessary.
                        >>
                        >> Actually, a better idea would be to move *all* of the methods proposed
                        >> to be added to Object, to a new global 'Reflect'. Rebinding 'Reflect'
                        >> in order to provide tamed versions of these operations when running
                        >> subset code would not have the same problems as rebinding 'Object',
                        >> since 'Reflect' is not used for anything else.
                        >
                        > Mark came up with a better idea: ADsafe denies any access to Object.

                        I don't want to have to do that in Jacaranda (where it would otherwise
                        be safe to allow first-class access to Object).

                        --
                        David-Sarah Hopwood
                      Your message has been successfully submitted and would be delivered to recipients shortly.