Interestingly, I wonder if the idea of only collecting weak references between 
turns is immune to such attacks, since it's not possible to have a bogus 
reference on the stack between turns, where there is no stack.

Dave

On Mar 26, 2013, at 5:55 PM, David Herman <dher...@mozilla.com> wrote:

> Patrick Walton sent me this link to a fascinating approach to exploiting weak 
> references in engines using conservative stack scanning to discover the 
> address of objects:
> 
>    https://github.com/justdionysus/gcwoah
> 
> I don't fully grok all the details, but IIUC the attacker sprays the heap 
> with objects that it holds weak references to, synthesizes a fake reference 
> as an integer, triggers a conservative GC, and then uses the state of the 
> weak references to figure out which object lived at that address. As a 
> concrete example of how this can be used to do bad things: in conjunction 
> with an exploit that allows jumping to an arbitrary memory location, this 
> would effectively enable arbitrary code execution.
> 
> One immediate takeaway: Mark deserves serious kudos, because Dionysus was not 
> able to figure out how to use this attack on WeakMaps. He explicitly mentions 
> the work on WeakMaps and credits them for having been well designed for 
> security. Well done!
> 
> But we need to take this into account as we consider what to do about weak 
> references in ES7.
> 
> Dave
> 
> _______________________________________________
> es-discuss mailing list
> es-discuss@mozilla.org
> https://mail.mozilla.org/listinfo/es-discuss

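A toy model of the two collection policies discussed in this thread, added here as an illustration; it is not code from the thread or from the gcwoah repository. It assumes a heap where only the stack is scanned conservatively and where the state of weak references is the only signal an attacker can observe; `ToyHeap` and `probe` are constructed names.

```python
# Constructed toy model of an engine heap: a conservative stack scan treats any
# stack word equal to an object address as a root, and weak references are
# either cleared at every GC or only at the end of a turn (Dave's proposal).
class ToyHeap:
    def __init__(self, clear_weak_only_between_turns):
        self.between_turns_only = clear_weak_only_between_turns
        self.objects = set()      # addresses of allocated objects
        self.weak = []            # weak refs: target address or None once cleared
        self.next_addr = 0x1000

    def alloc(self):
        addr = self.next_addr
        self.next_addr += 0x40
        self.objects.add(addr)
        return addr

    def weak_ref(self, addr):
        self.weak.append(addr)
        return len(self.weak) - 1

    def gc(self, stack_words):
        # Conservative marking: every stack word that looks like an address is a root;
        # in this toy nothing else holds objects strongly.
        self.objects = {w for w in stack_words if w in self.objects}
        if not self.between_turns_only:
            self._clear_dead_weak()

    def end_of_turn(self):
        # Between turns there is no stack, so no word can pin an object.
        self.gc(stack_words=())
        self._clear_dead_weak()

    def _clear_dead_weak(self):
        self.weak = [a if a in self.objects else None for a in self.weak]

    def surviving_weak(self):
        return [i for i, a in enumerate(self.weak) if a is not None]


def probe(clear_weak_only_between_turns, spray=8, guess=0x1000 + 3 * 0x40):
    """Spray weakly held objects, leave the integer `guess` on the stack, force a
    GC mid-turn, and return (weak refs still set mid-turn, weak refs still set
    after the turn). A lone survivor mid-turn reveals which object sits at `guess`."""
    heap = ToyHeap(clear_weak_only_between_turns)
    for _ in range(spray):
        heap.weak_ref(heap.alloc())          # no strong reference is kept
    heap.gc(stack_words=(guess,))            # the guess is the only "root"
    mid_turn = heap.surviving_weak()
    heap.end_of_turn()
    return mid_turn, heap.surviving_weak()
```

With immediate clearing the mid-turn observation singles out one sprayed object, which is the address oracle; with clearing deferred to the turn boundary the model shows every weak reference in the same state at every observable point.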