-
Notifications
You must be signed in to change notification settings - Fork 74
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(ses,pass-style): use non-trapping integrity trait for safety #2675
base: markm-no-trapping-shim
Are you sure you want to change the base?
Conversation
c0354eb
to
6bbdc1a
Compare
aed8d00
to
cb1e1f6
Compare
6bbdc1a
to
dcf739c
Compare
cb1e1f6
to
5c38d8c
Compare
dcf739c
to
128ef21
Compare
98e6396
to
f7d527c
Compare
7f44397
to
dde0022
Compare
49d9dfb
to
5bc9589
Compare
@michaelfig Adding you as an additional reviewer. Please look at least at the changes to eventual-send and captp. Thanks! |
c0d1ae2
to
7c0edb8
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Your changes to eventual-send and captp LGTM.
Is it too late to change all occurrences of "no-trapping" to "non-trapping"? That would be more consistent with other terms in the integrity levels, like "non-frozen".
f7d527c
to
29223ef
Compare
85d55f0
to
0c6aa83
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So I have 2 concerns after looking at this PR and its adoption in agoric-sdk (Agoric/agoric-sdk#10795):
- Given the early nature of the non-trapping proposal, I would like SES and endo packages to avoid taking a hard dependency on it. Can we instead feature detect and use non-trapping only if available? Then we can move the shim application to
@endo/init
? - The changes to
harden
(and to some extendpassStyleOf
) are presenting a potential upgrade hazard. We generally considerharden
to be part of the platform, which means it may get upgraded independently of the code using it. The problem is that we have some code withharden
usages that are no longer valid after this change: any code that was hardening proxies or their target. That means we will not be able to use the same user code with updated XS and/or lockdown bundles that include this change. I am really not sure how we work around this one, besides accepting this breaking change / incompatibility, and require that platforms like agoric-sdk use "repaired" lockdown bundles to skip/undo this change if it needs to load incompatible user code.
packages/ses/package.json
Outdated
@@ -85,7 +85,8 @@ | |||
"postpack": "git clean -f '*.d.ts*' '*.tsbuildinfo'" | |||
}, | |||
"dependencies": { | |||
"@endo/env-options": "workspace:^" | |||
"@endo/env-options": "workspace:^", | |||
"@endo/non-trapping-shim": "^0.1.0" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"@endo/non-trapping-shim": "^0.1.0" | |
"@endo/non-trapping-shim": "workspace:^" |
This might also explain the issues you're trying to work around in #2684
import '@endo/non-trapping-shim/shim.js'; | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I kinda wish we could make SES and other endo packages compatible with the shim having been loaded or not, and then, we could move this from ses
to @endo/init
, at least until we get more clarity on where the proposal is moving.
// TODO Get the native hardener to suppressTrapping at each step, | ||
// rather than freeze. Until then, we cannot use it, which is *expensive*! | ||
// TODO Comment out the following to skip the native hardener. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah IMO this is another reason to optionally support non-trapping, as it's currently incompatible with a native hardener.
freezeTypedArray(obj); | ||
if (isFrozen(obj)) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we modify freezeTypedArray
to make it return whether the typedArray got fully frozen ?
packages/ses/src/make-hardener.js
Outdated
// @ts-expect-error TS should know FERAL_STACK_GETTER | ||
// cannot be `undefined` here. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Very confused why this is no longer necessary.
yarn.lock
Outdated
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The changes to this files are unexpected and would be reverted if the deps of ses
above are fixed.
