
List:       e-lang
Subject:    Re: [e-lang] SES prototype mostly working on latest Minefield,
From:       "Mark S. Miller" <erights () google ! com>
Date:       2010-08-30 23:39:46
Message-ID: AANLkTi=Ko9t3n5afGm_N3Czh2w-9kYrN1tq9DZawt=Fk () mail ! gmail ! com

On Mon, Aug 30, 2010 at 3:12 PM, Mark S. Miller <erights@google.com> wrote:

> May crash your browser or page:
> http://es-lab.googlecode.com/svn/trunk/src/ses/index.html
>
> Sources at
> http://code.google.com/p/es-lab/source/browse/trunk/src/ses/
>
> This has only been lightly tested and should **not** be relied on to have
> any security properties yet.
>
> The claim I am working up to is that, on a securable ES5 implementation (<
> http://code.google.com/p/es-lab/wiki/SecureableES5>), these scripts create
> an SES environment (<http://code.google.com/p/es-lab/wiki/SecureEcmaScript>)
> implementing the object-capability security model and solving the safe
> mashup problem (<http://code.google.com/p/es-lab/wiki/SafeMashups>).
>
> Unfortunately, since there are not yet any full browser-based
> implementations of ES5, the present state of these scripts has various
> compromises that preserve their functionality but lose security. These are
> documented in the various files under "KLUDGE SWITCHES". With these kludges,
> from *extremely* light testing, it seems to work on the latest
> * Firefox Minefield 4.0b5pre,
> * Safari WebKit Nightly Version 5.0.1 (5533.17.8, r66356), and
> * Chromium beta 6.0.490.0 (3135).
> As soon as I get my VMWare installation fixed, I'll test on the IE9 preview
> as well. Opera 10.61.8429 does not yet implement Object.getOwnPropertyNames,
> so I can't even test there.
>
> This implementation of SES cannot run on ES5/3 (<
> http://code.google.com/p/google-caja/wiki/DifferencesBetweenES5Over3AndES5>)
> as is because of the lack of a client side eval. The current plan is to
> support SES5/3 directly, rather than porting these scripts to run on ES5/3.
>
> Like ADsafe, this is all implemented by a lightweight client-side library,
> with no server-side support needed. Minified, the total size of the download
> comes in under 5k.
>

Minified and gzipped that is.



> Because it does not parse or transform code, aside from calls to "eval" or
> the "Function" constructor, the untrusted code runs at full speed and with
> no code expansion. Due to various transient problems, the safe eval is
> currently called "eval2" and "eval" remains unsafe.
>
> Interestingly, this library contains a surprisingly faithful emulation of
> WeakMaps on ES5 browsers that don't support WeakMaps directly (<
> http://code.google.com/p/es-lab/source/browse/trunk/src/ses/WeakMap.js#326
> >).
>
> --
>     Cheers,
>     --MarkM
>



-- 
    Cheers,
    --MarkM



