Re: [JS-internals] Taint analysis in SpiderMonkey

Sun, 01 Sep 2013 01:07:13 -0700

Oh, this thread isn't dead, I hope - it's waiting for me to pull my benchmark results together and post them... which I expect to get to this coming week. 

"Waiting for data" != "dead"

-----Original message-----
From: Ivan Alagenchev <alagenc...@gmail.com>
To: dev-tech-js-engine-internals@lists.mozilla.org, Mark Goodwin <mgood...@mozilla.com>, j...@mozilla.com 
Cc: Jan de Mooij <jandemo...@gmail.com>
Sent: 2013 Aug, Thu, 29 21:05:40 GMT+00:00
Subject: Re: [JS-internals] Taint analysis in SpiderMonkey

I am going to be that guy - resurrecting a dead thread :-)

I just watched the jalangi video and while I sincerely liked the overall
idea, I have several reservations that I would like to list here.

First, I am concerned about the record replay approach. I don't know how
practical it will be for us to expect web developers
to use a two step system like that. My belief is that the more difficult we
make a security tool for people to use, the less likely it is
that it's going to be used.

At some point in the talk he briefly mentioned that jalangi has issues with
ecmascript 5. More evaluation would be necessary to
determine if that would be problematic.

My other concern is that this is still an academic project. This means that
it's not going to be ready for serious use and issues will arise.
How do we resolve any problems? Can we rely on the authors to go in and fix
bugs for us? Is that going to happen in a time frame that
wouldn't add risk to our project? The upside is that this is an open source
project, so theoretically someone can go in and fix issues, but
that will most likely be a difficult endeavor. If I had to chose, I would
prefer working solely in spider monkey, so that way I know that should
I have an issue, I can run to the lovely folks on #jsapi than having to go
to a third party for help.

Jalangi does not come without a performance penalty - he cites a 20x
performance decrease. Jim has done some work on benchmarking
what I currently have. It would be interesting to se

_______________________________________________
dev-tech-js-engine-internals mailing list
dev-tech-js-engine-internals@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-js-engine-internals

Reply via email to