<div>[+ankur, joe, arjun, shriram, ulfar, mitchell, shap]</div><div><br></div><div><br></div>On Wed, May 18, 2011 at 1:54 PM, David Bruant <span dir="ltr"><<a href="mailto:david.bruant@labri.fr">david.bruant@labri.fr</a>></span> wrote:<br>
<div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div text="#000000" bgcolor="#ffffff">
<font size="-1">Hi,<br>
<br>
This message regards Secure ECMAScript (SES) [1] (by the way, can
links like [2], [3] or [4] be added to the ses wiki page?).<br></font></div></blockquote><div><br></div><div>Good suggestion. I will do so. For your [4], SES development has moved to <<a href="http://code.google.com/p/google-caja/source/browse/trunk/src/com/google/caja/ses/">http://code.google.com/p/google-caja/source/browse/trunk/src/com/google/caja/ses/</a>>. I will update the wiki and the es-lab site to make that clear. I may not get to either until after the May meeting.</div>
<div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div text="#000000" bgcolor="#ffffff"><font size="-1">
SES requires initSES.js to run. An environment where this happens
is called "Secureable EcmaScript 5" (please correct if I
misunderstand or misuse the terminology).<br></font></div></blockquote><div><br></div><div>Ideally that would be right, and we hope will be right once browsers come into more complete ES5 conformance. The current SES development includes various so-called "kludge switches". From <<a href="http://code.google.com/p/google-caja/source/browse/trunk/src/com/google/caja/ses/es5shim.js#33">http://code.google.com/p/google-caja/source/browse/trunk/src/com/google/caja/ses/es5shim.js#33</a>>:</div>
<div><br></div></div><blockquote class="webkit-indent-blockquote" style="margin: 0 0 0 40px; border: none; padding: 0px;"><div class="gmail_quote"><div><blockquote class="gmail_quote" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0.8ex; border-left-width: 1px; border-left-color: rgb(204, 204, 204); border-left-style: solid; padding-left: 1ex; ">
/////////////// KLUDGE SWITCHES ///////////////</blockquote></div></div><div class="gmail_quote"><div><blockquote class="gmail_quote" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0.8ex; border-left-width: 1px; border-left-color: rgb(204, 204, 204); border-left-style: solid; padding-left: 1ex; ">
/////////////////////////////////</blockquote></div></div><div class="gmail_quote"><div><blockquote class="gmail_quote" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0.8ex; border-left-width: 1px; border-left-color: rgb(204, 204, 204); border-left-style: solid; padding-left: 1ex; ">
// The following are only the minimal kludges needed for the current</blockquote></div></div><div class="gmail_quote"><div><blockquote class="gmail_quote" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0.8ex; border-left-width: 1px; border-left-color: rgb(204, 204, 204); border-left-style: solid; padding-left: 1ex; ">
// Firefox, Safari, or the current Chrome Beta. At the time of</blockquote></div></div><div class="gmail_quote"><div><blockquote class="gmail_quote" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0.8ex; border-left-width: 1px; border-left-color: rgb(204, 204, 204); border-left-style: solid; padding-left: 1ex; ">
// this writing, these are Firefox 4.0, Safari 5.0.4 (5533.20.27)</blockquote></div></div><div class="gmail_quote"><div><blockquote class="gmail_quote" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0.8ex; border-left-width: 1px; border-left-color: rgb(204, 204, 204); border-left-style: solid; padding-left: 1ex; ">
// and Chrome 12.0.742.12 dev</blockquote></div></div><div class="gmail_quote"><div><blockquote class="gmail_quote" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0.8ex; border-left-width: 1px; border-left-color: rgb(204, 204, 204); border-left-style: solid; padding-left: 1ex; ">
// As these move forward, kludges can be removed until we simply</blockquote></div></div><div class="gmail_quote"><div><blockquote class="gmail_quote" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0.8ex; border-left-width: 1px; border-left-color: rgb(204, 204, 204); border-left-style: solid; padding-left: 1ex; ">
// rely on ES5.</blockquote></div></div></blockquote><div class="gmail_quote"><div><br></div><div><br></div><div>Each kludge switch indicates whether it preserves SES safety. For example, the first is:</div><div><br></div>
</div><blockquote class="webkit-indent-blockquote" style="margin: 0 0 0 40px; border: none; padding: 0px;"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0.8ex; border-left-width: 1px; border-left-color: rgb(204, 204, 204); border-left-style: solid; padding-left: 1ex; ">
<br></blockquote></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0.8ex; border-left-width: 1px; border-left-color: rgb(204, 204, 204); border-left-style: solid; padding-left: 1ex; ">
/**</blockquote></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0.8ex; border-left-width: 1px; border-left-color: rgb(204, 204, 204); border-left-style: solid; padding-left: 1ex; ">
* Workaround for <a href="https://bugs.webkit.org/show_bug.cgi?id=55537">https://bugs.webkit.org/show_bug.cgi?id=55537</a></blockquote></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0.8ex; border-left-width: 1px; border-left-color: rgb(204, 204, 204); border-left-style: solid; padding-left: 1ex; ">
*</blockquote></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0.8ex; border-left-width: 1px; border-left-color: rgb(204, 204, 204); border-left-style: solid; padding-left: 1ex; ">
* <p>This kludge is safety preserving.</blockquote></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0.8ex; border-left-width: 1px; border-left-color: rgb(204, 204, 204); border-left-style: solid; padding-left: 1ex; ">
*</blockquote></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0.8ex; border-left-width: 1px; border-left-color: rgb(204, 204, 204); border-left-style: solid; padding-left: 1ex; ">
* <p>TODO(erights): Turning on this kludge is expensive, so we</blockquote></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0.8ex; border-left-width: 1px; border-left-color: rgb(204, 204, 204); border-left-style: solid; padding-left: 1ex; ">
* should auto-detect at initialization time whether we need to on</blockquote></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0.8ex; border-left-width: 1px; border-left-color: rgb(204, 204, 204); border-left-style: solid; padding-left: 1ex; ">
* this platform.</blockquote></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0.8ex; border-left-width: 1px; border-left-color: rgb(204, 204, 204); border-left-style: solid; padding-left: 1ex; ">
*/</blockquote></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0.8ex; border-left-width: 1px; border-left-color: rgb(204, 204, 204); border-left-style: solid; padding-left: 1ex; ">
//var TOLERATE_MISSING_CALLEE_DESCRIPTOR = false;</blockquote></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0.8ex; border-left-width: 1px; border-left-color: rgb(204, 204, 204); border-left-style: solid; padding-left: 1ex; ">
var TOLERATE_MISSING_CALLEE_DESCRIPTOR = true;</blockquote></div></blockquote><div class="gmail_quote"><div><br></div><div><br></div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div text="#000000" bgcolor="#ffffff"><font size="-1">
Regarding Securable ECMAScript 5, are there particular aspects of
ES5 that would need to be tested in order to make sure not only
that initSES.js runs but also does what is expected from it?</font></div></blockquote><div><br></div><div>Yes, absolutely.</div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div text="#000000" bgcolor="#ffffff"><font size="-1"> In
other words, are there tests that could be added to Test262 in
order to help ensure an ES5 implementation is securable with
"very high" confidence? Or is the current test suite sufficient?<br></font></div></blockquote><div><br></div><div>The current test suite is not sufficient. Regarding which tests to add, a good place to start is to look at the kludge-switch doc-comments in initSES, especially those in es5shim.js. But there are a large number of other issues I've been planning to write down and turn into tests. (I've been making some progress on these in Sputnik CLs, some of which I have yet to commit.)</div>
<div><br></div><div><b>More eyeballs would help here! </b>Please read the SES sources and Ankur's paper at <<a href="http://www-cs-students.stanford.edu/~ataly/Papers/sp11.pdf">http://www-cs-students.stanford.edu/~ataly/Papers/sp11.pdf</a>> which captures the reasoning and claims about SES's security, and try to spot any assumptions we're making that are not adequately tested by test262. Especially those that might be violated by some current implementations. Thanks!</div>
<div><br></div><<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=637994">https://bugzilla.mozilla.org/show_bug.cgi?id=637994</a>> causes a huge workaround in WeakMap.js but is documented only in a doc-comment in WeakMap.js not associated with a kludge switch, because I didn't want to include both versions in initSES.js. However, the current workaround is not safety preserving for reasons documented there (the identity stealing attack).</div>
<div class="gmail_quote"><br></div><div class="gmail_quote">This all brings up another maintenance issue not specific to SES. For each spec non-conformance, it would be nice to have a site, not necessarily the "official" test262 site, where it was easy to gather associations between failing tests and the corresponding bug threads associated with the various major JS engines that have publicly accessible issue trackers. In particular, it would help answer two questions: Are there any failing tests without corresponding open bugs? And are there any open bugs not demonstrated by corresponding failing tests?</div>
<div class="gmail_quote"><br></div><div class="gmail_quote"><br></div><div class="gmail_quote">Even on a perfect Securable ES5 system, the kludge switch PATCH_MUTABLE_FROZEN_DATE_PROTO at <<a href="http://code.google.com/p/google-caja/source/browse/trunk/src/com/google/caja/ses/es5shim.js#111">http://code.google.com/p/google-caja/source/browse/trunk/src/com/google/caja/ses/es5shim.js#111</a>> would still be necessary because the bug here is in the ES5 spec, not in the implementations. In fact, AFAICT, all implementations correctly implement this part of the spec, and so faithfully create the vulnerability that the spec demands.</div>
<div class="gmail_quote"><br></div><div class="gmail_quote">This case is interesting because, even though there have been two world class efforts to formalize JS and do automated verification of security properties, where both of these efforts have pored over the ES3 and ES5 specs as a reference, and had real browsers to test against, both these efforts missed this vulnerability. In fact, I am not aware of any previous JS security work that even noticed the issue. This should *NOT* be taken as a criticism of these efforts. It's just an important lesson in the kinds of confidence we should and should not derive from the existence even of a machine checked proof of security.<div>
<br></div><div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div text="#000000" bgcolor="#ffffff"><font size="-1">
<br>
David<br>
<br>
[1] </font><font size="-1"><a href="http://wiki.ecmascript.org/doku.php?id=ses:ses" target="_blank">http://wiki.ecmascript.org/doku.php?id=ses:ses</a></font><br>
<font size="-1">[2]
<a href="http://code.google.com/p/es-lab/wiki/SecureEcmaScript" target="_blank">http://code.google.com/p/es-lab/wiki/SecureEcmaScript</a><br>
[3] <a href="http://code.google.com/p/es-lab/wiki/SecureableES5" target="_blank">http://code.google.com/p/es-lab/wiki/SecureableES5</a><br>
[4] <a href="http://code.google.com/p/es-lab/source/browse/trunk/src/ses/" target="_blank">http://code.google.com/p/es-lab/source/browse/trunk/src/ses/</a><br>
</font>
</div>
</blockquote></div><br><br clear="all"><br>-- <br> Cheers,<br> --MarkM<br>
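The PATCH_MUTABLE_FROZEN_DATE_PROTO case above is worth seeing in code. What follows is an added illustration, not code from SES, Caja, es5shim.js or anyone in this thread. It assumes only the ES5 text: Date.prototype is itself a Date object carrying an internal time value, Object.freeze() locks properties but not that internal value, so Date.prototype.setTime() on a frozen Date.prototype still changes state that every caller of Date.prototype.getTime() can read back, a hidden mutable channel between parties that were supposed to share only frozen primordials. The probe reports whether the engine it runs on has that hazard; the hardening is my own reimplementation of the idea the kludge switch describes (refuse any Date mutator whose `this` is the prototype itself), written from the thread's description rather than copied from the source. The MARKER time value and the `demo()` wrapper are constructed for the example. On an ES2015+ engine such as current Node, Date.prototype is an ordinary object and the probe already returns false; on an ES5-era engine it would return true until the hardening runs.

```javascript
// Added example (not SES/Caja code): probe for the ES5 hazard that
// Date.prototype has a mutable internal time value that Object.freeze()
// cannot lock, plus a hardening in the spirit of PATCH_MUTABLE_FROZEN_DATE_PROTO
// (reimplemented from the thread's description, not copied from es5shim.js).

const MARKER = 946684800000; // constructed value: 2000-01-01T00:00:00Z

// true  -> the engine lets Date.prototype's internal time value be written
//          and read back (exactly what the ES5 spec mandates)
// false -> the engine, or a prior hardenDatePrototype() call, refuses
function datePrototypeIsMutable() {
  const proto = Date.prototype;
  const get = proto.getTime; // looked up at call time so wrappers are seen
  const set = proto.setTime;
  let saved;
  try {
    saved = get.call(proto);                  // NaN on a conforming ES5 engine
  } catch (e) {
    if (e instanceof TypeError) return false; // ES2015+: no internal time value
    throw e;
  }
  try {
    set.call(proto, MARKER);
    const observed = get.call(proto);
    set.call(proto, saved);                   // leave no trace of the probe
    return observed === MARKER;
  } catch (e) {
    if (e instanceof TypeError) return false; // a mutator refused the prototype
    throw e;
  }
}

// Wraps every own `set*` method of Date.prototype so it throws when invoked
// with Date.prototype itself as `this`. Must run before Date.prototype is
// frozen (freezing makes the properties non-writable, so the wrappers could
// not be installed afterwards). Returns the names that were wrapped.
function hardenDatePrototype() {
  const proto = Date.prototype;
  const mutators = Object.getOwnPropertyNames(proto).filter(
    (name) => /^set/.test(name) && typeof proto[name] === 'function'
  );
  for (const name of mutators) {
    const original = proto[name];
    const wrapper = function (...args) {
      if (this === proto) {
        throw new TypeError('Date.prototype is immutable: refusing ' + name);
      }
      return original.apply(this, args);
    };
    // Keep the function surface that test262 would look at. ES5-era engines
    // may reject redefining these; the wrapper still works without them.
    try {
      Object.defineProperty(wrapper, 'name', { value: name });
      Object.defineProperty(wrapper, 'length', { value: original.length });
    } catch (e) { /* ignore: cosmetic only */ }
    Object.defineProperty(proto, name, {
      value: wrapper, writable: true, enumerable: false, configurable: true,
    });
  }
  return mutators;
}

// Runs the probe before and after hardening, checks that the prototype now
// refuses mutation and that ordinary Date instances are unaffected.
// Returns a summary object rather than printing it.
function demo() {
  const mutableBefore = datePrototypeIsMutable();
  const wrapped = hardenDatePrototype();
  const mutableAfter = datePrototypeIsMutable();
  let prototypeRefused = false;
  try {
    Date.prototype.setTime(0);
  } catch (e) {
    prototypeRefused = e instanceof TypeError;
  }
  const d = new Date(0);
  d.setFullYear(1999);
  return {
    mutableBefore,
    mutableAfter,
    wrappedCount: wrapped.length,
    prototypeRefused,
    instanceStillWorks: d.getFullYear() === 1999,
  };
}

console.log(demo());
```

The ordering matters in practice: an initialization step like initSES.js has to install wrappers of this kind before it freezes the primordials, because once Date.prototype is frozen the replacement properties can no longer be defined. The probe is also the shape of test a securability suite would want, since test262 checks that setTime on Date.prototype behaves as the spec says, which here is precisely the problem.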