-
Notifications
You must be signed in to change notification settings - Fork 220
This issue was moved to a discussion.
You can continue the conversation there. Go to discussion →
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
arguing the security properties of xsnap (XS, SES, JS) #2224
Comments
Hardware support? MPX in Intel SkylakeFrom What is memory safety? - The PL Enthusiast:
Intel MPX - Wikipedia citing "Intel Software Development Emulator". Intel. 2012-06-15:
Intel® Memory Protection Extensions (Intel® MPX) support in the GNU toolchain says it's deprecated, and Wikipedia goes on to say "In practice, there have been too many flaws discovered in the design for it to be useful, and support has been deprecated or removed from most compilers and operating systems." But it still looks interesting, to me. Wikipedia doesn't note the connection to capabilities. I wonder how similar it is to CHERI. |
Executable: 1.5M2.7M for debug
Compiled C: 2,084KB
Dependencies: libc, libpthread onlyThe debug build also has some socket stuff but we no longer use that in production: #2216
strcpyI don't see any guarantee that |
Good! Yes, please move to Agoric.
…On Wed, Jan 20, 2021 at 7:14 AM Dan Connolly ***@***.***> wrote:
@erights <https://github.com/erights> , you asked me how I'd go about
this... the question has been rattling around in my head and it's starting
to take shape... let me know if I should move this under the Agoric org.
during this early brainstorming stage. ...
--
Cheers,
--MarkM
|
for reference, earlier discussions:
|
splint looks somewhat promising... with a few annotations, it might be able to make a pretty good memory-safety argument. The defaults seem incompatible with the current XS idioms, but perhaps that could be addressed easily:
found while looking for CCured via SO clue. SAFECodeSAFECode: Enforcing Alias Analysis for Weakly Typed Languages https://news.ycombinator.com/item?id=17143237 [1705.07354] The Meaning of Memory Safety Checked C looks activeChecked C: Making C Safe by Extension - Microsoft Research https://github.com/Microsoft/checkedc 52d7a7f on Dec 18, 2020 https://github.com/Microsoft/checkedc-clang/releases 2020-07-31 2745f7d |
fuzzingI played around with AFL tonight. This looks like the result of some fuzzing too: SEGV at /xs/sources/xsBigInt.c:1182 · Issue #485 · Moddable-OpenSource/moddable looking at other work by the reporter... and from there: p.s. cf https://github.com/wasmerio/wasmer/tree/master/fuzz |
getters and setters vs. static analysis
-- Automated Analysis of Security-Critical JavaScript APIs |
Yes. And JS has changed even more since that article was written. |
to prevent escape from vat:
@erights wondered about in-vat mutual-suspicion boundaries:
p.s. browsing... Formalizing the LLVM Intermediate Representation for Verified Program Transformations setjmp / longjumpSupport for setjmp / longjmp · Issue #2625 · rust-lang/rfcs frama-C doesn't support it. |
esmbc -- Efficient model checking with CI techniquesThis looks like a particularly good match for XS: Continuous Verification of Large Embedded Software using SMT-Based Bounded Model Checking The project is active; the maintainers responded to an issue within a day: esbmc/esbmc#355 (comment) Map2Check -- fuzzing and symbolic executionesbmc contributors overlap with https://github.com/hbgit/Map2Check , which combines fuzzing and symbolic execution. tried the release from late 2019; not promising:
nesCheck -- good performance on subset of Cadding "embedded" to our search terms turns up other interesting work... nesCheck is aimed at a constrained subset of C, but the results are interesting:
|
I'm experimenting with coverity scan: https://scan.coverity.com/projects/dckc-moddable?tab=overview hmm... more involve than my first impression suggested. |
https://github.com/trailofbits/manticore , a Symbolic execution tool, can analyze WebAssembly . I wonder if analysis of XS compiled to WASM would be fruitful. |
tangentially related... (i.e. above the xsnap layer... or is it?) @erights writes:
|
Another fuzzing expert is working on XS! Go @rain6851 ! Moddable-OpenSource/moddable#580 cc @erights |
safety, metering via WASM?Crazy idea? Kill two birds with one stone by compiling xsnap to WASM:
|
General information here
|
We considered this option (ty Zaki for the detailed options). WRT metering, that means that the actual metering costs now derive the the entire tool chain of compilation of C to WASM, and the presents as a mysterious mapping to user-specified code. It ensures that nothing escapes the metering, but it would also make it difficult to have select things with custom metering (e.g., if we wanted to charge fixed costs for some class of crypto operations to not penalize multisig). WRT fail-stop memory-safety, we are already in position to have each vat run in a separate process, so WASM adds nothing there. It could conceivably provide stronger safety for multiple-vats within a single process, but for the cost of checking that taller tool chain, we could add other memory safety sanity checks. I would like to see XS or something like it directly in Rust someday :). |
Yes, I thought of that soon after I posted the idea. Any change at the C layer would change metering results. |
This issue was moved to a discussion.
You can continue the conversation there. Go to discussion →
@erights , you asked me how I'd go about this... the question has been rattling around in my head and it's starting to take shape... let me know if I should move this under the Agoric org. during this early brainstorming stage.
cc @warner @dtribble @kriskowal
xsBeginHost
and such correctly?dump of open tabs:
types: pointer-types and scalars." -- Prof. Mathias Payer Spring 2017
The text was updated successfully, but these errors were encountered: