Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
Agoric / SES / 13 Apr 2023
Agoric / SES / 13 Apr 2023
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: SES Meeting: Import Reflection, WASM, and CSP

Description

Discuss the relationship of CSP (Content Security Policy) with the compilation and instantiation of WASM and ESM Import Reflection.

A

Mathieu hofman:, it will be here.

A

Mathieu hofman: all right., so today we will be talking about modules, csv and wasn't. source module, with, and guys here to give us an update on.

A

Mathieu hofman: from the modules. call that happened. Yesterday.

A

Mathieu hofman: right?.

B

Guy bedford: sure. I'm going to share my screen, and I don't have a presentation or anything,, but I can at least work through an example that helps to illustrate some of this stuff.. But I've been kind of like.

B

Guy bedford: trying to work out around this mainly the question is that.

B

Guy bedford: we've thrown around in discussions for both js source modules and webassembly source modules, which are already running on the web. Today.

B

Guy bedford:, you know this idea that guy bedford: this can integrate into csp. checks at various levels, and we need to.

B

Guy bedford:, I guess.

B

Guy bedford:, as we've been talking about this and and about it from a security perspective., we need to,. I guess, trying to.

B

Guy bedford: refine what we mean by that and and what security properties are in play., and so the hope is to try and flesh out some of that.

B

Guy bedford:- and we do have this example today with webassembly,, where.

B

Guy bedford:, a web assembly,, don't module, objects is a structure, clonable module object that represents a source, or whatever some resource.

B

Guy bedford: that can be transferred.

B

Guy bedford: and executed in these other environments. and as we've been talking about js modules as well through the input reflection proposal where it has this origin information, we've been thinking, about.

B

Guy bedford:, if that origin is tied to the source where you get the module from., so you you,, you know they've got some kind of secure process that gives you this module. you're thinking, of.

B

Guy bedford:, the import system is as a as a capability resource provider for the compiled module, and once you've got it,. That module represents the capability to execute that module.

B

Guy bedford: and when you transfer it you're transferring the capability to execute that module and and webassembly already does all of this., except it doesn't support any.

B

Guy bedford: content security. Policy., apart from just the global policy which is, you can either evaluate web assembly or you can't. and as we think about more fine grained content security policies., the question comes up.

B

Guy bedford:, can you guy bedford:, only permit certain origins, and only only certain wide listed modules that that are able to be executed?.

B

Guy bedford: and then how does that interact with the transfer process? because you can potentially have. and I frame with a different content security policy.

B

Guy bedford: than the mainframe., and if you're passing this thing around., how do those checks get integrated?? So the first question: was, well,? What does webassembly do?.

B

Guy bedford: and then the second question is like,: how? How can we integrate this into the work that we're doing.

B

Guy bedford: on js source,, which is very much,, falls under the room of the compartments? work and and questions around that, and.

B

Guy bedford:, at least for what we're doing with import reflection. right now. the question is,. Are we going to put some kind of stamp on this module that you get back, that that we need to now do for webassembly.

B

Guy bedford: and and figure that story out., that's the question: I've been grappling with, and I can dive into a bit here, and.

B

Guy bedford:, as far as I'm away., that's that's on topic for the discussions we're having here around modules. I. If, if anyone wants to.

B

Guy bedford: share any thoughts on that,, but that that's kind of the direction that I've taken and trying to research. This.

B

Guy bedford: mark., I know you had particular questions about modules that you wanted to discuss.. I hope this is something that's clarifying as as we work it through, and I think it will be a useful thing to work. Through.

B

Guy bedford: yeah, so.

B

Guy bedford:, I can., I can get it to the example. sure.

A

Mathieu hofman:: it's everyone here sufficiently familiar with consent, security policy.,.

C

Mark s. miller, (mm, agoric):- I don't know that I would ever say I'm sufficiently,, but I'm so familiar enough with it to know what the topic is.

C

Thomas greco:, I echo that.

B

Guy bedford: okay,, I just posted it guy bedford: simple example into the chat, and I'll, I'll, just run it through now.

B

Guy bedford: to show how the policy can can work. well,. Basically what what.

B

Mark s. miller, (mm, agoric):, could you use a larger font, or you know, shrink your window or something.

C

Mark s. miller, (mm, agoric):- I noticed that as projected it was it's okay,. That's wonderful. thank you.

B

Guy bedford: right. so on this example: I'm. defining a content, security policy for the main page.

B

Guy bedford: that is, allowing guy bedford: scripts to be executed.

B

Guy bedford: self,, as in from the same origin as this page itself.

B

Guy bedford:, so I don't want to allow any other domains to execute code.

B

Guy bedford: and I'm also adding the wise amongsts for file, which,. As soon as you turn on content. security policy., you're not allowed to execute wisdom at all.

B

Guy bedford:, unless you, I was some unsafe of all. and that's the only way to execute western today.

B

Guy bedford: and then I've got a normal module.

C

Mark s. miller, (mm, agoric): with,. I think the 2 levels already appear in wisdom,, even without the the integration.

C

Mark s. miller, (mm, agoric):, there is the turning. turning so text into a as a module, and there's instantiating as a module.

C

Mark s. miller, (mm, agoric):, which one does,, what does the wisdom? csp. controls,, throttle, or both.

B

Guy bedford:, they both apply to the compilation phase,, because there is an overload of the instantiation function, which can also do compilation,, and it was only on that overload.

B

Guy bedford: that it was during the check,, so both checks are still only compilation, checks, and therefore there's only one check, which is a compilation check right, now., but potentially we might still need 2 checks. As we discussed some of these fine grand things., that's yeah, okay,, it's very interesting.

B

Guy bedford: sure. guy bedford:, so guy bedford:, then I'm loading a module, and I will be able to load this module because it's on the same domain, and it's gonna pass the script so self,. If it was in any any other domain. the content. Security policy wouldn't allow it.

B

Guy bedford: and then I've got an iframe, and I'm enforcing the content security policy. On that I frame to be that it can execute scripts,, but only on the same.

B

Guy bedford: a domain again., so the main module in this example.

B

Guy bedford: well, first first, one I want to show is that, like.

B

Guy bedford: you, can,, you can't execute things on the domain., so.

