►
From YouTube: Report on Realms Shim Security Review
Description
As given to tc39 meeting July 2018
A
Okay,
so
this
is
your
report
on
the
realm
realms
shim
security
review.
The
people
have
the
security
review.
Are
all
people
you're
familiar
with
from
these
pieces
39
meetings,
the
secured
review
was
mainly
collaboration
between
Salesforce
and
cleric,
but
I
also
want
to
thank
all
the
continuing
work
on
realms
and
the
weekly
meetings
on
realms
and
on
security
script.
A
A
The
realms
background
is
basically
saying
the:
what
and
the
why
will
motivate
wine
realms
are
interesting
to
us
why
it's
worth
spending
all
this
work
producing
Shin
the
shim
talk
will
be
how
it's
possible,
how
it
is
that
we've
actually
implemented
it
so
that
it
works
on
browsers
today,
without
the
need
for
any
further
web
standards
being
accepted,
and
then
the
weather
will
cap,
which
is
the
security
review,
will
capture
whether
this
thing
is
ready
for
production
use.
Now,
I
want
to
stress
this,
because
this
is
different
than
what
is
normally
called
the
shin.
A
A
On
realms
I'm
going
to
be
reviewing
it
in
terms
of
the
API
as
implemented
by
the
shim,
which
has
diverged
from
the
spec
and
will
be
coming
back
to
that
issue
later
some
terminology,
the
Eggman
scripts
standard
mandates
that
there
is
a
whole
bunch
of
objects
that
exist
before
any
code
starts
right.
So
the
objects
that
are
mandated
to
exist
by
atmospheric
before
code
starts
running
setting.
C
A
Of
those
prime
orioles
most
are
replaceable
by
initialization
code
code.
It
runs
first,
so
the
code
that
was
afterwards
that
thinks
it's
run.
First
sees
the
environment
created
by
those
replacements,
but
there
are
some
objects
that
are
reachable
by
syntax.
So,
no
matter
what
you
do
to
the
initial
environment,
if
you
evaluate
an
object,
literal
you
get,
you
get
something
inherits
from
object,
dot,
prototype,
etc.
So
we
call
everything:
that's
reachable
directly
by
syntax
undeniable
and
the
global
object
is
the
route
pointing
into
some
set
of
these.
A
A
A
There
are
no
pointers
back
to
the
global
object
from
the
other
primordial
x',
a
sign
from
the
evaluators
and
the
evaluators
give
access
to
the
primordial
by
evaluating
code
within
the
scope
of
the
global
object,
so
the
function
constructor
and
the
eval
function
where
they
evaluate
code.
They
reach
the
global
object
in
order
to
bind
the
top-level
this
in
order
to
look
up
global
variable
names,
variables
that
occur
freely
in
the
string
that
they're
evaluated.
A
Today,
the
platforms
already
support
the
creation
of
multiple
realms
on
the
browser.
The
same
words
my
frames
in
node
by
VM,
created
contacts
and
looking
at
just
the
JavaScript
portion
of
these
new
realms.
Each
of
these
realms
is
born
completely
isolated
from
everything
else,
except
the
only
initial
connectivity
is
that
the
Creator
over
the
realm
has
access
to
each
of
the
realms
they've
created
all
further
connectivities.
Bootstrap
from
that.
A
When
computing
across
multiple
realms
there's
a
phenomenon
that
we've
been
referring
to
as
identity
discontinuity,
it
becomes
very,
very
tricky
and
accident-prone
to
actually
write
code.
That
has
a
foot
in
multiple
realms
because
of
the
problems
illustrated
here.
For
example,
if
code
in
the
realm
here,
labeled
alice
simply
execute
a
evaluates.
An
array
literal
it'll,
create
an
array
narrating
from
her
array
prototype.
A
So
now
to
be
to
the
actual
behavior
of
the
realms
proposal,
as
represented
by
the
current
Shiv
API,
if
Alice
in
one
realm
one
says
make
root
realm,
make
root.
