Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(ses,pass-style): use non-trapping integrity trait for safety #2675

Draft
wants to merge 2 commits into
base: markm-no-trapping-shim
Choose a base branch
from

Conversation

erights
Copy link
Contributor

@erights erights commented Dec 31, 2024

Staged on #2673

Closes: #XXXX
Refs: #XXXX

Description

Use of the non-trapping integrity level, as provided by the ponyfill and shim at #2673 , for additional safety of both the ses-shim and @endo/pass-style.

  • Extends permits.js to permit the extra properties introduced by feat(non-trapping-shim): shim of the non-trapping integrity trait #2673 . This includes both
    • the trap support ({Object,Reflect}.{isNoTrapping,suppressTrapping})
  • Modify harden to suppressTrapping at each step, rather than merely freeze
  • Modify passStyleOf so that it checks isNoTrapping where it currently checks isFrozen.

Security Considerations

The point. By having passStyleOf ensure that copyData (copyList, copyRecord, tagged) is non-trapping, we enable programming patterns that check this pass-style early on suspect parameters. Once those checks pass, we now know we can operate on such copy-data within the function body without the possibility that these operations cause interleaving with foreign code, and thus without vulnerability to reentrancy hazards or attacks.

Scaling Considerations

In addition to those documented at #2673:

  • Until we get the native harden of XS to do suppressTrapping at each step, we need to remove the shortcut to use the native harden if there is one. This will be expensive. Likely too expensive to use in production.
  • In fact, avoiding the native hardener is so expensive that for this PR to proceed at all, the main changes will need to be switched by a new config option, likely starting with a default of off.
  • fix(ses): dont use native harden #2677 doesn't use the native harden, but its CI shows a bunch of resulting errors to be understood and fixed.

Documentation Considerations

Other than those documented at #2673, none

Testing Considerations

  • Because our checks for acyclic package dependencies does not distinguish between dependencies and devDependencies, if we want to continue to use ses-ava to test @endo/non-trapping-shim, but also have ses depend on @endo/non-trapping-shim for enhancing harden, we will need to move the @endo/non-trapping-shim tests somewhere else. Or find another way to avoid the package-dependency-cycle diagnostic.

  • We should also write tests that fail with the prior freeze-only harden behavior, especially tests that demonstrate reentrancy attacks, and see that those test newly pass with this PR.

Compatibility Considerations

In addition to those documented at #2673:

Proxies on frozen almost-empty targets often still do useful work in their trap handlers. This is because get and has, for example, if about non-own property names, are still general traps. In addition, apply can ignore the call behavior of its target and just do its own thing. For these cases, we need to be careful not to harden the target or proxy. We need to find and convert these cases to explicitly freeze.

Going the other way, some tests would freeze some inputs to passStyleOf, depending on these freeze calls to make the known-input-structure hardened, or hardened enough. But now that passStyleOf requires non-trapping, this should usually be changed to harden.

Upgrade Considerations

Other than those documented at #2673, none

@erights erights self-assigned this Dec 31, 2024
@erights erights force-pushed the markm-use-no-trapping-shim branch from c0354eb to 6bbdc1a Compare December 31, 2024 22:54
@erights erights force-pushed the markm-no-trapping-shim branch from aed8d00 to cb1e1f6 Compare December 31, 2024 23:03
@erights erights force-pushed the markm-use-no-trapping-shim branch from 6bbdc1a to dcf739c Compare December 31, 2024 23:04
@erights erights force-pushed the markm-no-trapping-shim branch from cb1e1f6 to 5c38d8c Compare December 31, 2024 23:11
@erights erights force-pushed the markm-use-no-trapping-shim branch from dcf739c to 128ef21 Compare December 31, 2024 23:11
@erights erights force-pushed the markm-no-trapping-shim branch from 98e6396 to f7d527c Compare January 1, 2025 00:05
@erights erights force-pushed the markm-use-no-trapping-shim branch 2 times, most recently from 7f44397 to dde0022 Compare January 1, 2025 01:26
@erights erights force-pushed the markm-use-no-trapping-shim branch 7 times, most recently from 49d9dfb to 5bc9589 Compare January 1, 2025 03:09
@erights erights marked this pull request as ready for review January 1, 2025 03:31
@erights erights requested a review from michaelfig January 1, 2025 03:57
@erights
Copy link
Contributor Author

erights commented Jan 1, 2025

@michaelfig Adding you as an additional reviewer. Please look at least at the changes to eventual-send and captp. Thanks!

@erights erights force-pushed the markm-use-no-trapping-shim branch from c0d1ae2 to 7c0edb8 Compare January 1, 2025 04:29
Copy link
Member

@michaelfig michaelfig left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Your changes to eventual-send and captp LGTM.

Is it too late to change all occurrences of "no-trapping" to "non-trapping"? That would be more consistent with other terms in the integrity levels, like "non-frozen".

packages/captp/src/captp.js Outdated Show resolved Hide resolved
packages/captp/src/captp.js Outdated Show resolved Hide resolved
packages/eventual-send/src/E.js Outdated Show resolved Hide resolved
@erights erights changed the title feat(ses,pass-style): use no-trapping integrity level for safety feat(ses,pass-style): use non-trapping integrity trait for safety Jan 2, 2025
@erights erights force-pushed the markm-no-trapping-shim branch from f7d527c to 29223ef Compare January 2, 2025 21:41
@erights erights force-pushed the markm-no-trapping-shim branch from 85d55f0 to 0c6aa83 Compare January 2, 2025 23:28
Copy link
Contributor

@mhofman mhofman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So I have 2 concerns after looking at this PR and its adoption in agoric-sdk (Agoric/agoric-sdk#10795):