B

Guy bedford:, if, if I, if I try and import content from another domain. I'll, get a a. csp. era.,.

B

Guy bedford:, because it it violates the csp. policy.

B

Guy bedford: and so guy bedford:, our imports are also restricted to only those urls that are permitted by the content. security policy.. There is one exception to that, and that's if I use a nonce.

B

Guy bedford: and I put a a nonce. if I use a nons policy, which is to to define a nonce. you're supposed to define it on every single page, load.

B

Guy bedford: and then put that on on the on the top level script. and when I'm using a nonce policy.

B

Guy bedford:, I can actually get away with importing anything.. So then it'll work.

B

Mark s. miller, (mm, agoric): just to make sure. I'm on the phone.. The theory there is that the nonce is.

C

Mark s. miller, (mm, agoric):, I'm guessable., guy bedford: and therefore knowledge of the nonce is proof of legitimate authority.. Exactly the problem with the nonce is that once once it's done, any monitor in the graph is allowed to load anything else.. So you don't get the checks down the module br.

B

Guy bedford:, whereas normally you would get the check step for each module in the module graph.. So.

B

Guy bedford: of the dependency checking.

A

Mathieu hofman:, I I didn't realize it was transitive like that.

A

guy bedford:, yeah. yeah.,.

B

Guy bedford: so in in a sense, nonsense,, a more dangerous policy for that reason, because it only takes one hidden dependency to embed a little external url. and before you know, it., you've, externalized, everything.,.

C

Mark s. miller, (mm, agoric): are the people concerned with browser security.

C

Mark s. miller, (mm, agoric): concerned about the fact that.

C

Mark s. miller, (mm, agoric): from their perspective, there is no confidentiality within an agent because of meltdown. inspector.

A

Mathieu hofman:, I think.

A

Mathieu hofman: so. you're supposed to declare like here.. This is declared in.

A

Mathieu hofman: in, in, in, in a met out., but it can come as a header, and the idea is that,. Like it,. It's used right away.. So, while you're parsing the page,, it will be in the page.

A

Mathieu hofman:, so there is no opportunity really for anything else to go and grab and try to use that announce another time, anyway. and once the nonsense being used,, it's it's. It's burned.

C

Mark s. miller, (mm, agoric): okay,, once the nonce has been used,, it's burned.

B

Guy bedford: you're supposed to create a new one,. Every single request. oh, okay, got it?.

B

Guy bedford: sure. so that that was a bit of a diversion. but just to show that we get this transitive property of checking. and so in theory..

B

Guy bedford:, if you're importing web assembly in the module system.

B

Guy bedford: that can also be verified against your content, security, policy. and, if you're importing a module as a reflected source.

B

Guy bedford: that can also be integrated into the content, integrated policy,. So that verifies that property, which is nice to have.

B

Guy bedford:, hopefully and sure.

B

guy bedford:. So then the the the concern was well.. How does. why them deal with this problem of.

B

Guy bedford:, if you can transfer webassembly modules with structured clone. and you have a frame.

B

Guy bedford:, how is well, as I'm going to deal with the situation where there's 2 content security policies.. So in this case I'm allowing webassembly of on the mainframe.

B

Guy bedford:, but on the sub frame guy bedford:, I don't have webassembly evaluation enable., so I'm basically have a policy that says, what?, but somebody is not allowed to evaluate inside the frame.

B

Guy bedford:! So what if I take a web assembly module.

B

Guy bedford: on the outer frame, and then post it into the.

B

Guy bedford: frame. guy bedford:, and that that's got a different security policy., where this is the compiled module.. Will it allow me to execute it?.

B

Guy bedford: so basically, the the instantiation is.

B

Guy bedford:, you fetch the module, and you can see. This is exactly why we want import reflection., you fetch the module,, you run it through compile streaming., and then you have to call instantiate on it. and if we have import reflection, all of this this will become.

B

Guy bedford:, basically.

B

Guy bedford: right, so that the top 2 lines, guy bedford: with import reflection, would replace all of well without the logs,. Obviously,.

B

Guy bedford: replace these 3 lines.

B

Guy bedford:, so you you basically to replace these 2 lines with this line in import, reflection.

C

Mark s. miller, (mm,, agoric): okay., but but but the the attack would be if line 9.

C

Guy bedford: or within the frame r: within the okay, right?, so that yeah, that's the example that we've got., so we we first can compile it, and we can instantiate it, and we can do that on the mainframe, and that's absolutely fine.

B

Guy bedford:, if I'm in the module frame., so here's the frame.

B

Guy bedford:, I try and fetch your web assembly, module.. I try to compile it.

B

Guy bedford: and it's gonna for an era.

B

Guy bedford:, so it's not going to! Let me compile. refuse to compile because it doesn't fulfill this content security policy in the frame., but in the in the parent I'm able to.

B

Guy bedford: compile and instantiate.

B

guy bedford: so yeah, that then then the case is now.. I'm gonna.

B

Guy bedford: wait a while for the frame to initialize and then post the module through structure, clone to the frame.

B

Guy bedford: in the frame. I'm going to pick up that module in a.

B

Guy bedford: the event listener and I'm then going to instantiate that transferred module.

B

Guy bedford: and it lets me, do it., so I'm now able to execute unsafe,, wise, and mobile inside of the frame that had a policy that wasn't allowing.

B

Guy bedford: web assembly. so yeah, that our our questions that that kind of figure out.

B

Guy bedford: that., but so that that's that's a good overview of like the situation.

B

Guy bedford: and then I guess the question is,. Should we seek to improve.

B

Guy bedford:, this behavior, should we, when we think about javascript and the transferability, one of the major features of module expressions is allowing you to transfer java, compile javascript modules.

B

Guy bedford: do?, we would, we expect the same thing to happen,, or would we want to have stronger guarantees?.

B

Guy bedford: yeah,, that's that's a good place to start the. I think, the I think the important invariant is that.

C

Mark s. miller, (mm, agoric):, however,, we, however,, we end up treating wisdom, modules.

C

Mark s. miller, (mm, agoric):, we should be treating javascript modules, the same way.

B

Guy bedford: okay., that's a good start, and guy bedford:. I am following up this question with my some modules folks to try to work out.