Realm
essentially
creates
something
like
the
realm
creations
that
we
saw
today,
except
that
it
also
creates
a
new
realm
object
that
represents
them
year
round.
So
on
the
right,
we
have
the
new
realm
Bob
that
was
created
by
analysis,
action.
A
A
The
realms
created
by
this
means
have
no
host
options.
They
have
nothing,
that's
not
mandated
to
exist
by
the
JavaScript
stack,
so
these
things
start
off
genuinely
with
no
connectivity
other
than
the
fact
that
Alice
by
being
the
creator,
has
connectivity
into
it.
This
means
that
realms
are
a
perfect
sandbox.
A
A
Addition
we
have
a
mate
compartment,
a
route
realm
and
a
compartment
or
both
kinds
of
realms.
If
a
compartment
is
the
realm
shown
here
as
Carol
and
the
characteristic
of
the
compartment
is
that
it
shares
most
of
the
primordial
with
the
route
realm
that
made
it.
So
the
only
new
objects
that
were
allocated
in
order
to
create
a
compartment
are
the
new
Carol
realm
instance
object
the
object
that
enables
Bob
to
manipulate
the
realm,
as
well
as
a
new
global
object,
is
per
compartment
and
a
set
of
evaluators,
in
particular.
A
A
All
of
the
compartments
within
that
root
realm
are
now
protected
from
each
other.
They
cannot
interact
because
everything
they're
sharing
is
completely
locked
out.
So
this
gives
us
featherweight
protection
domains,
just
a
few
objects
allocated
for
all
for
an
entire
protection
domain,
and
it
means
that
if
these
protection
amazed
are
introduced,
they
have
no
identity,
discontinuity,
a
array
allocated
by
Carol
and
executing
one
of
her
evaluators
when
shared
with
Dave
another
compartment
made
in
the
same.
C
A
A
A
A
A
This
could
need
this
code
to
work
on
if
they
work
on
secure
light,
so
I'm
going
to
show
you
the
heart
of
the
realm,
the
the
core
mechanism,
which
is
that
it
has
to
intercept
all
attempts
to
access
a
free
variable
when
you
evaluate
code,
the
free
variables
are
looked
up
somewhere
normally
on
the
global
lexical
scope
in
the
global
object,
and
our
mission
is
to
intercept
all
of
those
lookups
so
that
we
can
confine
all
the
effects.
So
we
can
make
these
featherweight
protection
domains
and
protect
them
from
each
other.
A
Furthermore,
we
want
to
bring
this
about
without
cursing
the
adversaries
code.
That
means
the
parsing
the
code
that
we're
confining
and
without
rewriting
it
so
without
parsing
or
rewriting.
We
want
to
be
able
to
take
dr.
Evil's
string
and
just
evaluated
within
one
of
these
compartments
and
know
know
that
it
cannot
cause
any
effect
that
we
did
not
authorize
it
to
cost.
In
addition-
and
we
need
this
to
be
fast
because
once
again,
there
are
large
companies
planning
to
move
a
lot
of
code
onto
this,
much
of
which
is
actually
existing
legacy.
A
A
These
eight
magical
lines
of
code
are
the
heart
of
the
realm
ship.
This
is
sort
of
the
core
mechanism
that
brings
about
all
of
the
rest
of
the
magic
I'm
using
the
funny
graphical
effect
here
is
it
indicate
the
two
levels
of
a
template
literal,
but
the
template.
Literal
aspect
here
only
has
to
do
with
the
optimizer
if
it's
inserting
the
optimizer,
which
is
beyond
the
scope
of
the
talk.
So
if
we
drop
that
optimizer
out
and
it's
equivalent
to
just
this
function,.
A
During
this
talk,
which
is
to
think
about
direct
eval
as
a
dynamic,
inline
anti
quote,
you
take
the
Kazi
code
at
the
top
here,
where
you've
got
quoted
code
and
then
you've
got
any
value
around
the
quoted
code
and
for
most
purposes
not
for
all
purposes.
