>From email on this thread and from private email I've received, I'm a bit
worried that my earlier message was misunderstood. I agree that we're not
going to secure JavaScript well enough to solve the covert channel problem.
I stated so:
On Tue, Aug 31, 2010 at 9:32 PM, Mark S. Miller <erig...@google.com> wrote:
> The example above is of a covert channel, in the sense that b.js *intends*
> to send a signal that c.js can read. When b.js does not intend to signal, we
> have a side channel rather than a covert channel. Preventing a covert
> channel is generally much harder than preventing a side channel, so one
> might argue that the addition of this covert channel doesn't matter much.
>
> But JavaScript currently doesn't have any side channels as juicy as this
> one. If b.js is not intending to signal to c.js, but rather is just
> innocently doing some internal data-dependent algorithmic task, how much can
> c.js ascertain about b.js's internals by seeing which shared immutable
> objects get dropped? Securing JavaScript is already hard enough as it is.
> I'd rather not have to add to it the burden of trying to answer this very
> hard question.
>
Although I illustrated the non-overt channel here as a covert channel in a
possibly failed attempt at clarity, my real point and my real worry is about
its use as a side channel. As a side channel, this ability to sense the
collection of individual objects is much more informative than anything I
know of in current JS. If anyone knows of any side channels that seem as
bad, perhaps I've overlooked them, so please post. If they also seem
unpluggable, then I would agree that my position here becomes pointless and
we'd need to give on resisting side channels as well.
(Fortunately, regarding the WeakMap enumerability question, we seem to have
consensus to stick with non-enumerability on other grounds anyway. But this
side channel question will reappear so we may as well understand the limits
on how well we can resist them.)
--
Cheers,
--MarkM
_______________________________________________
es-discuss mailing list
es-discuss@mozilla.org
https://mail.mozilla.org/listinfo/es-discuss