B

Guy bedford:, if we can do something better, for guy bedford: at the very least in our sorry discuss,, had a discussion with francis, who worked on the csp. specification for webassembly modules.

B

Guy bedford: and he was open to the idea of.

B

Guy bedford: supporting more than just why some unsafe eval.

B

Guy bedford:, but guy bedford:, either allowing, when you importing wisdom in the asm integration, the as an integration being the ability to import, like a webassembly module like a js module.

B

Guy bedford:, that is distinct from the reflection, which is the the compiled module.

B

Guy bedford:, he was open to it. checking with the script source policy,, because now it would have a handle on it.

B

Guy bedford: I'm sorry. could you?. Could you go over?? I did not follow that.

B

Guy bedford: okay. so, as I showed at the beginning,, if you try and import.

B

Guy bedford: a a. js. module from another domain.

B

Guy bedford: in this example, because it doesn't fulfill the script source policy.

B

Guy bedford:, it's gonna throw a a csp error because I'm trying to load a script from another domain. and if I wanted to pass, I'd, have to explicitly say unpackaged.com.

B

Guy bedford: is allowed to execute code on this page.

B

Guy bedford: and then it would be allowed. guy bedford:, so the csp policy can control what urls are able to be executed.

B

Guy bedford: on the page.

C

Guy bedford: or, and that's for scripts,, not for modules. no. see,. This is happening for the module right, now. yeah., so for for modules, it'll do., the scriptures controls both module and scripts- that that's the confusion. but yeah, so yeah, script source also means module. in this context.

B

Guy bedford: okay, more like that, being the screen. okay.

C

Mark s. miller, (mm, agoric): got it?.

B

Guy bedford:, so guy bedford: webassembly could potentially participate in the same thing. or if you're loading, react or wasn't.

B

Guy bedford:, it could basically participate in the same policy here.

C

Mark s. miller, (mm, agoric):, so so so.. So let me let me try to to.

C

Mark s. miller, (mm, agoric): understand the relationship here right, now.

C

Mark s. miller, (mm, agoric):, the javascript, in the absence of a explicit mantra, loading system.- we don't have re-ified source module objects.

C

Mark s. miller, (mm, agoric):, so mark s. miller, (mm, agoric):, you. you.. We can't state that the behavior,, the csp behavior we're seeing.

C

Mark s. miller, (mm, agoric): is only consistent with one theory that you could.

C

Mark s. miller, (mm, agoric): a tribute mark s. miller, (mm, agoric): to it., either that the throttling is happening. going from source.

C

Mark s. miller, (mm, agoric): to static module record or go, or instantiating the static module record. either of those theories.

C

Mark s. miller, (mm, agoric):, would be consistent with the current. csp. javascript behavior. is that correct?.

B

Guy bedford: right?, because today we don't have a this, we haven't exposed this phase for javascript,, which represents.

B

Guy bedford: compilation without execution.

C

Mark s. miller, (mm, agoric): right?.

B

Guy bedford: and the check is all guy bedford:. Just one check right, now.

C

Mark s. miller, (mm, agoric):, right, now., mark s. miller, (mm, agoric): and the and and the and in particular, there's with the absence of something like a reified module., there's nothing to pass.

C

Mark s. miller, (mm, agoric): 2, another frame.

C

Mark s. miller, (mm, agoric): such that the question would arise.. So the really so the constraining factor is.

C

Mark s. miller, (mm, agoric): that mark s. miller, (mm, agoric):, the question already does arise with web assembly?. Is the current webassembly csp. behavior already entrenched such that anything going forward, has to preserve the current.

C

Mark s. miller, (mm, agoric):, webassembly,, csp. behavior.

B

Guy bedford:, so it's actually not fully finalized the webassembly, csp. behavior,, because.

B

Guy bedford:, so guy bedford:, we this we've got 2 new kind of things that will be happening for web assembly.. From this perspective, the one is the direct asm integration.. So that's when you can directly import web assembly.

B

Guy bedford:, which guy bedford: right now web assembly doesn't participate in script, source.

B

Guy bedford:, it only supports wise and unsafe as well.. So in theory there is no reason.. Webassembly couldn't also participate in something like script source when it's imported.

B

Guy bedford:, because you have this tie. like javascript,, does what you've got a special.

B

Guy bedford: function that gives you the module. right, now. webassembly is loaded with fetch, and there's nothing special about. fetch that.. We know that it's a a webassembly capability,, and so it's there's no guardrails.

B

Guy bedford:, but when we integrate web as somebody into the js. module system.

B

Guy bedford: we're creating that privileged api that allows you to get access to as, and and that api can.

B

Guy bedford: handle guy bedford: got it regarding what you have access, to.

B

mark s. miller, (mm,, agoric):, okay,, so so. so.. So let me let me just sort of pursue this line of inquiry.. The.

C

Mark s. miller, (mm, agoric):, let's from the javascript side., I think the you know a big discovery.

C

Mark s. miller, (mm, agoric): for me last something I I learned from the last session of this.

C

Mark s. miller, (mm, agoric): is,, I was thinking that mark s. miller, (mm, agoric):, putting the the throttling on.

C

Mark s. miller, (mm, agoric):, going from source text to a source, module, was a better place to put the throttling, and and.

C

Mark s. miller, (mm, agoric):. What I learned last on is that from the javascript and module loader perspective.

C

Mark s. miller, (mm, agoric):- probably that's not the best place to put them throttling.. Rather it's on instantiation.

C

Mark s. miller, (mm, agoric): however,, that's not what the web does right. Now, for csp. applied to.

C

Mark s. miller, (mm, agoric): is the mark s. miller, (mm, agoric):, the wisdom situation fluid enough.

C

Mark s. miller, (mm, agoric): that we could instead make the throttling on wisdom only on instantiation., because I don't I don't. I would prefer that there's only one knob, and it only.

C

Mark s. miller, (mm, agoric):, throttles mathieu hofman:, one of those 2 phases.

A

Mathieu hofman:, so why? Why is it not preferable.

A

Mathieu hofman: to basically have the knob on the first stage? we're. I I mean.

A

Mathieu hofman:, I I I think we should decide by what how we want the platform.