It
acts
like
the
code
at
the
bottom,
as
if
the
contents
of
the
string
were
just
spliced
in
into
a
block
at
the
bottom
there.
The
magic
of
directive
L
is
that
the
string
that's
being
spliced
in
could
be
a
computed
string.
C
A
B
A
Here
trapped
me
if
I'm,
if
I'm
misunderstanding
here
but
argument
zero
here
are
the
arguments.
I
can
only
be
the
arguments
by
which
the
it's
immediately
containing
function
was
invoked
because
they're
creating
they're
created
fresh
and
therefore
they
can't
have
a
property
named
arguments
because
they're
not
initialized
to
and
there's
no
outside
access
to
the
rocket.
This.
A
A
A
A
E
A
One
thing
I'm
not
recovering
the
talk,
there's
certainly
in
the
code,
and
we
do
a
lot
of
head-scratching
during
interview
about
it
is
we
actually
do
make
use
of
unskilled
balls
in
the
same
bangs
mechanism?
So
in
any
case,
the
reason
we're
using
arguments
is
because,
since
we're
using
a
direct
eval
down
at
the
bottom
to
evaluate
dr.
Evil's
string,
any
variables
that
we
brought
into
scope
would
be
in
scope
has
seen
by
dr.
Evil's
string.
So
we
don't
want
to
name
our
arguments
because
we
don't
want
to
expose
our
internal
mechanism
to
dr.
A
So
what
we
do
with
these
nested
functions
is
we
apply
the
outer
function
to
a
proxy
that
we
refer
to
as
the
scope
proxy,
so
we're
doing
a
width
or
naproxen.
We
take
what
what
that
application
returns,
which
is
the
inner
function,
and
we
invoke
it
on
the
user's
sir
string,
but
we
also
pass
to
that
inner
function.
Invocation
as
it's
this
argument,
we
pass
the
object
that
we
want
dr.evil
to
see
as
its
global
object.
So
this
is
how
we
provided.
A
A
A
Invoking
objects
that
have
this
connectivity
structure,
the
width
proxy's
with
on
the
scope
Roxy
the
result
of
having
the
width
on
proxy
is
any
free
variables
that
are
looked
up
that
are
not
found
before
you
get
to
the
whiff
construct
are
trapped
by
the
proxy
and
are
trapped
to
the
scope
handler
and
the
scope
handler
receives
the
scope
target
dynamically.
Every
time
it
gets
trapped.
A
A
There
is
an
extremely
puzzling
problem
regarding
the
unsafe
eval,
which
is
the
name.
Eval
must
be
bound
to
the
most
dangerous
object
of
the
universe
in
the
lexical
scope
within
which
the
source
string
is
being
evaluated.
So
at
the
same
time,
we
have
to
put
it
in
that
scope,
but
we
have
to
deny
it
to
the
to
the
code
being
evaluated.
So
we
do
that
with
a
peculiar
mechanism
and
the
scoped
handler
that
the
first
time
it
craps
on.
A
A
These
are
comparisons
of
a
few
bench
fronts
of
Iran.
These
are
all
preliminary.
We
need
a
lot
better
work
measuring
this
was
kind
of
done
in
a
rush
for
this
presentation,
but
we're
getting.
The
shin
is
first
of
all,
vastly
faster
than
the
old
SES
in
Cobb,
and
not
only
that,
but
we
have
not
yet
measured
a
slowdown
compared
to
native
code.
A
We're
getting
actually
the
bizarre
result
that
four
measurements
so
far
the
shim
seems
to
be
faster,
but
we
don't
believe
it
yet
and
I'm
not
encouraging
anybody
else
to
believe
it,
but
so
far
key
thing
is
that
for
the
typical
case,
lookups
that
don't
go
through
the
proxy,
we
have
not
seen
any
slowdown.
The
thing
about
not
going
through
the
proxy
is
the
typical
case
for
reasons
of
the
optimizer
which
I'm
not
going
into
right
now.
I
think.
