Additional data point:

saelo@ just pointed out we also had security bugs where the payload was
well formed but caused V8 to get confused while receiving it, e.g.,
https://bugs.chromium.org/p/chromium/issues/detail?id=1412487 (now public).

----

Does all this answer your Value(De)Serializer questions or is there more
information you'd like to have on this topic?




On Fri, Jun 30, 2023 at 12:26 PM 'Samuel Groß' via v8-dev <[email protected]> wrote:

> We added this fuzzer some time last year:
> https://github.com/googleprojectzero/fuzzilli/blob/700f669a1d38b787968229f7d7ab2a4d0a7bf2b7/Sources/FuzzilliCli/Profiles/V8Profile.swift#L278
> and it found another handful of issues fairly quickly, but nothing ever
> since. I don't think there is too much room for improvement there.
> ValueSerializer is an attack surface in Chrome as it potentially allows
> for a site isolation bypass if a compromised renderer process can
> compromise other renderer processes by sending malicious ValueSerializer
> data.
>
> Cheers!
> Samuel
>
> On Fri, Jun 30, 2023 at 11:33 AM Leszek Swirski <[email protected]>
> wrote:
>
>> [email protected] <[email protected]>, do we have good fuzzing for
>> ValueDeserializer? If not, should we expand it?
>>
>> On Thu, Jun 29, 2023 at 9:05 PM Ben Noordhuis <[email protected]> wrote:
>>
>>> On Thu, Jun 29, 2023 at 4:28 PM 'Kenton Varda' via v8-dev
>>> <[email protected]> wrote:
>>> >
>>> > Hi v8-dev,
>>> >
>>> > We (Cloudflare Workers team) are wondering how V8 feels about the
>>> security of the ValueDeserializer API. Do you believe it's safe to parse
>>> possibly-malicious input with this? My understanding is that Chrome does
>>> not provide any way to input attacker-controlled bytes to the API today, so
>>> I wasn't sure if it's designed for that.
>>> >
>>> > I ask because we'd like to expose V8 serialization in Cloudflare
>>> Workers for compatibility with Node.js, which already exposes this. But our
>>> threat model is very different from Node, such that we care a lot more
>>> about the security of the V8 sandbox.
>>> >
>>> > Relatedly, is ValueDeserializer covered by fuzzing today?
>>> >
>>> > Thanks,
>>> > -Kenton
>>>
>>> Single data point but I got paid $15k last year for
>>> https://bugs.chromium.org/p/chromium/issues/detail?id=1339648 so on
>>> the one hand, it's great it's covered by the VRP program, on the other
>>> hand I wasn't even actively looking and still stumbled upon a fairly
>>> critical bug. Probably a risky bet in a multi-tenant system like
>>> Workers.
>>>
>>> (I realize "VRP program" is like saying "ATM machine" but I still do it.)
>>>
>>> --
>>> --
>>> v8-dev mailing list
>>> [email protected]
>>> http://groups.google.com/group/v8-dev
>>> ---
>>> You received this message because you are subscribed to the Google
>>> Groups "v8-dev" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>> To view this discussion on the web visit
>>> https://groups.google.com/d/msgid/v8-dev/CAHQurc89pAEYYq_zNjiMjEVmdoXmV4Ao39ZfrqhcpCY09mX3SQ%40mail.gmail.com
>>> .
>>>


-- 

Google Germany GmbH

Erika-Mann-Straße 33

80636 München


Managing directors: Paul Manicle, Liana Sebastian.

Court of registration and registration number: Hamburg, HRB 86891

Registered office: Hamburg



This e-mail is confidential. If you received this communication by mistake,
please don't forward it to anyone else, please erase all copies and
attachments, and please let me know that it has gone to the wrong person.