A

Mathieu hofman: to be, what what kind of used cases we might see in the platform, and and whether that informs the the first a a not on the first stage, or on the second stage.

C

Mark s. miller, (mm, agoric): I. yes, yes,, I I think it should be. it should be driven by what we want to 2.. What we want to to do with these knobs.

C

Mark s. miller, (mm, agoric):, I'm not sure I can., I remember it was in a hall moment,, but I don't know that I can recount the ha accurately.. Can anybody else here.

C

Mark s. miller, (mm, agoric):, recount the argument? why, from a javascript, module, perspective,, explicit module, perspective.

C

Guy bedford: that instantiation was the better thing to throttle the throttle.

B

Guy bedford: that has a different policy.

B

Guy bedford: you'd want to check it again at the instantiation time., so right, now, with this example, with the web assembly, I was able to run potentially webassembly.. I wasn't allowed to.

B

Mathieu hofman:, but the the way I see it, is.

A

Mathieu hofman:, if you have codes.

A

Mathieu hofman: that receives that module and explicitly.

A

Mathieu hofman: goes in and instantiates. it's code. That is also able to verify where that message is coming. From.

A

Mathieu hofman: because there is on post message., there is an origin check that you can have like that.. That code is able to do its own checks and then decide.

A

Guy bedford: to the the post message check: is,, you know,, which origins are allowed to communicate.

B

Guy bedford:, but that's potentially a distinct question from.

B

Guy bedford: we origin. did the code come from?.

A

Mathieu hofman: yeah., but at that point you have code that you have trusted to execute.

A

Mathieu hofman: and I I like, I guess the question is whether your trust,, that code to.

A

Mathieu hofman: to handle. mathieu, hofman: and potentially instantiate something that it has received.

A

Mathieu hofman:, I.

A

Mathieu hofman:, I I I would like it.. I know this is powerful,, but I I I it it it. It would make me sad to try to nerve that.

A

Mark s. miller, (mm, agoric):, I mean one way to to.

C

Mark s. miller, (mm, agoric): to think. I mean what one way. well, you don't can experiment for thinking about the this issue is imagining.. Imagine.

C

Mark s. miller, (mm, agoric):, we had 2 knots, one for 1,, one for suppressing at each phase.

C

Mark s. miller, (mm, agoric):, but it was the same pair for both webassembly and javascript.

C

Mark s. miller, (mm, agoric):, the mark s. miller, (mm, agoric):, when we, when would you use?.

C

Mark s. miller, (mm, agoric): yeah.

C

mark s. miller, (mm, agoric):. When should you?, you clearly use one knob rather than the other.

C

Mark s. miller, (mm, agoric): is it does does either knob dominate the other in the sense that.

C

Mark s. miller, (mm, agoric):, there's a use case.. It was a compelling use case for using one of the knobs that, using the other. Knob would not substitute for.

C

Mark s. miller, (mm, agoric):, if that's the case only in one direction,, then one of the knobs dominates.

C

Mark s. miller, (mm, agoric):, I don't I'm not deriving an answer from that., I'm just saying that may might be a way to invest. In.

B

Guy bedford: yeah. and my hope as well is that in presenting this question to the web assembly folks, we can figure out. if webassembly would want to.

B

Guy bedford: move to an instantiation policy.

B

Guy bedford: or not,, because that might also affect you, know what javascript decides to do so, I I can continue following this question out from a webassembly perspective.

B

Guy bedford: okay. guy bedford: yeah.

C

Mark s. miller, (mm, agoric): yeah., so yeah, finding out, if it's a possibility for them to move to instantiation., that would say that it's a possibility on our side.

C

Mark s. miller, (mm, agoric): to use to have just an instantiation knob for both.. If we decide that's what we want to do.

C

Mark s. miller, (mm, agoric):, but without actual., but but you so investigate that without implying that we know which choice we want to make.. But just we want to know what the options are.

D

Michael fig: in. in my opinion, there actually is a good reason to have both,, not.

D

Michael fig:, because the the no one safer dial kind of knob is saying,, I don't care where the source came from.. This is just going to be.

D

Michael fig: there's a way for me to say I don't., I don't care what the sources I just don't want any of all in my page. and that's somewhat different,, because that also includes constructed strings that don't really have a source other than soft. and.

A

Mathieu hofman: the the problem: is, I, mathieu hofman:. As soon as you enable mathieu, hofman: like, how like,? How would you define the evaluation?.

A

Mathieu hofman: instantiation. no., would it be overloaded?? Would it be the same script source?.

A

Mathieu hofman:, I I don't think it should be,, because then you get into those cases where it becomes roughly impossible to to get the case of oh,. I I have a trusted source here., I'm passing it around like go in, and.

A

You should be able to execute it.

A

Mathieu hofman:, if, if you trust me giving you give it me,, providing it for you.

A

Michael fig:, so you're saying. basically,. We even need brian checks of some kind on the sources.. If we're going to do, instantiation. I'm: checks.

A

Mathieu hofman: yeah,, then you would need to kind of.

A

Mathieu hofman: it. another argument will be. or only source at source time.

A

Mathieu hofman: is basically that's, that's the logical, or that's like the.

A

Mathieu hofman: it., it's very similar to trusted types with trusted, types. right now,. You can.

A

Mathieu hofman: basically mark some kinda source set as being trusted. and then passenger on your program,, not another realm,, but passing it into your around your in your current.

A

Mathieu hofman: well,, actually more like., mathieu, hofman: yeah,. I think right now, mathieu hofman: and then one and then evaluated in another place.

A

Mathieu hofman:, regardless of the the script source.

C

Mark s. miller, (mm, agoric): do browsers currently mark s. miller, (mm, agoric):, implement it?. Does the eval function.

C

Mark s. miller, (mm, agoric):, currently recognize trusted type arguments.

A

Mathieu hofman: for trusted type supporting browsers,, which are the 8 days. yes.

C

Mark s. miller, (mm, agoric):, so it's. v: 8. only right now.

A

Guy bedford: yeah,, I don't think any other browsers, have a.

B

Guy bedford: no. mathieu, hofman: no, no,, but it's more of the consent. like.

