edbrowse-dev - development list for edbrowse
 help / color / mirror / Atom feed
* [edbrowse-dev] sharing and security
@ 2021-03-21 21:34 Karl Dahlke
  2021-03-23  7:39 ` Adam Thompson
  0 siblings, 1 reply; 2+ messages in thread
From: Karl Dahlke @ 2021-03-21 21:34 UTC (permalink / raw)
  To: edbrowse-dev

[-- Attachment #1: Type: text/plain, Size: 3319 bytes --]

This is just me thinking out loud.

Let's say we share the Table class in the master window mw$.
I don't have to replicate it and its methods for every web page.
Saves time and memory etc. All good.

There's an addRow method, which of course, adds a row to the table.
I wrote it, and web pages can use it.
Let's say your bank uses it to dynamically add a row to a table.
An evil web developer can write a phishing page that looks harmless, maybe just information about kangaroos.
It replaces my addRow with its own addRow function.
	mw$.Table.prototype.addRow = evil_addRow();
It starts with this(object) and works up through parentNode until it gets to document.
Then it looks at document.location to see if it is juicy.
Maybe a banking site.
It traverses the tree looking for a login form.
If it's really lucky, and it can try this again and again without you knowing it, it might find the login form.
Using xhr, it sends login and password back to a server in China somewhere.
Even more valuable is your routing and account numbers, which are probably somewhere on the page.
Whence the dude in China can withdraw money from your account by ACH.
After all that snooping, it calls the original addRow, my addRow, so it does what it did before and doesn't look any different.
You don't notice a thing.

Ok, I defend against that by making the addRow method not writable, not deletable.
Remember the second part cause they could remove mine and then replace it with theirs.
I can do that in javascript and it's not reversible. All good.

But, addRow lives in the Table.prototype object.
What if they remove the entire prototype object and replace it with theirs,
with all the methods I use to have, some of theirs boobytrapped.
So I make prototype not writable and not deletable.

The original class Table has to be not writable and not deletable, or they could replace the entire Table class in mw$ with their own.

Let's say I've done all that.
If I make one mistake of omission, if I forget one method in the DOM,
let's say I forgot deleteRow.
evil.com notices that I forgot that.
They install their own deleteRow in mw$.Table.prototype.
This method does all the hijacking, then deletes the row consistent with my framework.
It does what I should have done.
Remember they can read my open source and know exactly how all this works.
Well I can't guard against that.
In every operating system you can make a directory readonly, but nothing like that in javascript.
If the prototype object exists, and you can see it, you can add something to it.
Maybe you can't change what's there, but you can add to it.
So we would have to be 100% perfect, with a function or at least a stub for every method that exists,
and we would have to stay current with this as the DOM evolves,
cause if we don't, a shared class opens up a security risk.

That's how it looks to me anyways.

Do you follow what I'm saying?

No wonder every browser writes all its classes in C, thus shared at a level that can't be hijacked;
but of course we don't have the manpower to do that.
And if we did, we are, at that point, heavily invested in an engine;
I couldn't just switch engines in a couple weeks as I just did with quick.

That's my discouraging thought for the day.

Karl Dahlke

^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: [edbrowse-dev] sharing and security
  2021-03-21 21:34 [edbrowse-dev] sharing and security Karl Dahlke
@ 2021-03-23  7:39 ` Adam Thompson
  0 siblings, 0 replies; 2+ messages in thread
From: Adam Thompson @ 2021-03-23  7:39 UTC (permalink / raw)
  To: Karl Dahlke; +Cc: edbrowse-dev

On Sun, Mar 21, 2021 at 05:34:21PM -0400, Karl Dahlke wrote:
> This is just me thinking out loud.
> 
> Let's say we share the Table class in the master window mw$.
> I don't have to replicate it and its methods for every web page.
> Saves time and memory etc. All good.

Agreed, if we can do so safely.

[...]

> If the prototype object exists, and you can see it, you can add something to it.
> Maybe you can't change what's there, but you can add to it.
> So we would have to be 100% perfect, with a function or at least a stub for every method that exists,
> and we would have to stay current with this as the DOM evolves,
> cause if we don't, a shared class opens up a security risk.

Does it also open us up to any other unintended interaction (e.g.  someone
getting their hands on our prototype object somehow without using our shared
window object)? I simply don't know js well enough to know if there's any
way to get hold of an object's prototype from the object or, in a browser
context, its own window and for that to cascade to other windows if one does that.

> That's how it looks to me anyways.
> 
> Do you follow what I'm saying?
> 
> No wonder every browser writes all its classes in C, thus shared at a level that can't be hijacked;
> but of course we don't have the manpower to do that.
> And if we did, we are, at that point, heavily invested in an engine;
> I couldn't just switch engines in a couple weeks as I just did with quick.
> 
> That's my discouraging thought for the day.

Even if I'm concerned about nothing above, your security explanation makes
perfect sense (unfortunately).  I'm not sure of the best way around this
other than not to share classes.  This'd suck a bit from a performance
perspective (and possibly others) however it'd mean we had a somewhat better
isolation model from a security perspective.

In the spirit of coming up with an overly positive take on this; at least
we're thinking of security and getting to a point where this matters.
That's a good, if work-intensive, thing.

Cheers,
Adam.


^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2021-03-23  7:39 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-03-21 21:34 [edbrowse-dev] sharing and security Karl Dahlke
2021-03-23  7:39 ` Adam Thompson

edbrowse-dev - development list for edbrowse

This inbox may be cloned and mirrored by anyone:

	git clone --mirror http://inbox.vuxu.org/edbrowse-dev

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V1 edbrowse-dev edbrowse-dev/ http://inbox.vuxu.org/edbrowse-dev \
		edbrowse-dev@edbrowse.org
	public-inbox-index edbrowse-dev

Example config snippet for mirrors.
Newsgroup available over NNTP:
	nntp://inbox.vuxu.org/vuxu.archive.edbrowse.dev


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git