Re: [w3ctag/design-reviews] Realms Initialization Control (Issue #985) from Mark S. Miller on 2024-10-16 (public-webapps-github@w3.org from October 2024)

From: Mark S. Miller <notifications@github.com>
Date: Wed, 16 Oct 2024 16:47:13 -0700
To: w3ctag/design-reviews <design-reviews@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <w3ctag/design-reviews/issues/985/2418151209@github.com>

> We think WebAppSec and TC39 have relevant experience in this space, and you should make sure they're both happy with this before moving forward.

For context, I've been on TC39 since 2007 with a strong focus on security. I believe the following comments speak for many participants on TC39, especially those active in TG3, the Technical Group on JavaScript security.

> We talked about this in our breakout today, and we're very concerned about a belief that one can make a Javascript environment secure against hostile Javascript by running first.

At TG3, we tend to avoid the overly broad term "Security", and focus instead on its main components: Integrity, Availability, Confidentiality, as explained at
[A Taxonomy of Security Issues for understanding language-based security and modularity](https://agoric.com/blog/technology/a-taxonomy-of-security-issues).

Starting with EcmaScript 5, we explicitly designed JS so that one can make a Javascript environment secure against hostile Javascript by running first ***regarding integrity attacks***. The ses-shim is an implementation of Hardened JS as code that runs first, mostly to protect integrity. But
[Hardened JS Web Challenge](https://hardenedjs.org/challenge/)
seems to demonstrate that it also protects confidentiality under limiting assumptions. This challenge is on a web page running in a browser accepting hostile JS after it runs first. It is a subject of Agoric's bug bounty program. For purposes of this conversation, an attack on either integrity or confidentiality would win the point of the challenge.

As [A Taxonomy of Security Issues](https://agoric.com/blog/technology/a-taxonomy-of-security-issues) explains, there is no practical defense of availability against hostile code running in the same thread (aka "agent"), and Hardened JS makes no attempt to do so.

Those who believe that a script that runs first cannot defend integrity against hostile JS loaded later should submit guest code that breaks the integrity of the [Hardened JS Web Challenge](https://hardenedjs.org/challenge/) host program.

So, please reopen this bug. Thanks.

--
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/985#issuecomment-2418151209
You are receiving this because you are subscribed to this thread.

Message ID: <w3ctag/design-reviews/issues/985/2418151209@github.com>

Received on Wednesday, 16 October 2024 23:47:17 UTC