A

Mathieu hofman: some piece of your system that trusts, fetches and or means some sort that that is evaluatable,, and then it goes into a sync. that may be a piece of code that is less trusted,, but because that particular string.

A

Mathieu hofman: that particular stream carries the the trust surrounds.

C

Mark s. miller, (mm, agoric):, but what I remember from those days is that the thing that was branded.

C

Mark s. miller, (mm, agoric): was not the string., it was a.

C

Mark s. miller, (mm, agoric): a a,, a object containing the.

C

Mathieu hofman: it., it is an object containing the string. yes,. I I simplified it., it's an object containing the screen,, the string, and then all the evaluators,. All the things are able to recognize those objects instead of.

A

Michael fig:, okay. yeah,- I I think this this kind of gets back to,. Maybe the insight that you had mark,, which is. if we want.

D

Michael fig:, it's hard to remember., I remember,. If we want to make the module source whatever we call that the comp, the compiled module, source. yup.

D

Michael fig:, if we want to make that somehow privileged michael fig:, then we need to abandon the third-party module source kind of things where we had other things, being able to stand in for module sources that weren't necessarily created by this.

D

Michael fig:, something that would pass a brand check.

D

Mathieu hofman:, you just need to make any of them to to brand the virtual module.

D

Michael fig: yeah., and if we have that,, then we have a way to be able to implement the instantiation check in the consistent way.

C

Mark s. miller, (mm, agoric): yeah,, one of the things that that.

C

Mark s. miller, (mm, agoric): is there there's nothing in.

C

mark s. miller, (mm, agoric):. Is there anything in the javascript standard.

C

Mark s. miller, (mm, agoric):, that is there in order to support crusted types.. I know that there was mike samuel's posing for a while that eval be able to accept.

C

Mark s. miller, (mm, agoric): an object rather than a string. and then call to a host. huh!.

C

Mark s. miller, (mm, agoric): to make a determination about.

C

Mark s. miller, (mm, agoric):, the object.. Does anybody know if that happened?.

A

Guy bedford:, I know it's implemented.. I don't know how it's specified., 2, 6, 2 notes around that supporting other things, and also dynamic import,. I believe, was amended to allow, taking non strings so that it in the host.

B

Mark s. miller, (mm, agoric): okay.

A

Mathieu hofman: yeah,, I I.

A

Mathieu hofman:, I mean,, I I understand it's it's more powerful and this more dangerous., but I I think it would be nice to keep the ability to.

A

Mathieu hofman: to grab and carry the the csv. when you,, when you fetch. and and then like,, wherever it's evaluated.. Even if you.

A

Mathieu hofman: post-mage it to another frame,. It ends up being available.

B

Guy bedford: yeah., so the question we have right. now for this webassembly case is like.. Is this actually a violation.

B

Guy bedford: that I'm able to transfer this web assembly, monitor and run it on a frame. That's strictly not allowed to.

B

Guy bedford: evaluate web assembly according to its csp policy.,.

B

Guy bedford: and if we are going to have more fine-grained policies,.

B

Guy bedford: or other types of guy bedford: transfer in in this case, there's kind of a clear.

B

Guy bedford: kind of authority hierarchy, and that the frame should have lower authority. and and if the parents passing in something to the frame.

B

Guy bedford:, maybe that's not a security violation,, because it's you're going from a higher, like a place of higher security to lower security.

B

Guy bedford:, but maybe there will be scenarios in future where that isn't the case., it will.

C

Mark s. miller, (mm, agoric): alarm. bells go off in my head every time I hear people talk about high and low.

C

Mark s. miller, (mm, agoric): yeah,, the right,, the the the better framing mark s. miller, (mm, agoric):, to approach security issues in general., not always,, but in general, is mutual suspicion..

C

Mark s. miller, (mm, agoric):, neither side is higher than the other.. Both sides might either side might attack the other.. Both sides would like to protect themselves from the other.

A

Mathieu hofman:, I I have implemented systems where the I frame is the high security context.

A

Mathieu hofman: and it doesn't trust actually the the the the the.

C

Mark s. miller, (mm, agoric): yeah., certainly any set of mechanisms that work well for mutual suspicion.

C

Mark s. miller, (mm, agoric):, will also work well, guy bedford:. When one is fired,, then we one is strictly higher than the I mean by that framing.. Then this is a security, vulnerability space,, because.

B

Guy bedford: you're allowing a violation of a security policy.

B

Guy bedford:, where unknown message guy bedford: can potentially be passing this capability without you realizing it,, and without you wanting to support it.

A

Mathieu, hofman: and and- and I argue, it, isn't. really it's only if you're it's only the code that is already trusted to the code to handle the incoming messages that has been trusted to execute already.

A

Mathieu hofman: does something to to actually evaluate the the incoming message.

B

Guy bedford: well, in this case, yes, it has to call web assembly that instantiate., but.

B

Guy bedford:, the the the suit like.

B

Guy bedford: from getting from message to data to the web assembly, dot, instantiate, sync. yeah, you'd still need to do that which is quite difficult to do..

B

Guy bedford: yeah, is that? or you have to dynamic and port it, or or anything like that?. It's it's a pattern that you can definitely audit in the code.

B

Guy bedford: right?, so the the question is,. If it could get.

B

Guy bedford: like, say,, you have some existing module bindings. If, if they were that being dynamically access,, could they be conflated with a message that you got, or something?, but probably not.,.

B

Guy bedford:, but if, if we are considering more complex kind of module, transfer, scenarios. both for javascript and for web assembly.,.

B

Guy bedford:, I guess the question is,: do we want to have.

B

Guy bedford:, the ability for these different. these different rooms to have their own policies.

B

Mathieu hofman: well,- I I mean at that point.

A

Mathieu hofman:, I think, it., that's if, if mathieu hofman:, I I think, that's when that. That's when we should consider a second, an an extra csp. value, where it's like restrict evaluation,, which by default, would be limited to the the same set of scripts.. But then.

A

Mathieu hofman:, you you, you end up.

A

Mathieu hofman:, you end up like restricting the the second., not basically.

C

Mark s. miller, (mm, agoric): so. so., so so this goes.

