►
From YouTube: Hardened JavaScript
Description
An introduction to hardened JavaScript, which makes eval safe.
A
Software
has
a
long
tradition
of
increasing
interactivity
by
sending
programs
from
servers
to
clients
from
the
vt-100
terminal
to
the
web
browser
and
even
arguably,
the
pattern
of
installing
any
networked
software
all
increase
interactivity.
They
increase
interactivity
by
eliminating
expensive
round
trips
between
the
user
and
the
service.
They
risk
increasing
vulnerability
because
the
user
must
be
able
to
run
arbitrary
programs
from
strangers
on
the
internet.
A
More.
So,
if
said,
programs
are
in
a
turing-complete
language,
we
aim
to
create
interactive
software
while
avoiding
vulnerability
to
have
interactivity.
We
need
to
be
able
to
run
other
people's
programs
but
running
other
people's
programs
is
dangerous
and
some
people
will
even
tell
you
that
you
shouldn't,
but
I'm
here
to
tell
you
that
you
can
run
other
people's
programs
safely.
A
A
It
is
no
accident
that
we
rely
on
javascript
to
run
arbitrary
programs
off
the
internet.
The
language
is
designed
to
run
in
a
sandbox
web
browsers
are
user
agents.
They
mediate
interaction
between
the
programs
provided
by
strangers
and
their
access
to
the
user's
resources.
Javascript
mitigates
vulnerability
when
there
are
only
two
parties-
the
stranger
and
the
user.
This
interaction
model
works
with
the
sandbox,
because
the
strangers
program
is
welcome
to
ruin
the
sandbox
for
itself
and
cannot
wreak
havoc
beyond
the
boundary
that
exists
between
the
user
agent
and
the
isolated
program.
A
However,
the
notion
that
there
are
only
two
parties
involved
in
a
web
page
is
a
rapidly
deteriorating
fiction.
Every
end
of
a
modern
web
application.
Even
a
centralized
monolith
mixes
the
conflicting
motivations
of
myriad
agents,
the
user,
the
service,
their
advertisements,
their
vendors
and
their
attackers,
and
while
we
might
find
some
comfort
in
the
security
boundaries
at
our
firewalls
or
authenticated
asynchronous
communication
over
encrypted
connections,
those
boundaries
will
not
protect
us
from
the
dependencies.
We
entrain
from
our
favorite
package
management
system.
A
When
there
are
three
or
more
parties
interacting
in
a
sandbox,
then
sandbox
is
not
sufficient.
When
one
stranger
can
pollute
the
environment,
the
other
stranger
becomes
vulnerable
and
the
strangers
can
attract
attack
each
other
directly
at
the
user's
expense
for
three
or
more
parties
to
interact.
We
need
a
solid
foundation,
not
a
box
of
sand
and
in
a
world
where
we
can
safely
create
interaction
involving
any
number
of
strangers.
A
A
Imagine
you
serve
data
and
want
to
allow
clients
to
be
able
to
make
arbitrary
queries
on
that
data.
Without
transmitting
all
of
the
data.
You
arrange
for
a
client
to
send
a
program
to
the
data.
Instead
of
the
data
to
the
program,
we
typically
use
hobbled
programming
languages
for
this
kind
of
interaction.
A
To
avoid
making
the
service
vulnerable
to
these
programs
in
javascript,
you
might
naively
evaluate
an
arbitrary
javascript
query,
but
with
the
soft
and
malleable
version
of
the
javascript
language,
the
query
receives
far
too
much
power.
It
can
read
database
from
scope.
It
can
call
any
method
of
any
object
in
scope.
It
can
modify
any
mutable
variable
and
scope.
It
can
install
a
thunk
on
the
prototype
of
a
popular
method.
It
can
add
a
proxy
to
the
prototype
of
the
global
object.
A
It
can
load
your
powerful
networking
module
and
exfiltrate
your
secret
burger
sauce
recipe
in
javascript.
You
run
other
people's
programs
using
an
evaluator
contrary
to
popular
wisdom.
Eval
is
not
evil
and
I
can
prove
it.
The
levenshtein
distance
between
eval
and
evil
is
not
zero,
even
if
you
give
it
a
discount
for
vowel
substitution,
but
like
evil,
eval
comes
in
many
forms.
The
oldest
and
most
perilous
form
is
direct
evil.
Where
the
program
you
run
inherits
the
caller's
scope.
A
A
A
A
The
subtle
eval
is
the
function
constructor
which
compiles
a
program
and
runs
it
in
a
closure
scope
parented
on
global
scope.
In
this
case,
the
siren
song
sets
nan
to
a
very
special
number.
Just
like
real
nands
eval
can
be
subverted
in
many
ways,
mostly
by
exploiting
the
pervasive
mutability
of
the
javascript
environment.
A
A
Now
we
can
turn
that
pervasive
mutability
in
upon
itself
taming
hardening
the
runtime
environment,
making
it
suitable
for
multi-tenant
programs
hardened
javascript,
like
goal
before
it
is
divided
into
three
parts.
Lockdown
harden
and
compartment,
lockdown
prepares
hard
and
defends
and
compartments.
Isolate
with
these
three
devices.
Programs
are
not
automatically
safe,
but
have
ground
to
stand
on
to
defend
their
own
design.