A
Yeah,
okay,
the
whole
thing
I
mean
the
the
subset
that
we
were
able
to
do
to
shim
there's
a
lot
of
the
realm
API.
That
includes
features
that
we
simply
cannot
share
with
that
person,
but
everything
that
we
need
for
production
sake
used
today.
That's
subset
of
the
functionality
of
the
realm
spec
is
what
the
applies.
A
A
A
So
sales
force
right
now
has
in
production
code
using
the
same
core
mechanism.
This
this
ship
is
actually
very
much
derived
from
a
lot
of
the
work
that
Salesforce
did
as
well
as
work
from
the
cob
project
and
both
Salesforce
and
comm
was
readers
who
tested
across
a
number
of
platforms.
Cobs
much
older,
doesn't
strength,
doesn't
use
more
modern
features,
but
the
Salesforce
implementation
does
so.
The
answer
is
no,
but
we're
not
too
scared
about
that
right
now,
but
clearly
we
need
to
go
so.
B
A
Ok,
so
the
findings,
the
the
the
scary
review,
many
of
which
were
surprises-
is
that,
in
order
to
write
the
code
of
the
shin
so
that
we
were
confident,
we
preserved
safety.
What
we
did
was
we
essentially
encoded
into
our
names,
a
1-bit
type
system
just
wish,
which
is
what
we
saw:
a
distinguishing
red
and
green
objects
where
the
red
objects
are
objects.
That
should
never
be
exposed,
and
there
was
an
obvious
graph
conductivity
in
varying
between
the
green
and
as
we
were
coding
it.
A
We
found
even
for
our
very,
very
careful
code
implementing
the
shim
that
we
kept
ripping
ourselves
up
on
again,
tedious
continuities
trying
to
program
in
the
face
of
of
standing
with
one
foot
in
two
different
realms
and
doing
anything.
Interesting,
I
didn't
use
continuities
just
kept
whacking
us
on
the
side
of
the
hat
they're
really
hard.
A
We
don't
support
modules,
get
in
the
shin,
but
we
are,
but
by
virtue
of
outside
tools
like
roll-up,
which
can
transform
coding
ahead
of
time,
we
can
accommodate.
We
do
accommodate
code
written
to
modules
well
enough
for
our
current
purposes,
and
we
don't
need
to
trust
roll-up
at
all
completely
the
whatever
that
transformation
is
doing
is
outside
of
our
trust
boundary.
A
It
turns
out
that
under
measurement
we
were
very
surprised
that
secure
meta
programming
is
free,
that
it
costs
us
nothing
while
providing
us
the
safety,
the
the
shim
is
essentially
secure
and
useful,
now
modulus
and
qualifications,
and
there's
a
process
issue
that
I
want
to
express
for
tc39,
which
is
there.
Sometimes
people
take
a
lot
of
wonderful
perspective,
process-wise
between
spec
and
shrimp.
The
shin
is
supposed
to
follow
from
the
spec,
and
in
fact
we
should.
We
should
avoid
waterful
here,
just
like
we
do
in
software
engineering
elsewhere.
A
A
In
any
other
ways,
we
still
need
to
set
up
a
responsible
disclosure
process,
offer
bugs
bounties
for
bugs
and
prove
correctness,
etc.
So
one
did
type
system.
We
verified
the
separation
by
writing
the
graph
Walker.
We
we
were
very
very
happy
to
see
that
that
our
transitive
graph
Walker
under
testing
did
not
find
any
inherent
leakage
that
we
could
already
know
to
suspect.
A
This
is
code.
This
is
code
from
the
realm
specs
readme,
so
this
was
written
to
explain
in
terms
of
the
old
realm
spec
API,
how
to
custom
on
how
Alice
can
customize
Bob's
route
and
it
turns
out.
This
is
one
of
the
places
where
we
found
cross
realm
leakage
by
virtue
of
trying
to
operate
across
realms,
so
we
ended
up
rejecting
the
old
API,
the
specified
API
as
the
means
for
which
for
one
realm
to
customize
another.
