> Date: Sat, 17 Apr 2010 15:19:16 +0530
> From:
> To: [email protected]; [email protected]
> Subject: [webkit-dev] Regarding malicious javascript detection
>
> Hi
>
> I have one doubt about javascript that does malicious things. Consider
> following javascript.
>
Just one? LOL. I would mention, esp. in regards to things like rendering on the UI thread, any arbitrary code can do anything without reading the mind of the author (malicious or stupid intent), and needs to be executed with no assumptions about its "goodness" in any sense and in some way it can't kill the app through programmatic means or simple resource depletion (programmatic including execution of data or calling some OS exit thing, resource depletion being stack overflow, CPU etc.).

Having stated the obvious, I would ask if there is a tutorial or links in the code to references on generally how JS is implemented - leafing through the code it looked like there was a bunch of stuff about a bytecode compiler etc. Interpreted byte code languages like Java usually can be made much more safe than native code executors but there are still issues with resource wasters that kill the entire app or machine (you get those pop-ups about "a script is causing computer to run slowly, do you want to terminate it?"). Memory waste in heap or I guess even stack, depletion of CPU, IO or even graphics resources (I swear sometimes my Java applets had problems due to underlying native graphics resource leaks that sometimes got reported as OutOfMemoryError) and other resource mis-allocations can cause lots of performance issues before a crash or lock-up occurs.

You might want to consider these "security" issues in a larger context.

>
> Above code causes exception and thereby causing crash. Though Chrome doesn't
> close. I am not sure what this script does, but I think this is something to
> do with 'throw' in JavaScript.
> Maybe something to do with overflow.
>
> My doubt is,
>
> Is there any kind of handling done for above scenario which are potential for
> hacking?
>
> I have Chrome 4.1.249.1045 (42898) on which above script crashes Chrome page.

_______________________________________________
webkit-dev mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-dev

