Lecture series on SES and capability-based security by Mark Miller

Brendan Eich brendan at mozilla.com
Fri Nov 4 14:33:31 PDT 2011


On Nov 4, 2011, at 9:39 AM, Mark S. Miller wrote:

> Perhaps this annoyance really is a feature after all?

It is!


> I asked him to keep quiet about it for the remainder of the 24 hours because I was curious to see what people came up with.
> 
> Congrats to Dave!

Kris Zyp tweeted his attack and must have been testing only in Chrome. I tweeted back:

https://twitter.com/#!/kriszyp/status/132231939569618944
https://twitter.com/#!/BrendanEich/status/132367206657957888


@kriszyp:
An answer to M Miller's es-discuss challenge (w/out spoiling on ml): var array;table.store("push", function(){array = this;});table.add();

@BrendanEich:
@kriszyp should throw when store("push", ...) tries to shadow frozen Array.prototype.push -- does in SpiderMonkey. cc: @awbjs


> Note that I don't see any realistic way to fix problem #3 in the ES.next
> language.

If you mean the problem that o[x] = y can shadow a writable proto-method, that's a feature too. But freezing helps.

If you could redefine [] as an operator on all objects, perhaps that would help. Or hurt. Both, probably. That isn't what Allen proposes, though. It would have to be universal AFAICT. Thoughts?

/be


> My point is only that defensive programming is tricky even after
> you've gotten all the formal properties you need. As ES.next introduces
> various new abstraction mechanisms, whether classes, enhanced object
> literals, proxies, modules, or private names, the design of these can
> either help or hurt those attempting to write defensive abstractions. Any
> class abstraction that is only useful for making indefensible instances is
> worse than useless -- it is actively harmful, both to security and to
> serious software engineering.
> 
> You also rely on your security base framework being the first to run,
> 
> Yes, absolutely.
> 
> 
>  
> and on nobody trying to modify source on load, right?
> 
> I think the answer to this is "yes" as well, but first I should ask for clarification: source to what?
>  
> 
> Claus
> http://clausreinke.github.com/
> http://clausreinke.github.com/js-tools/
> 
> 
> 
> 
> 
> -- 
>     Cheers,
>     --MarkM
> _______________________________________________
> es-discuss mailing list
> es-discuss at mozilla.org
> https://mail.mozilla.org/listinfo/es-discuss
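
The shadowing in the tweeted call sequence and the frozen-prototype behaviour described in the reply, as an added example that is not part of the original thread. makeTable is a hypothetical reconstruction (the challenge's own table code is not on this page), and a stand-in prototype object plays the role of Array.prototype so the real global is left untouched.

```javascript
// Added illustration; makeTable is a hypothetical reconstruction, not the challenge's code.
function makeTable(freezeProto) {
  'use strict'; // assignment to an inherited read-only property throws only in strict code
  // Stand-in for Array.prototype, so the real global is left untouched.
  const proto = Object.create(Array.prototype, {
    push: { value: Array.prototype.push, writable: true, configurable: true }
  });
  if (freezeProto) Object.freeze(proto); // models a frozen Array.prototype
  const array = Object.setPrototypeOf([], proto); // private backing store
  return Object.freeze({
    store(key, value) { array[key] = value; }, // o[x] = y with a caller-chosen x
    add(value) { array.push(value); }          // looks up "push" on the instance first
  });
}

// Runs the tweeted call sequence against a table and reports what happened.
function probe(freezeProto) {
  'use strict';
  const table = makeTable(freezeProto);
  table.add('secret'); // constructed sample value held in the private store
  let leaked = null;
  let threw = false;
  try {
    table.store('push', function () { leaked = this; }); // shadows the proto method
    table.add('x'); // with a writable proto, this calls the shadowing function
  } catch (err) {
    threw = err instanceof TypeError;
  }
  return { threw, contents: leaked === null ? null : Array.from(leaked) };
}

console.log('writable proto:', probe(false));
console.log('frozen proto:  ', probe(true));
```

Outside strict code the same assignment against the frozen prototype fails silently instead of throwing: the shadowing is still blocked, but the caller gets no error.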