C

Mark s. miller, (mm, agoric):, so you're you're engaged in that. Basically, you don't get an experiment of imagining that we have both knobs, and then I still,, you know I and it seems like.

C

Mark s. miller, (mm, agoric): you're you're, making a convincing argument that the instantiation knob.

C

Mark s. miller, (mm, agoric):, is not subsumed by the comp.; let's call it the instantiation of versus the compilation of. I think those are. Those are clear enough terms.

C

Mark s. miller, (mm, agoric): that the yeah., I think, you're making a case of the compilation not does not subsume the need for the instantiation.

A

Mathieu hofman: it's possible. We could have cases where.

A

Mathieu hofman: yes,, if you receive.

A

Mathieu hofman: a a a module, or something.

A

Mathieu hofman: evaluable mathieu hofman: through post message that you might want to,. You might want to make sure you never end up ever evaluating those unless they're from a trusted. Origin.

C

Mark s. miller, (mm, agoric): okay,, so that so?, so so that so?, so just to the implication of what you just said.

C

Mark s. miller, (mm, agoric):, is that mark s. miller, (mm, agoric):, the compilation of does not subsume the instantiation, the need for the instantiation that we would still,. Even if we have the compilation now,, we would still want an instantiation.. Is that correct?.

C

Mark s. miller, (mm, agoric):, is it correct that that's an implication of the argument you just made?.

C

Mathieu hofman:, I'm saying it's possible. some use cases. We would like to have that. not? yes.

C

Mark s. miller, (mm, agoric):, what about the other direction?

C

mark s. miller, (mm, agoric):? If we had the instantiation knob.

C

Mark s. miller, (mm, agoric):, our could that, with that substance,, the need for the compilation?.

D

Mathieu hofman: hmm.

B

Guy bedford: there,, there is one thing about that from a csp. perspective,, and that is that.

B

Guy bedford: in the csp guy bedford: model, it does set request headers at the time that the request is made.

B

Guy bedford: and I'm not exactly sure why. but there's this: sec. fetch desk header for csp. policy.

B

Guy bedford: that is set when you're.

B

Guy bedford: making a request under csp:, so they're they're in in the actual html pipeline.. There are actually request time.

B

Guy bedford: algorithms that are associated with the csp pipeline.

B

Guy bedford:, by by the design of csp. and that's something., maybe if we,, if we had and back to have some discussions around,, we could potentially dig into further.

B

Guy bedford:, this is this- is completely unfamiliar territory for me. it that that that informs the origin that made the request.

B

Guy bedford:, I I I don't know if it's purely for some kind of logging., I would be speculating,, but it is. If you want to research, it is the sec. hyphen. I'll, I'll, write that it's the. What is the content of that. there,? That's what I'm I'm. asking.

A

Guy bedford:, so it's the sec. bitch desk header,, and it's on these. These.

B

Guy bedford: requests., and it also associates with the destination of the of the resource which determines which.

B

Guy bedford: policy is being applied.

B

Guy bedford: again,: this is also unfamiliar territory to me.. I I would need to dive into that some more., but just to order to say that.

B

Guy bedford:, I believe the way that csp. is.

B

Guy bedford: specified links very heavily into the into the request model of the web.

B

Guy bedford: in the first place,, so so moving it outside of a compile guard.

B

Guy bedford:, because compilation and requests are, are so close it it's it's more of a request check than a compilation check,, even if that makes sense.

A

Mathieu hofman: okay., so the it's, the the content of the sec. fish desk seem to be.

A

Mathieu hofman:, whatever.

A

Mathieu hofman:, whatever triggered the the the request.

A

Guy bedford: yeah., mathieu, hofman: and some cases it would be script.

A

Mathieu hofman: or I don't know what it would be for an import., that's interesting., but it.. It's how the it's,, how it's fetched.. So it's what trigger the fetch.

A

Guy bedford:, it has nothing to do on how it will be evaluated or.

C

Mark s. miller, (mm, agoric): does a a compiled module as a module.. I have a. I currently have any unforgeable.

C

Mark s. miller, (mm, agoric): association with mark s. miller, (mm, agoric):, the origin.

C

mark s. miller, (mm, agoric):. The source was fetched from.

B

Guy bedford:, it does not currently, and that's something that we want to figure out for import reflection, of course,, because.

B

Guy bedford:, if we're exposing this this way to get a module and import reflection.

B

Guy bedford:, we might want to have guy bedford:, both checks or or have some kind of metadata that that gets added., and that's the discussion that I'm trying to figure out., I'm talking with a bunch of people about it., yeah.

B

Mark s. miller, (mm, agoric): yeah.. So let me just in state state another invariant that I think any solution to this should obey., which is.

C

Mark s. miller, (mm, agoric):, outside of the web.

C

Mark s. miller, (mm, agoric):, the.

C

Mark s. miller, (mm, agoric):, we want this to be able,. You know.

C

Mark s. miller, (mm, agoric):, if we're going to have a bunch of mechanism, that's part of the javascript standard to support this.

C

Mark s. miller, (mm, agoric):, and we believe that it actually is good for security.. It's not just good for web security.

C

Mark s. miller, (mm, agoric):, then mark s. miller, (mm, agoric):. It needs to also be good without being tied to notions of origin and same origin policy.

C

Mark s. miller, (mm, agoric): that it can be used outside the web.

C

Mark s. miller, (mm, agoric): for non origin, oriented security, such as object, capability,, security.

C

Mark s. miller, (mm,, agoric): and and and I don't know.

C

Mark s. miller, (mm, agoric):, I don't.- I don't have.

C

Mark s. miller, (mm, agoric): concrete ideas yet about what that implies,. But I just want to say that will be a filter that I'm taking to this..

B

Guy bedford: yeah, so.

B

Guy bedford:, sorry I'll, let you finish.

C

Mark s. miller, (mm, agoric): no,, I was at.

B

Guy bedford: yeah,, the do you know.

B

Guy bedford:, our current champions of the import reflection, and they do have an interest in a security story.

B

Guy bedford: for dino being a on web platform where they want to use this as a mechanism to be able to.

B

Guy bedford: allow or deny access to wiser modules through the import system.