A
A
A
A
The
host
environment
still
has
access
to
lots
of
powerful
objects,
maybe
even
powerful
modules,
and
can
delegate
these
powers
to
child
compartments
within
a
compartment.
Prototype
pollution
attacks
through
the
shared
intrinsics
are
not
possible
and
the
harden
function
is
available
for
programs
to
prevent
prototype
pollution
on
their
own
objects.
A
A
The
application
arranges
to
call
lockdown
once
as
early
as
possible
in
the
program's
life,
because
lockdown
itself
is
vulnerable
to
all
code
that
runs
before
it.
The
application
then
arranges
for
a
compartment
in
which
to
run
queries,
because
this
compartment
is
shared
by
multiple
parties
and
contains
no
modules.
We
then
freeze
the
compartments
global,
then,
because
we
want
to
be
able
to
inject
individual
items
into
the
scope
of
the
query.
We
capture
a
copy
of
the
safe
function
constructor
from
within
the
compartment
and
use
that
to
compile
queries.
A
A
They
also
cannot
stage
a
man-in-the-middle
attack
or
exploit
re-entrance
by
polluting
the
shared
array
prototype
and
they
can't
reach
the
file
system,
much
less
grief
it
or
worse.
They
do
not
have
access
to
the
powerful
modules
or
other
forms
of
what
we
call
ambient
authority.
Powerful
objects
laying
around
for
any
part
of
your
program
to
use
the
most
common
approach
to
creating
sandboxes
relies
on
a
coarser
boundary
called
a
realm
like
a
same
origin
iframe,
or
what
nodejs
and
v8
call
a
vm
context
with
these
approaches.
A
Each
tenant
program
gets
their
own
unique
set
of
primordials
like
their
own
array.
Constructor.
The
approach
is
fraught
with
a
number
of
inconveniences,
but
most
notably
identity,
discontinuity.
The
array
from
one
realm
is
chemically
incompatible
with
the
array
from
another
and,
ultimately,
while
separate
realms
can
defend
explicitly
partitioned
programs.
You
may
find
that
the
enemy
is
already
within
the
gate.
A
A
These
dependencies
run
with
all
the
same
power
as
the
three
percent
that
orchestrates
the
whole,
and
if
that
does
not
give,
you
pause,
consider
that
engines
like
node.js
implement
most
of
their
powerful
apis
in
the
same
realm
as
the
programs
that
they
run
our
partners
at
metamask
built
a
tool
called
lava
mode
on
top
of
hardened
javascript.
That
allows
them
to
limit
the
attack
surface.
They
expose
to
third-party
dependencies
all
the
way
from
their
front
end
to
the
build
tooling
during
development.
A
Together
we
are
building
a
tool
called
endo
that
demonstrates
how
hardened
javascript,
including
its
asynchronous
compartment-based
module
system,
can
be
used
to
host
many
applications
designed
without
foreknowledge
of
hardened
javascript.
We
at
agorik
and
members
of
the
sess
community
are
pursuing
standardization
of
hardened
javascript,
but
you
need
not
wait.
We
have
built
a
shim
that
implements
lockdown
harden
and
compartment
with
very
high
fidelity,
and
if
you
are
targeting
embedded
systems,
particularly
moddable's
xs
javascript
engine
implements,
these
features
natively
for
agoric
hardened
javascript
is
the
foundation
that
allows
us
to
safely
and
deterministically
run.
A
Smart
contracts
to
us
hardened
javascript
is
part
of
a
decentralized
operating
system
where
we
use
promises,
as
proxies
for
remote
objects.
The
skewing
heavy
rpc
frameworks
in
favor
of
a
synchronous
message
passing
between
hardened
objects,
where
we
can
arrive
at
consensus
through
a
replicated
log
of
these
messages
and
deterministic
javascript
replay
with
moddable's
xs
javascript
engine.
We
can
even
snapshot
running
programs
and
resume
them
later,
not
even
necessarily
on
the
same
host.
A
A
I
like
exciting
projects
to
me,
an
exciting
project
has
three
noteworthy
traits.
First,
it
is
evident
that
if
the
project
succeeds,
almost
everything
naturally
comes
to
depend
on
it,
and
the
new
world
is
bigger,
more
cooperative,
safer
or
accessible
than
the
old
one.
The
project
would
cause
a
cambrian
explosion
of
diversity
in
activity.
A
A
people
at
that
time
would
say:
javascript
doesn't
need
module
system
manually,
topo,
sorting,
script
tags
has
always
worked,
and
it
always
will
and
manually
sorting
script.
Tags
was
adequate
for
all
of
the
software
made
at
that
time.
In
no
small
part,
because
it
was
the
only
kind
of
software
you
could
make,
but
it's
not
obvious
on
the
near
side
of
a
hill.
A
Of
course,
I've
poured
my
soul
into
hundreds
of
projects
that
never
saw
the
light
of
day,
but
based
on
my
experience
with
javascript
modules
and
promises,
I
think
you're
likely
to
hear
about
hardened
javascript
again.
The
purpose
of
hardened
javascript
is
to
realize
this
cambrian
increase
in
software
diversity
by
allowing
a
greater
degree
of
cooperation
between
programs.