On Thu, Dec 29, 2011 at 5:11 PM, David Bruant <bruan...@gmail.com> wrote:
[...]

> If you do not run first, the attacker can make the environment look
> like a normal one. Specifically, you can try to do
> Object.defineProperty(Object.prototype, '__proto__',
> {configurable:false}) and the attacker can later pretend that the
> property is not configurable (in response to an
> Object.getOwnPropertyDescriptor) even though it actually still is (and
> she can still change the value at convenience).


I just want to point out that SES initialization has been doing this kind
of virtualization for a long time, and depending on being able to do it
transparently enough. The most extreme example is
<code.google.com/p/es-lab/source/browse/trunk/src/ses/WeakMap.js>, where we
emulate WeakMaps with surprising efficiency on platforms that don't provide
these as built-ins.

The technique relies on unguessability and undiscoverability of a randomly
chosen property name. We virtualize freeze, seal, and preventExtensions, to
add this property before we lose our ability to do so. We virtualize
Object.getOwnPropertyNames so that it doesn't report this property, and we
make the property non-enumerable, so that it can't be discovered with
for-in, which we cannot virtualize without parsing.


-- 
    Cheers,
    --MarkM
_______________________________________________
es-discuss mailing list
es-discuss@mozilla.org
https://mail.mozilla.org/listinfo/es-discuss
