memory safety and weak references
oliver at apple.com
Tue Mar 26 20:44:59 PDT 2013
On Mar 27, 2013, at 1:56 PM, David Herman <dherman at mozilla.com> wrote:
> Interestingly, I wonder if the idea of only collecting weak references between turns is immune to such attacks, since it's not possible to have a bogus reference on the stack between turns, where there is no stack.
If you could induce an integer with a controlled value to be on the stack between turns (not entirely inconceivable), it may be attackable, but once you're talking about a fixed number of samples per _turn_, I suspect the time required renders the attack infeasible.
That said, I believe that this does kill any dreams I may have had w.r.t. primitive-keyed WeakMaps; kudos to MarkM.
> On Mar 26, 2013, at 5:55 PM, David Herman <dherman at mozilla.com> wrote:
>> Patrick Walton sent me this link to a fascinating approach to exploiting weak references in engines using conservative stack scanning to discover the address of objects:
>> I don't fully grok all the details, but IIUC the attacker sprays the heap with objects that it holds weak references to, synthesizes a fake reference as an integer, triggers a conservative GC, and then uses the state of the weak references to figure out which object lived at that address. As a concrete example of how this can be used to do bad things: in conjunction with an exploit that allows jumping to an arbitrary memory location, this would effectively enable arbitrary code execution.
>> One immediate takeaway: Mark deserves serious kudos, because Dionysus was not able to figure out how to use this attack on WeakMaps. He explicitly mentions the work on WeakMaps and credits them for having been well designed for security. Well done!
>> But we need to take this into account as we consider what to do about weak references in ES7.
>> es-discuss mailing list
>> es-discuss at mozilla.org