Hi Marja, Yes, this has been very helpful. Thanks!

My takeaway is that a year or two ago, exposing ValueDeserializer to attacker-controlled bytes would indeed have been unwise, but these days it seems like it's getting similar scrutiny to the rest of V8.

-Kenton

On Tue, Jul 4, 2023 at 8:29 AM 'Marja Hölttä' via v8-dev <v8-dev@googlegroups.com> wrote:
> Additional data point:
>
> saelo@ just pointed out we also had security bugs where the payload was well formed but caused V8 to get confused while receiving it, e.g., https://bugs.chromium.org/p/chromium/issues/detail?id=1412487 (now public).
>
> ----
>
> Does all this answer your Value(De)Serializer questions or is there more information you'd like to have on this topic?
>
> On Fri, Jun 30, 2023 at 12:26 PM 'Samuel Groß' via v8-dev <v8-dev@googlegroups.com> wrote:
>> We added this fuzzer some time last year: https://github.com/googleprojectzero/fuzzilli/blob/700f669a1d38b787968229f7d7ab2a4d0a7bf2b7/Sources/FuzzilliCli/Profiles/V8Profile.swift#L278 and it found another handful of issues fairly quickly, but nothing ever since. I don't think there is too much room for improvement there. ValueSerializer is an attack surface in Chrome as it potentially allows for a site isolation bypass if a compromised renderer process can compromise other renderer processes by sending malicious ValueSerializer data.
>>
>> Cheers!
>> Samuel
>>
>> On Fri, Jun 30, 2023 at 11:33 AM Leszek Swirski <lesz...@chromium.org> wrote:
>>> +sa...@chromium.org, do we have good fuzzing for ValueDeserializer? If not, should we expand it?
>>>
>>> On Thu, Jun 29, 2023 at 9:05 PM Ben Noordhuis <i...@bnoordhuis.nl> wrote:
>>>> On Thu, Jun 29, 2023 at 4:28 PM 'Kenton Varda' via v8-dev <v8-dev@googlegroups.com> wrote:
>>>> >
>>>> > Hi v8-dev,
>>>> >
>>>> > We (Cloudflare Workers team) are wondering how V8 feels about the security of the ValueDeserializer API. Do you believe it's safe to parse possibly-malicious input with this? My understanding is that Chrome does not provide any way to input attacker-controlled bytes to the API today, so I wasn't sure if it's designed for that.
>>>> >
>>>> > I ask because we'd like to expose V8 serialization in Cloudflare Workers for compatibility with Node.js, which already exposes this. But our threat model is very different from Node, such that we care a lot more about the security of the V8 sandbox.
>>>> >
>>>> > Relatedly, is ValueDeserializer covered by fuzzing today?
>>>> >
>>>> > Thanks,
>>>> > -Kenton
>>>>
>>>> Single data point, but I got paid $15k last year for https://bugs.chromium.org/p/chromium/issues/detail?id=1339648, so on the one hand, it's great it's covered by the VRP program; on the other hand, I wasn't even actively looking and still stumbled upon a fairly critical bug. Probably a risky bet in a multi-tenant system like Workers.
>>>>
>>>> (I realize "VRP program" is like saying "ATM machine" but I still do it.)
>>>>
>>>> --
>>>> v8-dev mailing list
>>>> v8-dev@googlegroups.com
>>>> http://groups.google.com/group/v8-dev
>>>> ---
>>>> You received this message because you are subscribed to the Google Groups "v8-dev" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send an email to v8-dev+unsubscr...@googlegroups.com.
>>>> To view this discussion on the web visit https://groups.google.com/d/msgid/v8-dev/CAHQurc89pAEYYq_zNjiMjEVmdoXmV4Ao39ZfrqhcpCY09mX3SQ%40mail.gmail.com.
>
> --
>
> Google Germany GmbH
> Erika-Mann-Straße 33
> 80636 München
>
> Managing directors: Paul Manicle, Liana Sebastian.
> Registration court and number: Hamburg, HRB 86891
> Registered office: Hamburg
>
> This e-mail is confidential. If you received this communication by mistake, please don't forward it to anyone else, please erase all copies and attachments, and please let me know that it has gone to the wrong person.

To view this discussion on the web visit https://groups.google.com/d/msgid/v8-dev/CAJouXQ%3D6DExYmSMcgtVUGjZDemfYT73113mzvrhzQ2EHiVEraw%40mail.gmail.com.