
compartment-mapper: makeSecureBundle with bundled runtime and no-eval #1449

Open
wants to merge 18 commits into base: master

Conversation

@kumavis kumavis (Member) commented Jan 18, 2023

previous iterations:
modify existing bundler for ses-wrapping #1437
ensure archive machinery can bundle #1436

Must:

Should:

  • fix reference triangle in bundle-runtime
  • reduce serialization when reading from archive
  • test support of json and other modules

Could/someday:

  • init/load time stats api
  • support bundle splitting

@kumavis kumavis changed the title Secure bundler hybrid compartment-mapper: makeSecureBundle Jan 18, 2023
@kumavis kumavis changed the title compartment-mapper: makeSecureBundle compartment-mapper: makeSecureBundle with bundled runtime Jan 18, 2023
@kumavis kumavis changed the title compartment-mapper: makeSecureBundle with bundled runtime compartment-mapper: makeSecureBundle with bundled runtime and no-eval Jan 18, 2023
@kumavis kumavis force-pushed the secure-bundler-hybrid branch 5 times, most recently from c6199a7 to 7f909ed January 26, 2023 00:17
@kumavis kumavis marked this pull request as ready for review January 26, 2023 00:18
@kumavis kumavis force-pushed the secure-bundler-hybrid branch 3 times, most recently from 6236096 to e323faa February 21, 2023 17:41
return function() {
'use strict';
return (
${functorSrc}
Member

I'm not sure when's the good time to do it, but we should probably check functorSrc parses as JavaScript.

try {
  eval(`throw Error('valid');
  ${functorSrc}`);
} catch (e) {
  assert(e.message === 'valid');
}

It'd be the safest to do at runtime in case there are differences in parsing, but that's not something we want to do with end-users' CPUs, so earlier in the build process would have to suffice.

Member Author

consider 😈

  eval(`throw Error('valid');  ${functorSrc}`);

with functorSrc:

function Error () { /* attack payload */ }

browserify uses throw 'STOP';
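The parse check and the hoisting hazard from the two comments above, as an added example (not code from this PR or from the project). It keeps the thread's technique, a throw placed ahead of the source so that parsing succeeds or fails before anything in the source runs, and it adds one point the thread does not spell out: a sloppy-mode indirect eval installs function declarations hoisted out of the source onto globalThis during declaration instantiation, before the first statement executes, so even `throw 'STOP'` replaces the real `Error` unless the evaluated text is strict. The bundle wrapper on this PR is already `'use strict'`, so checking in strict mode matches the context the source will run in. `checkSourceParses`, `classify`, `probe` and the `__shadowCalled` flag are names made up for this example.

```javascript
// Added example, not code from this PR or from the project: a build-time
// "does functorSrc parse?" check in the style of the thread above, plus a probe
// showing why the guard must not resolve identifiers. checkSourceParses,
// classify and probe are names made up for this example.

// Indirect eval: the text runs as global code, not inside this scope.
const globalEval = (0, eval);

// The guard's own throw means the source parsed; a SyntaxError means it did
// not; anything else means the guard was subverted or never ran.
function classify(thrown) {
  if (thrown === 'STOP') return 'ok';
  if (thrown instanceof SyntaxError) return 'syntax-error';
  return 'unexpected';
}

// The check. 'use strict' keeps declarations hoisted out of src in a fresh
// scope instead of on globalThis (and matches the strict wrapper the bundle
// uses); the string throw resolves no identifier before src is reached.
function checkSourceParses(src) {
  try {
    globalEval(`'use strict';\nthrow 'STOP';\n${src}`);
  } catch (thrown) {
    return classify(thrown);
  }
  return 'unexpected'; // eval returned normally: the guard never executed
}

// Constructed sample source: a hoisted function declaration named Error whose
// body only records that it was invoked.
const hoistedErrorShadow = `
function Error (message) {
  globalThis.__shadowCalled = true;
  return { message };
}`;

// Evaluates one guard prefix ahead of the shadow source and reports whether
// the check passed, whether the shadow's body ran, and whether the real
// global Error was replaced. Restores the global afterwards.
function probe(prefix) {
  const RealError = globalThis.Error;
  delete globalThis.__shadowCalled;
  let verdict = 'unexpected';
  try {
    globalEval(`${prefix}\n${hoistedErrorShadow}`);
  } catch (thrown) {
    const guardHit =
      thrown === 'STOP' || (thrown != null && thrown.message === 'valid');
    verdict = guardHit ? 'ok' : classify(thrown);
  }
  const result = {
    verdict,
    shadowCalled: globalThis.__shadowCalled === true,
    globalErrorReplaced: globalThis.Error !== RealError,
  };
  globalThis.Error = RealError;
  delete globalThis.__shadowCalled;
  return result;
}

// Expected results:
//   probe("throw Error('valid');")        -> ok, shadow body ran, global Error replaced
//   probe("throw 'STOP';")                -> ok, body not run, global Error still replaced
//   probe("'use strict';\nthrow 'STOP';") -> ok, body not run, global untouched
```

The strict prefix also rejects sloppy-only syntax such as `with`, which is the right answer for a source that will be executed under the bundle's `'use strict'` wrapper anyway. This remains a build-time check only; it says nothing about a runtime host whose parser disagrees with the build host's, which is the separate concern raised later in the thread.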

@kumavis kumavis (Member Author) Mar 7, 2023

  • src is validated when creating a bundle by entrypoint, somewhere in prepareToBundle
  • added a failing test showing makeSecureBundleFromArchive not validating invalid module sources

Member

Ok, that looks solid, the only remaining concern is someone finding a way to make unzipping+parsing in the runtime host result in a different module.
e.g. we build an archive in Node and then run it in Hermes or some bespoke JS engine with an ASI implementation quirk or parsing bug that changes the AST resulting from the original text. That could be exploited fairly easily (after it's been found, which is the hard part) using the method I used when exploiting the comment in LavaMoat.

This is the only reason to consider the browserify trick at runtime. It depends on eval though and is therefore unusable for us. Unless we have a non-eval alternative the work I put into typing all this up is for nothing anyway ;)

Member

Have we censored the functorSrc at this point?

Member Author

we had not censored -- this has been fixed by running the "mandatory transforms"

@naugtur naugtur force-pushed the secure-bundler-hybrid branch from e323faa to 965ed99 March 2, 2023 11:00
@kumavis kumavis force-pushed the secure-bundler-hybrid branch 2 times, most recently from d1e922b to 97baf9e May 2, 2023 22:21
@kumavis kumavis requested review from naugtur and kriskowal May 2, 2023 22:22
@kriskowal kriskowal (Member) left a comment

Partial review for today.

Comment on lines 16 to 17
import fs from 'fs';
import url from 'url';
Member

Ocap violation. The relevant powers of these modules must continue to be threaded through the powers argument. (Are these referenced?)

Member Author

relevant comment

// these read powers must refer to the disk as we are bundling the runtime from
// this package's sources. The user-provided read powers used elsewhere refer
// to the user's application source code.
const { read } = makeReadPowers({ fs, url });

unsure how to proceed - ask the bundle for two different read powers?

Member

Probably. What are the two file systems in this case?

Member Author

  1. this repo's file system so we can bundle the secure bundler runtime
  2. the user's file system for their app
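The "two read powers" shape from the exchange above, as an added example (not code from this PR or from @endo/compartment-mapper). The point of the ocap objection is that the bundler module must not import `fs` and `url` itself; whatever file-system authority it needs arrives as arguments, so the caller decides which authority covers the runtime sources and which covers the user's application, and a test can substitute in-memory powers for both. The read-power shape assumed here is `read(locationUrl) -> Promise<Uint8Array>`; `makeMemoryReadPowers`, `makeSecureBundleWithRuntime` and `demo` are names made up for this example, and the file contents are constructed.

```javascript
// Added example, not code from this PR or from @endo/compartment-mapper: the
// bundler receives two read powers rather than importing fs/url itself.
// Assumed read-power shape: read(locationUrl) -> Promise<Uint8Array>.
// makeMemoryReadPowers, makeSecureBundleWithRuntime and demo are made-up names.

const encoder = new TextEncoder();
const decoder = new TextDecoder();

// In-memory read power over a map of file URL -> source text, so the example
// runs without disk access. Every location requested is recorded.
function makeMemoryReadPowers(files) {
  const log = [];
  const read = async location => {
    log.push(location);
    if (!(location in files)) {
      throw new Error(`ENOENT: ${location}`);
    }
    return encoder.encode(files[location]);
  };
  return { read, log };
}

// The bundler: runtimeRead reaches this package's own runtime sources,
// appRead reaches the user's application. Nothing here is ambient authority.
async function makeSecureBundleWithRuntime({
  runtimeRead,
  appRead,
  runtimeLocation,
  entryLocation,
}) {
  const runtimeSrc = decoder.decode(await runtimeRead(runtimeLocation));
  const entrySrc = decoder.decode(await appRead(entryLocation));
  // A real bundler would walk the compartment map; concatenation is enough
  // to show which power was consulted for which file.
  return `${runtimeSrc}\n// --- application entry ---\n${entrySrc}\n`;
}

// Wires two separate powers and reports what each one was asked for.
async function demo() {
  // Constructed file contents; neither map can see the other's files.
  const runtime = makeMemoryReadPowers({
    'file:///bundler/runtime.js':
      '// constructed runtime source\nconst runtime = {};',
  });
  const app = makeMemoryReadPowers({
    'file:///home/user/app/index.js':
      '// constructed app source\nconsole.log("hi");',
  });
  const bundle = await makeSecureBundleWithRuntime({
    runtimeRead: runtime.read,
    appRead: app.read,
    runtimeLocation: 'file:///bundler/runtime.js',
    entryLocation: 'file:///home/user/app/index.js',
  });
  // Cross-check: the application's power cannot reach the runtime file.
  let crossed = false;
  try {
    await app.read('file:///bundler/runtime.js');
    crossed = true;
  } catch (_) {
    // expected: the app power has no such file
  }
  return { bundle, runtimeReads: runtime.log, appReads: app.log, crossed };
}
```

In the real package the caller would build each power from a disk-backed helper in the style of the page's `makeReadPowers({ fs, url })` call, once for the repository that holds the runtime and once for the user's application; the bundler itself stays unaware of which file system is behind either argument.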

@kumavis kumavis force-pushed the secure-bundler-hybrid branch from 97baf9e to b4d2d81 May 17, 2023 20:52
@kumavis kumavis force-pushed the secure-bundler-hybrid branch from 16d0c2f to f08ae39 May 17, 2023 22:31
@kumavis kumavis force-pushed the secure-bundler-hybrid branch from f08ae39 to 8b17f6b May 17, 2023 22:44