Restricted Eval
On Nov 1, 2007 3:46 PM, Kris Zyp <kriszyp at xucia.com> wrote:
It's a sandbox, right? Should be safe. Not so fast:
last they gave up. rexec was removed from the language. I know of no
Utilizing a sandbox is not a new concept to JavaScript. Browsers create a sandbox every time there is a frame from a different domain.
Kris,
That sandbox has been very carefully designed and implemented--and reimplemented--over a period of decades by people who specialize in the field. I don't want to get too far into it, but it's seriously not the best analogy. The browser sandbox is complex and nuanced. It's nontrivial to see why it's secure. It exposes rather a lot of objects. There are many potential holes that are specially plugged. I don't know about other browsers, but at Mozilla we still haven't reduced the pace of vulnerabilities to zero, and these guys have been at it for some time now. (This year--2007, mind you--saw significant new work on Mozilla's sandboxing model. Not a joke.)
What you're talking about is a simple sandbox-construction scheme. You would want it to be the opposite of the browser sandbox in a lot of respects. You would want it to be simple, trivially secure, exposing a small surface of attack, devoid of special cases, and with zero vulnerabilities by construction. All of which may be possible--I hear .NET has some easy, high-level sandboxing APIs--but browser vendors' JavaScript experience doesn't necessarily translate.
But the only point I was trying to make was that providing a fun eval(s, obj) and encouraging users to "roll their own" sandboxes would be irresponsible.
BTW, If only string information was allowed to flow between, this would not be nearly as difficult, right?
Urrrr, I'm not sure, but anyway that isn't the feature people are asking for. Sandboxes are useful because they expose limited functionality--meaning objects and methods--to untrusted code.
I'd better stop here, because I'm not an expert on this.
But the only point I was trying to make was that providing a fun eval(s, obj) and encouraging users to "roll their own" sandboxes would be irresponsible.
Point taken, you are right. I still hope that some type of sandboxing can be developed though.
With the complexity of creating and verifying a sandboxing eval that allows shared mutable objects with some degree of safety, is it conceivable that ES4 could alternately pursue sandboxed eval through a shared nothing construct? I remember that Brendan mentioned that Google Gears approach is a good model, but that it would be premature to standardize. I agree standardizing on the actual Gears API would be strange, however, wouldn't taking a shared nothing approach to sandboxing (using messaging) like gears (but with our own API) be a safer and easier to analyze approach to sandboxing and more reasonable in terms of time constraints for inclusion in ES4 than the scopable eval? Shared nothing techniques are hardly a new PL concept, albeit I am sure it is still not a trivial addition. Just thinking about what it could look like:

mySandbox = new Environment(myScriptToSandbox);
onmessage = function(message : string) {...}
mySandbox.sendMessage("start");

And of course, it seems hard to resist the temptation to entertain the hope that this could be a possible API for adventurous implementors to use for a concurrency construct (use the same API for ConcurrentEnvironment), which could advise ES5's work on concurrency.
Kris
Utilizing a sandbox is not a new concept to JavaScript. Browsers create a sandbox every time there is a frame from a different domain. With hacks, these sandboxes can even pass information between each other. Fragment identifier takes the safer road with string only message passing. Subspace is another hack that allows real objects to be passed. Of course the challenge is providing a safer, easier mechanism for sandboxing with meaningful communication, and providing it at the language level. I think I am seeing how some of the different aspects of the language are different parts of putting the puzzle together. But sandboxing itself is not unexplored territory with JS implementors. BTW, If only string information was allowed to flow between, this would not be nearly as difficult, right?
Kris