Clarification, I was using ValueSerializer to mean the whole component consisting of ValueSerializer & ValueDeserializer, so, both sides. Though, ValueDeserializer is of course more fragile because the input is raw bytes.
On Thu, Jun 29, 2023, 19:23 'James Snell' via v8-dev <v8-dev@googlegroups.com> wrote:

> I've implemented some fuzzing also for ValueDeserializer and so far have only found a couple of minor issues (e.g. for some randomized inputs it seems it is possible for `ValueDeserializer::ReadValue()` to return an empty `MaybeLocal` without throwing, and sometimes when it does throw `tryCatch.Exception()` is empty (which we treat as equivalent to `!tryCatch.CanContinue()`). Beyond that, so far, our fuzzing hasn't found anything else with `ValueDeserializer`.
>
> I'm far less concerned about `ValueSerializer`, to be honest.
>
> On Thursday, June 29, 2023 at 10:17:43 AM UTC-7 Marja Hölttä wrote:
>
>> I'd say it's "best effort secure".
>>
>> In some use cases (levelDB), ValueSerializer reads data stored on disk, and those bytes could be corrupted. Our intention is that no matter what the data is, ValueSerializer should not crash (it should fail gracefully). If this is not the case, please file bugs. (However, this invariant has turned out to be invalid several times. We've fixed all bugs we're aware of, but there might be some more lurking here.)
>>
>> We also have fuzzers which exercise it via the d8 serializer API, roughly like this:
>>
>>     data = d8.serializer.serialize(some_object);
>>     data[some_index] = something else;
>>     d8.serializer.deserialize(data);
>>
>> However, ValueSerializer is not fuzzed and tested as thoroughly as our general JavaScript execution parts of V8, so, I wouldn't regard it equally secure. Use at your own risk.
>>
>> On Thu, Jun 29, 2023 at 4:39 PM 'James Snell' via v8-dev <v8-...@googlegroups.com> wrote:
>>
>>> Oh, and to be clear, our intent here is to implement the same API that Node.js currently exposes.
>>>
>>> ```
>>> import { serialize, deserialize } from 'node:v8';
>>>
>>> const data = serialize({ a: 'foo' });
>>> const value = deserialize(data);
>>> ```
>>>
>>> ```
>>> import { Serializer, Deserializer } from 'node:v8';
>>>
>>> const ser = new Serializer();
>>> ser.writeHeader();
>>> ser.writeValue({ a: 'foo' });
>>>
>>> const des = new Deserializer(ser.releaseBuffer());
>>> des.readHeader();
>>> console.log(des.readValue());
>>> ```
>>>
>>> On Thursday, June 29, 2023 at 7:28:44 AM UTC-7 Kenton Varda wrote:
>>>
>>>> Hi v8-dev,
>>>>
>>>> We (Cloudflare Workers team) are wondering how V8 feels about the security of the ValueDeserializer API. Do you believe it's safe to parse possibly-malicious input with this? My understanding is that Chrome does not provide any way to input attacker-controlled bytes to the API today, so wasn't sure if it's designed for that.
>>>>
>>>> I ask because we'd like to expose V8 serialization in Cloudflare Workers for compatibility with Node.js, which already exposes this. But our threat model is very different from Node, such that we care a lot more about the security of the V8 sandbox.
>>>>
>>>> Relatedly, is ValueDeserializer covered by fuzzing today?
>>>>
>>>> Thanks,
>>>> -Kenton
>>>>
>>> --
>>> v8-dev mailing list
>>> v8-...@googlegroups.com
>>> http://groups.google.com/group/v8-dev
>>> ---
>>> You received this message because you are subscribed to the Google Groups "v8-dev" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an email to v8-dev+un...@googlegroups.com.
>>> To view this discussion on the web visit https://groups.google.com/d/msgid/v8-dev/d468377d-1f45-40eb-ba75-06d519fbe609n%40googlegroups.com
>>>
>>
>> --
>> Google Germany GmbH
>> Erika-Mann-Straße 33
>> 80636 München
>>
>> Managing directors: Paul Manicle, Liana Sebastian.
>> Registration court and number: Hamburg, HRB 86891
>> Registered office: Hamburg
>>
>> This e-mail is confidential. If you received this communication by mistake, please don't forward it to anyone else, please erase all copies and attachments, and please let me know that it has gone to the wrong person.