On 06/01/2012 06:03, Mark S. Miller wrote:
Such a built in memoization, whether by boundTo or this enhancement to bind itself, creates a fatal ambient communications channel.

    // initSES initialization, freezing all built in primordials other than the true global

    // load Alice as a confined object graph

    // load Bob as a confined object graph. Alice and Bob should not be able to communicate
    // Covert channels mean we might not be able to prevent them from communicating bits
    // But we must certainly prevent capability leaks

    Alice says

        Object.boundTo(Object).foo = capabilityBobShouldntGet;

    Bob says

        var HAH = Object.boundTo(Object).foo;

If Alice and Bob have been loaded as confined object graphs, they could both be exposed different objects for what each refers to as "Object", no? This can be applied to all objects they could have in common (at some memory cost, obviously), I think. Maybe some problems can arise when the object is not retrieved from an identifier, but when its identity is guaranteed by the language, for instance 'Object.getPrototypeOf({})'. It can probably be worked around too, but sounds more complicated.

Since Alice and Bob don't have any references in common by default, they wouldn't have a communication channel thanks to boundTo.

I think ES6 will help out more to prevent sharing the same object at lower cost with module loaders (if I understand them properly) and proxies (let Object2 = new Proxy(Object) to create the same object with a different identity).

David

PS: by the way, what does "HAH" mean?
_______________________________________________
es-discuss mailing list
[email protected]
https://mail.mozilla.org/listinfo/es-discuss
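The capability leak Mark describes and the per-graph identity mitigation David suggests, as an added example that is not code from either poster: boundTo is modelled here as a WeakMap memo returning a mutable wrapper, an assumption since no such API ever shipped, and the "confined graphs" are plain functions that only see what they are handed.

```javascript
'use strict';
// Assumed model of a memoizing Object.boundTo: the same input object always
// yields the same (mutable) wrapper object, regardless of who asks.
const memo = new WeakMap();
function boundTo(obj) {
  if (!memo.has(obj)) memo.set(obj, Object.create(null));
  return memo.get(obj);
}

// Two confined graphs, each closed over the value it knows as "Object".
function makeAlice(ObjectRef, secretCapability) {
  return { act() { boundTo(ObjectRef).foo = secretCapability; } };
}
function makeBob(ObjectRef) {
  return { probe() { return boundTo(ObjectRef).foo; } };
}

// Scenario 1: both graphs share the true (frozen) primordial Object.
// Freezing Object does not help: the memoized wrapper is a fresh, writable object.
function sharedPrimordialLeaks() {
  const capability = Object.freeze({ secret: 'alice-only' });
  const alice = makeAlice(Object, capability);
  const bob = makeBob(Object);
  alice.act();
  return bob.probe() === capability;  // true: the memo table is an ambient channel
}

// Scenario 2: David's mitigation, each graph is given its own identity for "Object"
// (a transparent Proxy here, so behaviour is unchanged but the memo key differs).
function perGraphIdentity(target) {
  return new Proxy(target, {});
}
function separateIdentitiesLeak() {
  const capability = Object.freeze({ secret: 'alice-only' });
  const alice = makeAlice(perGraphIdentity(Object), capability);
  const bob = makeBob(perGraphIdentity(Object));
  alice.act();
  return bob.probe() === capability;  // false: distinct memo entries, no channel
}

// The caveat from the thread: identities the language itself guarantees
// (Object.getPrototypeOf({}) is the same object in both graphs) stay shared
// unless they are wrapped as well.
function prototypeIdentityStillShared() {
  const a = Object.getPrototypeOf({});
  const b = Object.getPrototypeOf({});
  return boundTo(a) === boundTo(b);  // true
}
```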