
JavaScript In A Bottle


Spectre and Meltdown were a "Message in a Bottle". We present how JavaScript can defend itself from speculative-execution-class security attacks by reprising Mark S. Miller's work.



Clive Boulton

April 28, 2018


  1. JavaScript in a Bottle. Spectre and Meltdown were a "Message in a Bottle". Reprising Mark S. Miller's work. By Clive Boulton, 4/28 @LFNW, Bellingham, WA.
  2. To touch on the LFNW theme "Message in a Bottle": Security, Containerization, and Personal Data. We present a reprise of Mark S. Miller's continuing work on Robust Composition at TC39 on the EcmaScript standard: turning JavaScript, the programming language of the web, into a first-class object-capability-based language with an ability to defend itself from speculative-execution-class security attacks. We will show computer security examples incorporated into Ward Cunningham's federated wiki and GitHub, and how to secure your own JS code. Briefly, we plan to mention how Miller's work ties into decentralizing cyber risks with blockchain smart contracts. With a lot of ground to cover, this session will draw on past talks.
  3. Mark S. Miller. Mark S. Miller is the main designer of the E and Dr. SES distributed object-capability programming languages, inventor of Miller Columns, a pioneer of agoric (market-based secure distributed) computing, an architect of the Xanadu hypertext publishing system, a representative to the EcmaScript (TC39) committee, and a senior fellow of the Foresight Institute. https://research.google.com/pubs/author35958.html
  4. Object-capabilities at Splash 2017. JavaScript as first designed: everything can mess with everything (fine for web page scripting). JavaScript is now used for complex applications, even serious distributed applications (requiring defensive code). JavaScript functions are a very good approximation of lexical closures, encapsulating what they capture, but they are not perfectly tamper-proof objects (ES5 is statically scoped).
    - Freezing objects
    - Freezing realms
  5. What are capabilities? A capability is a single thing that both designates a resource and authorizes some kind of access to it. A first-class move away from ACLs (access control lists), closing the loopholes bad actors are exploiting in e-commerce. Capabilities solve "The Confused Deputy" problem in Windows, macOS, and Unix-derived OSes (Linux, Android, etc.).
  6. Object-capabilities can provide specific access instead of access control lists. Example: Passport vs. car key. "Assume my identity" vs. "grant you access to my car".
  7. 90%: researchers find current online applications may be vulnerable to ransomware, programming-language and logic bugs (smart contracts), and now speculative execution.
  8. Apple Root Password Vulnerability. The bug meant anyone with physical access to a Mac running High Sierra could get admin access to the machine. https://twitter.com/lemiorhan/status/935581020774117381
  9. Permission (ACL) or Object-capability (token)

  10. Allow access to what...

  11. Pull request

  13. Introduction to robust composition... Objects, References, Messages. Object-capabilities (OCaps). Access Abstractions and Compositions. Patterns of Safe Cooperation. Dimensions & Taxonomy of Electronic Rights. Smart Contracts [cheap machines, not expensive lawyers]. Composing Networks of Contracts.
  14. How do I designate thee? The pointer, let me count the ways. Two objects, Bob points to Carol: by designation.
  15. How do I designate thee? The pointer, let me count the ways. By introduction: Alice, holding both, calls Bob with Carol (foo), so Bob now points to Carol.
  16. How do I designate thee? The pointer, let me count the ways. By endowment (parenthood): Bob already exists, Bob creates Carol, and Bob holds her interface.
  17. How do I designate thee? The pointer, let me count the ways. By endowment: Carol already exists, and Alice creates Bob already endowed with a reference to Carol.
  18. How do I designate thee? The pointer, let me count the ways. Nothing exists yet: Bob comes into existence already pointing to Carol by initial conditions.
  19. Objects as closures. Example in Dr. SES, a variant of JavaScript:

    function makeCounter() {
      var count = 0;                 // private state, reachable only through the closure
      return {
        incr: function () { return ++count; },
        decr: function () { return --count; }
      };
    }
  20. OCaps: a small step from pure objects, 3 restrictions…
    + Memory safety and encapsulation
    + Effects only by using held references
    + No powerful references by default
    Reference graph === Access graph. Only connectivity begets connectivity. OO expressiveness for security patterns (normally thought complex).
  21. Secure Ecmascript
    ➢ When Alice asks bob.foo(carol), Alice grants Bob access to Carol, as needed for foo.
    ➢ Memory-safe encapsulated objects: protect objects from their outside world.
    ➢ OCaps: causality only by references, no powerful references by default: protect the world from objects.
    ➢ Reference graph === Access graph: deny authority by withholding connectivity.
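The rules on this slide and the designation-by-introduction slides above, as an added JavaScript example that is not part of the original deck (Carol, Bob, readOnly and makeRevocable are constructed here for illustration; Alice's role is played by the scenario function):

```javascript
// Added example, not from the deck: Carol is a resource, Bob starts with no
// reference to her, and Alice decides how much authority bob.foo(...) conveys.
function makeCarol() {
  var log = [];
  return Object.freeze({
    read:  function () { return log.slice(); },
    write: function (msg) { log.push(msg); return log.length; }
  });
}

// Attenuation: a read-only facet, the "car key" rather than the "passport".
function readOnly(carol) {
  return Object.freeze({ read: function () { return carol.read(); } });
}

// Revocation: a forwarder whose target Alice can null out after the grant.
function makeRevocable(target) {
  var t = target;
  function live() { if (!t) { throw new Error('revoked'); } return t; }
  return {
    proxy: Object.freeze({ read:  function () { return live().read(); },
                           write: function (m) { return live().write(m); } }),
    revoke: function () { t = null; }
  };
}

// Bob: no powerful references by default; he can only use what foo() gave him.
function makeBob() {
  var held = null;
  return Object.freeze({
    foo: function (ref) { held = ref; },
    tryWrite: function (msg) {
      if (!held || typeof held.write !== 'function') { return 'no write authority'; }
      try { return held.write(msg); } catch (e) { return e.message; }
    }
  });
}

// Alice holds Carol and introduces Bob to her in three different ways.
function scenario() {
  var carol = makeCarol(), bob = makeBob(), out = [];
  out.push(bob.tryWrite('a'));        // never introduced -> 'no write authority'
  bob.foo(readOnly(carol));           // introduced, but only to the read facet
  out.push(bob.tryWrite('b'));        // -> 'no write authority'
  var grant = makeRevocable(carol);
  bob.foo(grant.proxy);               // full facet through a revocable forwarder
  out.push(bob.tryWrite('c'));        // -> 1 (Carol's log has one entry)
  grant.revoke();
  out.push(bob.tryWrite('d'));        // -> 'revoked'
  out.push(carol.read().length);      // -> 1, Carol herself is unaffected
  return out;
}
```

Bob's authority over Carol is exactly the set of references he was handed: nothing before introduction, read-only through the facet, full through the forwarder, and nothing again once Alice revokes.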
  26. Surface Area

  28. ECMAScript 5 Strict Mode. Use strict: objects that can defend their integrity. Properly defensive: 7 steps of initialization in strict JS === Dr. SES. In ES5-strict code, failed assignments throw (non-ported functions throw).
  29. strict mode: ECMAScript 2015, ES6 https://devfestseattle.org/ https://github.com/GDGSeattle/hoverboard

  31. Multi-party computation. Distributed systems: doing business with strangers! Doing business with friends...
    * Necessary Paranoia
    * Who has access?
  36. Dr. SES - Distributed Resilient Secure EcmaScript. Talk presented at the July 2017 TC39 (EcmaScript committee) meeting. https://www.youtube.com/watch?v=YQFPAyCgOlI Timeline: ES2015 (ES6), ES2017 lands... OCap.
  37. Frozen Realms API. Maximum modularity / least coupling (as close as practical; remove destructive behavior). TC39: https://github.com/tc39/proposal-frozen-realms A shim implementation of the Realm API can be found here, and you can play around with the shim here: https://rawgit.com/agorics/proposal-realms/master/shim/examples/simple.html
  38. Mark Miller... "To clarify, JS strict mode is one of several elements added in ES5 (along with Object.freeze, Object.getOwnPropertyNames, ...) that make SES possible as a library. JS strict mode by itself does not turn JS into an ocap system. You still need a library such as SES or the upcoming Frozen Realm shim." http://clive.tries.fed.wiki/view/ecmascript-spec-proposal-for-realms-api
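The strict-mode slide ("failed assignments throw"), the makeCounter closure and Miller's point that strict mode plus Object.freeze are what make defensive objects possible, put together in one added example that is not code from the deck (makeDefensiveCounter, tamperAttempts and probe are names chosen here):

```javascript
// Added example, not from the deck: a counter that defends its own integrity
// with the two ES5 ingredients named on the slides, strict mode and Object.freeze.
function makeDefensiveCounter() {
  var count = 0;                           // state lives only in the closure
  return Object.freeze({                   // clients get a frozen interface
    incr:  function () { return ++count; },
    decr:  function () { return --count; },
    value: function () { return count; }
  });
}

// Writes a hostile or buggy client might attempt against the frozen object.
// The directive is placed in this function so the attempts run in strict mode
// whatever the surrounding file's mode is: in sloppy mode the first three fail
// silently and the caller never learns its write was ignored; in strict mode
// each one throws a TypeError ("failed assignments throw").
function tamperAttempts(counter) {
  'use strict';
  return [
    ['overwrite method', function () { counter.incr = function () { return -1; }; }],
    ['add property',     function () { counter.reset = function () {}; }],
    ['delete method',    function () { delete counter.decr; }],
    ['redefine',         function () { Object.defineProperty(counter, 'incr', { value: 0 }); }]
  ];
}

// Runs every attempt, records which ones were rejected with a TypeError, and
// checks that the counter still works exactly as before afterwards.
function probe(counter) {
  var rejected = [];
  tamperAttempts(counter).forEach(function (attempt) {
    try {
      attempt[1]();
    } catch (e) {
      if (e instanceof TypeError) { rejected.push(attempt[0]); }
    }
  });
  var before = counter.value();
  var intact = counter.incr() === before + 1 && counter.decr() === before &&
               typeof counter.decr === 'function' && Object.isFrozen(counter);
  return { rejected: rejected, intact: intact };
}
```

Without the freeze the same four writes succeed in any mode, and without strict mode three of them fail silently, which is why the slide pairs the two.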
  39. Doing business with strangers. It is hard to hold strangers accountable; capabilities-based design helps crypto-commerce. http://ward.bay.wiki.org/view/agreeing-with-strangers
  40. On scaling throughput during an ICO. Blockchain meets Object-capability event at Berkeley, CA via @ecsa_team pic @iC
  41. Federated Wiki... "Ward, does wiki deliberately avoid global locks by design?" "Clive, yes, wiki enables collective behavior without any synchronization at the application level." Fed wiki implemented Caja, another of Miller's OCap languages. https://en.wikipedia.org/wiki/Caja_project
  42. The Linux Control Groups API - very capability-like. The latest version of the Linux kernel has moved to a security model that is similar to an object-capabilities model. It's known as Control Groups and contains two components: control groups and namespaces. In a typical deployment, only a small number of processes have the control group API enabled. Processes that need to manage cgroups for other processes and partition resources for a physical system need to be run with CAP_SYS_ADMIN, typically by running them as root. https://lwn.net/Articles/679786/
  44. Summary
    • Web developers can implement JavaScript strict mode now to improve current apps (more object-capabilities are slated for EcmaScript: Frozen Realms).
    • Capabilities can enforce procedures within the company. For example, say, "user A can only access document X with approval from users B and C".
    • In respect to trust, it allows companies to ensure that procedures are being executed in compliance with regulation.
    • Smart contracts can automate procedures.
    • Work on scaling blockchain technologies is perhaps a proxy for securing crypto-commerce, by addressing process, trust and access.
  45. More: Mark Miller's thesis and researched links http://clive.tries.fed.wiki/view/presenting-robust-composition Clive Boulton is fostering crypto-commerce… https://www.linkedin.com/in/cliveboulton/ Tweet me at twitter.com/iC