How to clean up __proto__ (was: Why we need to clean up __proto__)

Mark S. Miller erights at google.com
Thu Dec 29 17:29:27 PST 2011


On Thu, Dec 29, 2011 at 5:11 PM, David Bruant <bruant.d at gmail.com> wrote:
[...]

> If you do not run first, the attacker can make the environment look
> like a normal one. Specifically, you can try to do
> Object.defineProperty(Object.prototype, '__proto__',
> {configurable:false}) and the attacker can later pretend that the
> property is not configurable (in response to an
> Object.getOwnPropertyDescriptor) even though it actually still is (and
> she can still change the value at convenience).


I just want to point out that SES initialization has been doing this kind
of virtualization for a long time, and depending on being able to do it
transparently enough. The most extreme example is
<code.google.com/p/es-lab/source/browse/trunk/src/ses/WeakMap.js>, where we
emulate WeakMaps with surprising efficiency on platforms that don't provide
these as built ins.

The technique relies on unguessability and undiscoverability of a randomly
chosen property name. We virtualize freeze, seal, and preventExtensions, to
add this property before we lose our ability to do so. We virtualize
Object.getOwnPropertyNames so that it doesn't report this property, and we
make the property non-enumerable, so that it can't be discovered with
for-in, which we cannot virtualize without parsing.


-- 
    Cheers,
    --MarkM