[Harmony proxies] Non-configurable properties: fixed properties VS trap all with invariants enforcement

David Bruant david.bruant at labri.fr
Wed Jun 22 07:51:29 PDT 2011

On 22/06/2011 10:14, Tom Van Cutsem wrote:
> It just occurred to me that the security issues you describe re. fixed 
> properties & membranes may not be as bad as we first thought they were.
> Because of the recursive wrapping of the membrane code, all of the 
> get/set/value attributes of fixed properties will contain wrappers 
> themselves. So, after revoking a membrane, untrusted code will still 
> have access to the structural information of these properties, but 
> won't be able to do anything useful with its values (they are revoked 
> wrappers themselves). The structural information itself does not 
> convey any useful authority to the untrusted code.
It does leak that the property exists (because a value is returned 
instead of throwing unconditionally). It doesn't sound very dangerous 
or exploitable, but it's a leak.

> The wrapper may still "leak" previously exposed information (e.g. 
> primitives are not wrapped), but the untrusted code could retain 
> access to this information regardless (even if we switched to 
> validating proxies).
The wrapper can also leak previously unexposed information (not for one 
piece of untrusted code, but at least two). That was the point of the 
adjustment of my example:
( 0) Untrusted code 1 and 2 have a reference to the wrapper w )
1) Untrusted code 1 does: Object.defineProperty(w, 'p', 
{configurable:false, value:1})
2) Trusted code closes the gate
3) In Untrusted code 2: 'p' in w === true

Before 1), this 'p' property wasn't exposed to Untrusted code 2. Closing 
the gate in 2) should prevent everyone (like Untrusted code 2) who 
hadn't seen 'p' before gate-closing from seeing it afterward. It is not big, 
but it allows two pieces of untrusted code to communicate (more than 
they would if the trap was called and threw right away).

The easy workaround is to hand different wrappers to different pieces of 
untrusted code, but duplicating the number of necessary objects to 
guarantee security is an unfortunate workaround.

> So, long story short: I don't think proxies with fixed properties 
> weaken the actual security afforded by membranes, but I fully agree 
> that the fact that information is lingering in revoked proxies is 
> surprising.
> Cheers,
> Tom
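The three-step scenario from the message above, run against both designs named in the subject line, as an added example that is not part of the original thread: the "fixed properties" wrapper is a simulation of that design (it was never shipped), and `Proxy.revocable` from ES2015 stands in for "trap all with invariants enforcement", the design that was eventually adopted.

```javascript
// Added example, not from the original thread. Both membrane variants expose
// the same small API so the scenario can run unchanged against each:
//   define(name, desc)  - Object.defineProperty through the wrapper
//   has(name)           - `name in wrapper`
//   close()             - trusted code closes the gate

// Design 1 (simulated): "fixed properties". A non-configurable property
// defined through the wrapper is recorded on the wrapper itself, and `has`
// answers from that record without consulting the gate.
function fixedPropertiesMembrane(target) {
  let open = true;
  const fixed = new Set();
  return {
    define(name, desc) {
      if (!open) throw new TypeError('gate closed');
      Object.defineProperty(target, name, desc);
      if (desc.configurable === false) fixed.add(name);
    },
    has(name) {
      if (fixed.has(name)) return true;   // the leak: answered before the gate check
      if (!open) throw new TypeError('gate closed');
      return name in target;
    },
    close() { open = false; },
  };
}

// Design 2: "trap all with invariants enforcement", which is what ES2015
// Proxy implements. Every operation reaches the handler, and a revoked proxy
// throws a TypeError on every trap, so nothing structural survives closing.
function invariantMembrane(target) {
  const { proxy, revoke } = Proxy.revocable(target, {});
  return {
    define(name, desc) { Object.defineProperty(proxy, name, desc); },
    has(name) { return name in proxy; },
    close: revoke,
  };
}

// Steps 1-3 from the message: untrusted code 1 defines 'p' as
// non-configurable, trusted code closes the gate, untrusted code 2 probes.
function runScenario(makeMembrane) {
  const w = makeMembrane({});
  w.define('p', { configurable: false, value: 1 }); // 1) untrusted code 1
  w.close();                                         // 2) trusted code
  try {                                              // 3) untrusted code 2
    return w.has('p') ? 'leaked' : 'hidden';
  } catch (e) {
    return 'throws';
  }
}
```

`runScenario(fixedPropertiesMembrane)` returns `'leaked'` (untrusted code 2 learns that 'p' exists after the gate closed), while `runScenario(invariantMembrane)` returns `'throws'`.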