B

Guy bedford: and they would want to integrate their own checks where it's sort of defined at at deployment time,, and then they can control it. during the runtime.

B

Guy bedford:, which webassembly modules, you have access to and through and out out of band control mechanism, which would integrate into the way that they support.

B

Guy bedford:, import, reflection. and, and that's you know, very much something that we've seen as a feature of this way of getting hold of a wasm module,, because.

B

Guy bedford:, we we're turning the the the the function that gets the web, the web assembly don't want to object.

B

Guy bedford: we're turning it into a a fully host controlled function.

B

Guy bedford: and that allows it to be able to.

B

Guy bedford: be a a capability acquisition.

C

Mark s. miller, (mm,, agoric): and and and and if I recall,, is there anybody from you know, on this call right, now.

B

Guy bedford: luke,, who isn't here today? he was last time,. I think.

B

Mark s. miller, (mm, agoric): okay., if I recall correctly.

C

Mark s. miller, (mm, agoric): dino,, even if it's kind of a mixed system that it's it's it's trying to be.

C

Mark s. miller, (mm, agoric): what you know. more based on capability, access control, theory than identity access control, theory., there's a sort of pro capability bias. There which.

C

Mark s. miller, (mm, agoric): which,, if true. mark s. miller, (mm, agoric):, means that their investigation of what they'd like for security, is.

C

Mark s. miller, (mm, agoric): more likely to be well aligned with what we would want from a pardon, javascript and endo perspective..

B

Guy bedford: potentially., I I don't know the full details of you: know, security,, months,, month,, model, you'd, have to ask liquor.

B

Guy bedford:, but certainly I I I do think that's the the ideas have similar footing.

C

Mark s. miller, (mm, agoric):, okay, good.

B

Guy bedford: so is in in terms of follow up.. I I can certainly follow up on these questions, and in particular, that question around you know.

B

Guy bedford:, which of these knobs we need to have, and if we can have both, and and from a what from a purely webassembly perspective.

B

Guy bedford: and hopefully that can inform what we do.

B

Guy bedford: for javascript in turn,, and at least I I think, in terms of the progression of the import reflection, proposal.

B

Guy bedford: the question there is.: how much do we have to have these concepts figured out to be able to progress with that proposal.

B

Mark s. miller, (mm, agoric): and what stage?? What stage is that proposal at? right now?, it's at stage 2 currently,, but we are looking to move towards stage 3.

C

Mark s. miller, (mm, agoric): worked out concretely.

A

Mathieu hofman:, so one thing that comes to mind is that I, I believe one of the used cases for model source is being able to.

A

Mathieu hofman: understand what the import export findings of a mod of some source virtual source is,, but not automatically wanting to be able to.

A

Mathieu hofman: evaluate that virtual source in the current in in the current realm, or.

A

Mathieu hofman: agent, or whatever his boundary is.

A

Mathieu hofman:, if we.

A

mathieu hofman:. If the knob ends up on this on on the creation of the module. for like basically, then we might lose the ability to to do that analysis of a binding by creating a bunch of source from some text.

B

Guy bedford:, I I guess it also depends on how it's exposed., so you know,, if you're.

B

Guy bedford:, if you have arbitrary.

B

Guy bedford: me, you know. sorry. yeah,, you're, right., guy bedford:, yeah.

A

Mathieu hofman:, but I I think charity and an alternative. we're being able to purse and extract the binding of some. Some source was different than the virtual source. Itself. right?.

B

Guy bedford:, I I guy bedford: how you doing. guy bedford:. As far as I'm aware,, we've.

B

Guy bedford: been talking about a a a singular source in a singular instance., but yeah.

A

Mathieu hofman: yeah.

C

Mark s. miller, (mm, agoric):, I think part of the the insight from last time that I'm failing to recount.

C

Mark s. miller, (mm, agoric): in its fullness., but I think part of it was the the layering of concepts in the overall module.

C

Mark s. miller, (mm, agoric):, epic mark s. miller, (mm, agoric): that there's before you get to compart the you know the one before you get to the compartment layer. the prior layer is evaluators.

C

Mark s. miller, (mm, agoric): and for the for the evaluators layer.

C

Mark s. miller, (mm, agoric):, that's the layer, where.

C

mark s. miller, (mm, agoric): parameterized by an import hook.. You create.

C

Mark s. miller, (mm, agoric): in the valve function mark s. miller, (mm, agoric): a. you know, function, constructor, mark s. miller, (mm,, agoric): and a.

C

Mark s. miller, (mm, agoric):, if I recall, correctly, a module instantiator.

C

Mark s. miller, (mm, agoric):, because it's only on a state. yes, right?, because because you don't need an event, an eval hook.

C

Mark s. miller, (mm, agoric): isn't relevant for for compiling to a source module.

C

Mark s. miller, (mm, agoric):, but it's required, of course, to go from source module to an instantiated module.

C

Mark s. miller, (mm, agoric): so mark s. miller, (mm, agoric):, so the so, at least api design.. That's not an argument from use case. It's an argument from.

C

Mark s. miller, (mm, agoric):, the sort of what's most parsimonious.

C

Mark s. miller, (mm, agoric): from the api structure that we've been.

C

Mark s. miller, (mm, agoric):, proposing that. see where the that api structure was arrived at.

C

Mark s. miller, (mm, agoric): to satisfy multiple other constraints.

A

Mathieu hofman:, I yeah,. I actually take that back back what I'm saying. like,, you can build a module source., you can import it eventually.. It's just.

A

Mathieu hofman: captures.

A

Mathieu hofman: oh, no,, you can right mathieu hofman: because you said, like, we're,. We say virtual sources.. The only thing that is structured, floatable., right?, yeah.

A

Mathieu hofman: yeah,, it does point to mathieu hofman:. It does point to having the check being done at the evaluation phase.

A

Guy bedford: there. there is another alternative, there.

A

Mathieu hofman:, so I mean sensation phase.. It does not mean affected at the instantiation phase.

D

Mark s. miller, (mm, agoric): okay.

B

Guy bedford: there. there is another option: there, and that's to actually have a a god at the transfer phase.. So do you have permission.

B

Guy bedford: to receive this module and and have some kind of checks at the at that.. So you you got the the the so.

