►
From YouTube: Preserve Host Virtualizability
Description
Original plan was to go for stage 1 at Dec 2019 meeting. But not enough time for full presentation.
A
So
Preserve
host
virtualize
ability
there
is
this
concept
that
we're
familiar
with
from
hardware
design
and
operating
system
design,
which
is
a
virtual
izybelle
machine.
There's
a
seminal
paper
or
early
in
the
history
of
operating
systems.
Talking
about
the
criteria
for
getting
the
separation
of
user
mode
instructions
versus
the
system,
mode
architecture
right
so
that
you
have
a
cleanly
virtual
eyes
upon
machine
and
the
essential
thing
is
that
the
user
mode
instructions
can
only
do
internal
computation.
A
They
cannot
interact
with
the
external
world
and
then
the
system
mode
architecture
has
system
mode
instructions
and
has
a
trapping
mechanism.
So
when
user
mode
computation
does
something
outside
of
user
mode,
it
traps
to
the
system
mode
and
then
that
in
turn
is
the
only
thing
that
has
direct
access
to
devices.
Oh
I'm,
sorry
and
the
amazing
thing.
A
Similarly,
our
the
the
browser,
the
global
the
global
scope,
lookup,
is
the
means
provided
by
the
language
for
JavaScript
code
to
reach
host
objects
hosts
by
and
large,
have
stayed
with
that
disappoint.
Thank
you.
I've
stayed
with
that
discipline
so
that
the
so
that
JavaScript
code
that
wants
to
influence
the
outside
world
looks
up
host
objects
by
name
in
the
global
scope
in
order
to
reach
through
the
host
into
effect,
whatever
the
outside
world
is
that
that
host
is
for
and
then
in
the
operating
system
world.
A
Likewise
because
of
the
global
scope
lookup,
if
you
can
intervene
in
the
global
scope,
lookup
one
realm
code
in
one
round
can
completely
virtualize
the
environment
as
seen
by
another
realm,
so
that
just
like
this
process
operating
in
the
virtualized
environment,
set
up
by
the
first
process,
sees
a
different
thinks.
It's
running
under
a
different
system
on
architecture,
with
a
different
set
of
devices
and
a
different
operating
system
in
like
manner.
A
We
are
almost
perfect
at
being
able
to
have
JavaScript
code
act
like
host
to
other
JavaScript
code,
so
that
you
can
emulate
on
one
house
the
environment
for
another
house,
and
if
we,
if
we
fix
the
remaining
shortfalls
here,
then
we
will
have
a
much
better
ability
to
emulate
that
leads
to
all
sorts
of
benefits.
Besides
the
obvious
security
benefits,
there's
also
a
lot
of
reproducibility
and
testing
benefits
mocking
benefits.
This
is
basically
the
this
sort
of
the
you
know.
God's
mocking
system,
there's
various
threats
to
virtualize
ability
a
for
example.
A
The
spec
allows
hosts
to
add
dangerous
operations
to
array.prototype
array.prototype.
If
it
did
that,
there's
no
way
too
hot.
If
it
did
that
and
it
made
them
non,
configurable
non
writable
data
properties,
there's
absolutely
nothing.
A
shim
can
do
to
prevent
attacker
code
from
using
the
dangerous
things.
So
these
are
things
no
host
does
the
dominant
effect
of
the
proposal
is
to
outlaw
dangerous
things
that
currently
no
house
does
anyway,
because
it's
only
once
you've
outlawed
them
that
it's
part
of
the
semantics
that
they're
not
there
and
then
only
once
they're
part
of
the
semantics.
A
Can
a
formalization
of
the
semantics
prove
the
security
properties
that
the
fact
that
we
already
have
because
hosts
don't
do
this?
There
is
a
variety
of
other
threats
to
virtualize
ability,
all
of
which
I
would
like
to
address,
and
given
the
limited
time,
does
anybody
object
to
this
advancing
to
stage
0.2.