4c095c0
to
191ce45
Compare
d52d176
to
14a3e2b
Compare
Converting to draft while we wait for draft #2684 to settle down |
b0a98e3
to
8e5af93
Compare
14a3e2b
to
1578716
Compare
8e5af93
to
10e5356
Compare
1578716
to
c5429af
Compare
Closes: #XXXX Refs: Agoric/agoric-sdk#10795 ## Description Prepare for anticipated introduction and use of the non-trapping integrity trait as explained at https://github.com/endojs/endo/blob/b12eb434b6672f0ceae41be55aac7f24c4562b7b/packages/ses/docs/preparing-for-stabilize.md These preparations must work now, before these traits are introduced, and should continue to work after these traits are introduced and used. ### Security Considerations Some things that had been deeply frozen automatically by `harden` are now manually frozen by explicit calls to `freeze`. We need to review these carefully to ensure that nothing has inadvertently be left unfrozen as a result of the changes in this PR. Some proxies will become unhardenable, but they will still be hardenable as of now, so mistaken hardenings will not be detected. ### Scaling Considerations For this PR by itself, none. Using the shim-based implementation of the non-trapping trait will have scaling consequences: #2675 ### Documentation Considerations https://github.com/endojs/endo/blob/b12eb434b6672f0ceae41be55aac7f24c4562b7b/packages/ses/docs/preparing-for-stabilize.md will need to be reflected in developer docs. ### Testing Considerations Since this PR by itself should be a pure refactor with no observable changes, there is nothing to test at this stage. The testing burden will come with #2675 to see how adequate these preparations were. ### Compatibility Considerations The point. This changes to coding patterns that should be compat both with the current status quo and with #2675 ### Upgrade Considerations As a pure refactor, none.
10e5356
to
74fc5e8
Compare
78c5b8b
to
6d3c6f2
Compare
afe438b
to
7ab2643
Compare
6d3c6f2
to
bb949c1
Compare
7ab2643
to
9b20c1b
Compare
bb949c1
to
103c1bb
Compare
9b20c1b
to
c9b61ee
Compare
103c1bb
to
5b48cc6
Compare
642154e
to
2b82131
Compare
52b6c2d
to
3ceaac9
Compare
* - Before stabilize/hardenOrSuppressTrapping, a valid TagRecord must be frozen. | ||
* - After stabilize/hardenOrSuppressTrapping, a valid TagRecord must also be |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
typo
Staged on #2673
Closes: #XXXX
Refs: #XXXX
Description
Use of the non-trapping integrity level, as provided by the ponyfill and shim at #2673 , for additional safety of both the ses-shim and @endo/pass-style.
Object
,Reflect
}.
{isNoTrapping
,suppressTrapping
})harden
tosuppressTrapping
at each step, rather than merelyfreeze
passStyleOf
so that it checksisNoTrapping
where it currently checksisFrozen
.Security Considerations
The point. By having
passStyleOf
ensure that copyData (copyList
,copyRecord
,tagged
) is non-trapping, we enable programming patterns that check this pass-style early on suspect parameters. Once those checks pass, we now know we can operate on such copy-data within the function body without the possibility that these operations cause interleaving with foreign code, and thus without vulnerability to reentrancy hazards or attacks.Scaling Considerations
In addition to those documented at #2673:
harden
of XS to dosuppressTrapping
at each step, we need to remove the shortcut to use the nativeharden
if there is one. This will be expensive. Likely too expensive to use in production.Documentation Considerations
Other than those documented at #2673, none
Testing Considerations
Because our checks for acyclic package dependencies does not distinguish between
dependencies
anddevDependencies
, if we want to continue to useses-ava
to test@endo/non-trapping-shim
, but also haveses
depend on@endo/non-trapping-shim
for enhancingharden
, we will need to move the@endo/non-trapping-shim
tests somewhere else. Or find another way to avoid the package-dependency-cycle diagnostic.We should also write tests that fail with the prior freeze-only
harden
behavior, especially tests that demonstrate reentrancy attacks, and see that those test newly pass with this PR.Compatibility Considerations
In addition to those documented at #2673:
Proxies on frozen almost-empty targets often still do useful work in their trap handlers. This is because
get
andhas
, for example, if about non-own property names, are still general traps. In addition,apply
can ignore the call behavior of its target and just do its own thing. For these cases, we need to be careful not to harden the target or proxy. We need to find and convert these cases to explicitlyfreeze
.Going the other way, some tests would
freeze
some inputs topassStyleOf
, depending on thesefreeze
calls to make the known-input-structure hardened, or hardened enough. But now thatpassStyleOf
requires non-trapping, this should usually be changed toharden
.Upgrade Considerations
Other than those documented at #2673, none