B

Guy bedford:, I think, maybe from an equivalent perspective. it's it's. You have to guard all your sources,. What you have to guard all your sinks, and maybe those are equal in.

B

Mathieu hofman: in power. those,, so you mean. csd, would apply to.

A

Mathieu hofman: to the payload, that's being transferred.

B

Guy bedford: right?. So when you transfer from one context to another.

B

Guy bedford: in in a structured phone that you.

B

Guy bedford: would somehow have that check taking place on the transfer boundary that it's able to be transferred.

C

Mark s. miller, (mm, agoric): okay,, so let's, let's remember that as a a possible third knob. and it.. It is the case that that you all 3 of these mobs are coherent from the capability perspective.

C

Mark s. miller, (mm, agoric):, sometimes you in a capability system,. Sometimes you enforce policy by what you have the capability to do., and so sometimes you enforce policy.

C

Mark s. miller, (mm, agoric): by the boundary mechanism that things have to pass through.

A

Mathieu hofman: well,, my main concern is that,, you see intrinsically is an ecl. and.

A

Mathieu hofman: and I mean it. it is.. It is a list of identity, origins that are allowed that are treated differently. and so.

A

Mathieu hofman: it it does conflict with the notion that passing some object around, we can do something, because now we're basically trying to apply.

A

Mathieu hofman: we're we're basically trying to apply an acl to to a possible carrying objects.

C

Mark s. miller, (mm, agoric):, I mean the web. it it's., so I mean whatever we we put into the javascript standard.

C

Mark s. miller, (mm, agoric):, we've not directly call out origins or apples, or csp.. It would be something where outside the web.

C

Mark s. miller, (mm, agoric): that whatever mechanism we're talking about at the javascript level should be usable in a net, you to support capability, oriented policies.. I don't., I don't know that. that.

C

Mark s. miller, (mm, agoric): yeah. mark s. miller, (mm, agoric):. What I don't know what the implications are about, what these knobs look like when you take that filter to them., but the fact that the web would use it in an echo, oriented way does not by itself disqualify.

B

Guy bedford: so yeah, for for the import, reflection, proposal.

B

Guy bedford:, the the integration question for us is,. How do we integrate the js marshal system, with whatever policies are happening.

B

Guy bedford: and that's maybe an easier question to figure out. then.

B

Guy bedford:, how do javascript source module source objects.

B

Guy bedford: want to integrate into these kind of security policies,, which is the wider question.. That's probably the the next question to tackle.. Once we figured out what we're doing for of assembly,, maybe.

D

Michael fig:, just just want to say we're at time.

D

Michael fig:, I don't know if you want to spend michael fig: a there's time cleaning up before we, this meeting. or oh,. He says it's okay to go over, and he's main.

D

Michael fig: participants in this meeting., so mathieu hofman:- I I think we should arise at this point.

A

Mathieu hofman:, unless anyone anything else to add topic.

A

Mathieu hofman: from what I heard is that no matter what.

A

Mathieu hofman: wasn't and gs module should consistent with each other.

A

Mathieu hofman:, the the knobs are instantiation.

A

Mathieu hofman: our compilation, phase, or.

A

Mathieu hofman:, we may have the precedence that currently a wasn't module.

A

Mathieu hofman:, the checks seem to be done at the compilation, fate, and.

A

Mathieu hofman:, given that you mathieu hofman: we'd, be able to reflect the the and still instantiate it with existing.. I don't think there would be a way to have.

A

Mathieu hofman:, something that was fetched. mathieu, hofman: and pass the unsafe eval,, and if it wasn't meanwhile, or something that was import, sourced, and and then end up having a different behavior,. I think those 2 things should end up being the same thing.. So we may be constrained there into.

B

Guy bedford:, the the question is, you know,, because we potentially can have different behavior for them,, because.

B

Guy bedford: fetch doesn't have any kind of an integration with what it is. Fetching.

B

Guy bedford:, whereas so so that's the problem with fetching web assembly today is that you don't know that you're fetching web assembly. you're just fetching arbitrary bytes.

B

Guy bedford:, whereas integrating it into the module system at the moment the web is something gets integrated into the module system.. We have that strong link between the fetch and the compile that allows us to provide a stronger key security, policies, or or potentially branding.

B

Guy bedford: at that level.

A

Mathieu hofman:, so it's possible that something that was import source. if you get a module.

A

Mathieu hofman:, if you get it,, wasn't module source to import source, or if you get it by a compile from fetch,. Those would end up one.

A

Mathieu hofman:, in the second case you we could say like, oh,. You never end up having a instantiation going to an instantiation. no., but in the first case you do have an of taking offense.. I see.

C

Mark s. miller, (mm, agoric): yeah,. Let me let me also just express a preference.

C

Mark s. miller, (mm, agoric):, you know soft preference that at the end of the day, we end up with only one non out of the 3 that we've discussed.

A

Mathieu hofman: and- and I think in principle, I would like.

A

Mathieu hofman: to have somehow a I would like to.. I would love to have a way to transfer in module,, knowing that the receiver will be able to in in instantiate it.

A

Mathieu hofman:, but maybe that's just not compatible with the web platform model.

B

Guy bedford: it.: it's an option to say that these cross realm policies don't get enforced, and that when you have these linked realms, they will just end up at the highest.

B

Guy bedford: execution, policy, and and that's sort of what web assembly is doing, today.

B

Guy bedford: so yeah, that that's maybe something we can pick up again next time, it'll be interesting to dig into.

A

Mathieu hofman: and it sounds like the tsb authorism or the integration with western like.. They need to get back to us., see which. if the current behavior is intended. and if the.

A

Mathieu hofman: or if you believe that that is the web platform correctly or wasn't, yeah point of order.

C

Mark s. miller, (mm, agoric):, I think it's, this zoom channel, that's re-used by the endo meeting.. Have people arrived here for the end of meeting?.

A

Zb (zbigniew) tenerowicz: yes,, we need to. yes, and they are enjoying don't worry.

C

Mark s. miller, (mm, agoric): okay? thank you?.

A

Mathieu hofman: yeah,, I think that's it.

A

mathieu hofman:, all right. thanks, everyone. guy bedford: thank you.