pulls your data out using their APIs
• Third-party apps run in a secure JavaScript sandbox in your browser [1]
[1] No extensions required; apps can also be migrated to the server as background tasks
from exfiltrating your data
• It is a standard JavaScript environment with a Vaportrail API baked in
• Multiple instances of the VRE can run in a single browser tab, each in a dedicated Worker
Vaportrail Runtime Environment
from the VRE
• Neither the DOM nor the browser API is directly exposed to app code
• App code manipulates the DOM through a managed interface provided by a monitor
a separate JavaScript runtime managed by Vaportrail, not the browser
• Apps interact with the DOM via refs to proxy objects, which RPC to the real instances in the main tab
• Could expose a full DOM to apps, but it's complex
Treehouse and friends?
• Running untrusted code in the same context as the isolation mechanism is risky…
• DOM and browser API are a very complex interface to interpose on reliably: ill-defined, many implementations, often just plain weird
Attack vectors include the VTK and the monitor
• E.g.: find a way to execute arbitrary code in the monitor context by:
  ✦ tricking the VTK, or
  ✦ constructing code that tricks the JavaScript runtime
draw UI and save state
• VTK is injected into the runtime so it appears “native” to apps — just like document in browser JS
• Network is limited to fetching predefined URLs after explicit user approval (e.g. gas prices database)
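The monitor side of this design, as an added illustration rather than Vaportrail's own code: app code in the Worker can only send messages, the monitor maps opaque refs to host objects, refuses any method not on a per-kind allowlist, and permits a fetch only for a URL that was both predefined and explicitly approved by the user. The class, method and message names are hypothetical, and plain objects stand in for DOM nodes so the block runs under Node.

```javascript
// Added example, not Vaportrail's code. Plain objects stand in for DOM elements.
function makeElement(tag) {            // constructed stand-in for a DOM element
  return { kind: "element", tag, text: "", children: [] };
}

// Per-kind allowlist: a method the sandbox names that is not listed here is refused.
const ALLOWED_METHODS = { element: new Set(["setText", "createChild"]) };

class Monitor {
  constructor({ predefinedUrls }) {
    this.refs = new Map();                     // refId -> host object; never sent to the Worker
    this.nextRef = 1;
    this.predefined = new Set(predefinedUrls); // URLs the app declared up front
    this.approved = new Set();                 // the subset the user explicitly approved
  }
  expose(obj) {                                // hand the app an opaque ref, not the object
    const id = `ref-${this.nextRef++}`;
    this.refs.set(id, obj);
    return id;
  }
  approve(url) { this.approved.add(url); }

  // One message from the sandbox: { ref, method, args } or { fetch: url }.
  // Replies are plain data (primitives or fresh refs), so no host object leaks back.
  handle(msg) {
    if (typeof msg.fetch === "string") {
      if (!this.predefined.has(msg.fetch)) return { error: "url not predefined" };
      if (!this.approved.has(msg.fetch)) return { error: "url not approved by user" };
      return { ok: true, url: msg.fetch };     // a real monitor would perform fetch() here
    }
    const target = this.refs.get(msg.ref);
    if (!target) return { error: "unknown ref" };
    if (!ALLOWED_METHODS[target.kind]?.has(msg.method)) return { error: "method not allowed" };
    const args = Array.isArray(msg.args) ? msg.args : [];
    if (!args.every((a) => ["string", "number", "boolean"].includes(typeof a))) {
      return { error: "args must be primitives" };
    }
    if (msg.method === "setText") {
      target.text = String(args[0] ?? "");
      return { ok: true };
    }
    const child = makeElement(String(args[0] ?? "div")); // createChild
    target.children.push(child);
    return { ok: true, ref: this.expose(child) };
  }
}
```

Everything that crosses the Worker boundary is structured-clone data, which is what keeps the DOM and browser API out of the app's reach even if the app code itself is hostile.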
+ code
• Can be published to the Vaportrail app hub
• Can be shared as a single file
• No real need to vet or analyze the apps because they can’t steal your data, just annoy you or not work