Lecture series on SES and capability-based security by Mark Miller

Mark S. Miller erights at google.com
Fri Nov 4 18:36:43 PDT 2011

On Fri, Nov 4, 2011 at 10:33 AM, Axel Rauschmayer <axel at rauschma.de> wrote:

> How about:
>    function Bob(t) {
>        var stolenArray;
>       var hackedPush = function() {
>           stolenArray = this;
>       };
>       t.store("push", hackedPush);
>       t.add(0);
>       console.log(stolenArray);
>    }
>     Bob(makeTable());

Yes, that is precisely the attack I had in mind. Congrats!

As Dave Herman discovered, it works on v8 but not on SpiderMonkey due to a
known bug in v8 that I had forgotten was a bug. According to the ES5.1
spec, you can't override a non-writable data property with a simple
assignment. I had always considered this an unfortunate annoyance and
irrelevant to security, but in this case it did happen to accidentally
prevent an attack.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.mozilla.org/pipermail/es-discuss/attachments/20111104/396b1419/attachment-0001.html>

More information about the es-discuss mailing list