This document discusses hardened JavaScript and how it can be used to safely run untrusted code. It describes how JavaScript environments like browsers allow arbitrary programs to run but mediate their interactions. It then explains how techniques like freezing objects, compartmentalization, and avoiding direct eval can "harden" JavaScript to prevent malicious code from harming the system or accessing private data. The goal is to allow safe interaction between mutually untrusting code while preventing attacks.
2. DEC VT100 Terminal, Jason
Scott
Interaction and Vulnerability
Netscape Navigator 1.22 on
Windows
3. 3
Interaction and Vulnerability
Running other people’s programs is dangerous
and some people will even tell you that you
shouldn’t do it.
You can run other people’s programs safely.
The solution is Hardened JavaScript.
4. Ulysses and the Sirens, 1891, by John William Waterhouse
Interaction and Vulnerability
5. User Agent
5
User agents mediate interaction. A web browser is a
user agent.
■ Browsers invite arbitrary programs off the
internet to run on your computer.
■ Server sends a program to the client.
■ The client runs the program with limited
access to local resources.
■ The browser mediates the interaction through
its user interface “chrome”.
Motorcycle Reflections, Atoma
6. Two parties (client and server) are easy to
safeguard, but not very interesting.
Within a user agent, multiple parties can send each
other facets of APIs and interact directly with each
other on behalf of the user.
■ Client engages two other services.
■ Client introduces one service to the other, to
communicate on its behalf.
■ Browser mediates the interaction, including
the ability to revoke communication between
third-party services at any time.
Three is a Party
6
Granovetter Diagram
8. Queries are
Hobbled
Programs
Consider the case of a data
service provider that accepts
arbitrary programs instead of a
weakened query language.
8
const search = query => {
const matches = [];
for (const item of database.items()) {
if (eval(query)) {
matches.push(item);
};
}
return matches;
};
// With great interaction…
search('item.price > 50 && item.size == 8');
// …comes great vulnerability.
search('database.dropAllTables(), false');
9. Eval is not exactly Evil
The Levenshtein Distance between Eval and Evil is not zero.
Eval is not Evil, QED.
E V I L
E 0 1 2 3
V 1 0 1 2
A 2 1 1 2
L 3 2 2 1
13. How Eval can be
used for Evil
13
Let me count the ways.
■ To replace constructors with imposters,
■ To subvert methods on shared prototypes,
■ To distribute furtive missives on properties of
unsuspecting objects,
■ To listen to activity through the walls with
high resolution timers,
■ To hog local resources like memory or
compute time,
■ To use powerful API’s to steal your private
keys and scribble on your disk,
■ To run your kitchen sink garbage disposal at
inopportune times,
■ To teach your pets to wage a guerrilla war for
14. Taming Eval
■ 🔒 Lockdown: Freeze every object the
language provides, the shared primordials.
■ 🧊 Harden: Give programs a way to deep
freeze the objects they share with other
parties.
■ 📦 Compartment: Provide a way to make
spaces that only have the shared primordials
and other explicitly shared objects.
Give programs a firm foundation to stand on to
defend their own integrity and confidentiality.
14
