On Thu, Dec 29, 2011 at 5:11 PM, David Bruant <bruan...@gmail.com> wrote: [...]
> If you do not run first, the attacker can make the environment look
> like a normal one. Specifically, you can try to do
> Object.defineProperty(Object.prototype, '__proto__', {configurable:false})
> and the attacker can later pretend that the property is not configurable
> (in response to an Object.getOwnPropertyDescriptor) even though it
> actually still is (and she can still change the value at convenience).

I just want to point out that SES initialization has been doing this kind of virtualization for a long time, and depending on being able to do it transparently enough. The most extreme example is <code.google.com/p/es-lab/source/browse/trunk/src/ses/WeakMap.js>, where we emulate WeakMaps with surprising efficiency on platforms that don't provide these as built-ins.

The technique relies on the unguessability and undiscoverability of a randomly chosen property name. We virtualize freeze, seal, and preventExtensions to add this property before we lose our ability to do so. We virtualize Object.getOwnPropertyNames so that it doesn't report this property, and we make the property non-enumerable so that it can't be discovered with for-in, which we cannot virtualize without parsing.

-- 
Cheers,
--MarkM
_______________________________________________ es-discuss mailing list es-discuss@mozilla.org https://mail.mozilla.org/listinfo/es-discuss