A
D
A
Okay,
okay,
thank
you.
So
we
don't
support
modules
directly
in
the
shim.
Yet
there
are
some
discussant.
There
are
some
ideas
in
proposed
specifications,
primarily
by
Dave,
Herman
and
great.
You
know
that
looked
quite
wonderful
to
us,
but
we
doubt
that
we
can
succeed
assuming
them
accurately
without
parsing.
So
right
now,
it's
beyond
the
scope
of
what
we're
trying
to
achieve,
however,
because
the
needed
transfer
source
transformations
on
modules
that
we
need
in
order
to
accommodate
them
are
outside
our
trust
boundary.
A
Okay,
the
our
conclusions
are
that
the
shim
is
safe
and
useful
enough
for
production
work
to
get
started
building
on
top
of
it
that
gets
small,
solid
and
fast.
The
entire
realm
Shin
is
less
than
some
100
Wisie
code,
even
with
limited
time
to
repeat
that
the
entire
round
chin
is
less
than
seven
hundred
lines
of
code,
they're
very,
very
highly
reviewed.
At
this
point
we
spend
a
lot
of
time
reviewing
them
and
going
over
the
code.
We've
been
writing
lots
of
tests.
Last
time
we
measured.
A
It
was
ninety
percent
test
coverage,
there's
without
obviously
the
incorporating
a
parser
and
trusting
the
parser.
We
completely
blow
our
ability
to
be
confident
that
what
we
don't
do
to
secure
a
person
would
be
much
much
larger
than
the
entire
motion,
and
there
was
one
thing
in
JavaScript
that
we
cannot
do
correctly
without
a
genuine
purser,
which
is
prohibited
the
importance
pressure.
A
So
instead
you
wrote
a
conservative
reg
X
that
we
believe
will
catch
all
the
importance
pressures,
but
you
will
also
in
order
to
reject
them,
but
it
will
also
catch
by
import
expressions
that
occur
inside
comments
or
quoted
strings.
So
it's
safe,
but
it's
not
quite
conformant,
but
and
also
because
once
your
even
the
evaluated
code,
we
substitute
you
now
that
they
see
the
valve
it's
impossible
within
the
shim
to
support
direct
eval.
So
the
shim
is
not
a
self
hosting.
You
can't
run
the
shim
in
the
shin
because
you
don't
have
directive
Alan.
A
The
other
thing
is
process
wise,
even
though
we
can
do
it
all
at
user
level
right
now.
What
we
cannot
do
purely
from
the
outside
is
maintain
and
safety
as
the
spec
evolves.
We
have.
We
have
to
enumerate
all
of
the
bed,
denials
and
all
of
the
evaluators,
including
all
of
the
new
function,
constructors.
As
the
committee
and
new
undeniable
czar
as
new
evaluators,
we
have
no
idea
whether
it's
impossible
to
write
one
stable
piece
of
code
now
that
will
maintain
its
security
in
the
face
of
those
additions
to
the
spec.
So
that's
why?
A
A
Please
try
the
challenge
and
if
you
find
bugs,
please
report
them
if
you
find
bugs
that
you
even
suspect
might
be
security
relevant
and
for
this
thing,
I
think
any
bugs
should.
First
of
all,
it
should
be,
if
you
don't
know
otherwise,
suspected
security
relevant.
Please
report
the
bugs
responsibly
on
the
challenge
page
and
on
the
readme
for
the
shin
you'll
find
links
to
responsibly
disclosed
box
wow
thanks.
D
A
The
ability
evaluator
is
doing
first.
What
I
meant
is
we
want
to
avoid,
including
a
person
written
in
JavaScript,
so
we
want
to
avoid
person
at
the
user
level
if
there
was
a
bundle
in
cursor
in
the
platform
that
we
could
use
to
parse,
then
again,
we
can
accurately
reject
the
importance
Russian,
but
we
need
we
need
some
kind
of
help
from
from
the
platform
in
order
to
reject
the
important
special
factor.