  • Given the early nature of the non-trapping proposal, I would like SES and endo packages to avoid taking a hard dependency on it. Can we instead feature detect and use non-trapping only if available? Then we can move the shim application to @endo/init?
  • The changes to harden (and to some extend passStyleOf) are presenting a potential upgrade hazard. We generally consider harden to be part of the platform, which means it may get upgraded independently of the code using it. The problem is that we have some code with harden usages that are no longer valid after this change: any code that was hardening proxies or their target. That means we will not be able to use the same user code with updated XS and/or lockdown bundles that include this change. I am really not sure how we work around this one, besides accepting this breaking change / incompatibility, and require that platforms like agoric-sdk use "repaired" lockdown bundles to skip/undo this change if it needs to load incompatible user code.

packages/pass-style/src/passStyleOf.js Outdated Show resolved Hide resolved
@@ -85,7 +85,8 @@
"postpack": "git clean -f '*.d.ts*' '*.tsbuildinfo'"
},
"dependencies": {
"@endo/env-options": "workspace:^"
"@endo/env-options": "workspace:^",
"@endo/non-trapping-shim": "^0.1.0"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
"@endo/non-trapping-shim": "^0.1.0"
"@endo/non-trapping-shim": "workspace:^"

This might also explain the issues you're trying to work around in #2684

Comment on lines +17 to +18
import '@endo/non-trapping-shim/shim.js';

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I kinda wish we could make SES and other endo packages compatible with the shim having been loaded or not, and then, we could move this from ses to @endo/init, at least until we get more clarity on where the proposal is moving.

Comment on lines +132 to +134
// TODO Get the native hardener to suppressTrapping at each step,
// rather than freeze. Until then, we cannot use it, which is *expensive*!
// TODO Comment out the following to skip the native hardener.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah IMO this is another reason to optionally support non-trapping, as it's currently incompatible with a native hardener.

Comment on lines 189 to +190
freezeTypedArray(obj);
if (isFrozen(obj)) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we modify freezeTypedArray to make it return whether the typedArray got fully frozen ?

Comment on lines 241 to 242
// @ts-expect-error TS should know FERAL_STACK_GETTER
// cannot be `undefined` here.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Very confused why this is no longer necessary.

yarn.lock Outdated
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The changes to this files are unexpected and would be reverted if the deps of ses above are fixed.

packages/pass-style/test/passStyleOf.test.js Outdated Show resolved Hide resolved
@erights erights force-pushed the markm-no-trapping-shim branch from 4c095c0 to 191ce45 Compare January 15, 2025 20:03
@erights erights force-pushed the markm-use-no-trapping-shim branch 2 times, most recently from d52d176 to 14a3e2b Compare January 15, 2025 20:14
@erights erights marked this pull request as draft January 15, 2025 20:23
@erights
Copy link
Contributor Author

erights commented Jan 15, 2025

Converting to draft while we wait for draft #2684 to settle down

@erights erights force-pushed the markm-no-trapping-shim branch 2 times, most recently from b0a98e3 to 8e5af93 Compare January 15, 2025 22:25
@erights erights force-pushed the markm-use-no-trapping-shim branch from 14a3e2b to 1578716 Compare January 15, 2025 22:36
@erights erights force-pushed the markm-no-trapping-shim branch from 8e5af93 to 10e5356 Compare January 18, 2025 02:41
@erights erights force-pushed the markm-use-no-trapping-shim branch from 1578716 to c5429af Compare January 18, 2025 02:48
erights added a commit that referenced this pull request Jan 19, 2025
Closes: #XXXX
Refs: Agoric/agoric-sdk#10795

## Description

Prepare for anticipated introduction and use of the non-trapping
integrity trait as explained at
/~https://github.com/endojs/endo/blob/b12eb434b6672f0ceae41be55aac7f24c4562b7b/packages/ses/docs/preparing-for-stabilize.md

These preparations must work now, before these traits are introduced,
and should continue to work after these traits are introduced and used.

### Security Considerations

Some things that had been deeply frozen automatically by `harden` are
now manually frozen by explicit calls to `freeze`. We need to review
these carefully to ensure that nothing has inadvertently be left
unfrozen as a result of the changes in this PR.

Some proxies will become unhardenable, but they will still be hardenable
as of now, so mistaken hardenings will not be detected.

### Scaling Considerations

For this PR by itself, none. Using the shim-based implementation of the
non-trapping trait will have scaling consequences:
#2675

### Documentation Considerations


/~https://github.com/endojs/endo/blob/b12eb434b6672f0ceae41be55aac7f24c4562b7b/packages/ses/docs/preparing-for-stabilize.md
will need to be reflected in developer docs.

### Testing Considerations

Since this PR by itself should be a pure refactor with no observable
changes, there is nothing to test at this stage. The testing burden will
come with #2675 to see how adequate
these preparations were.

### Compatibility Considerations

The point. This changes to coding patterns that should be compat both
with the current status quo and with
#2675

### Upgrade Considerations

As a pure refactor, none.
@erights erights force-pushed the markm-no-trapping-shim branch from 10e5356 to 74fc5e8 Compare January 20, 2025 23:07
@erights erights force-pushed the markm-use-no-trapping-shim branch 2 times, most recently from 78c5b8b to 6d3c6f2 Compare January 20, 2025 23:39
@erights erights force-pushed the markm-no-trapping-shim branch from afe438b to 7ab2643 Compare January 20, 2025 23:44
@erights erights force-pushed the markm-use-no-trapping-shim branch from 6d3c6f2 to bb949c1 Compare January 20, 2025 23:46
@erights erights force-pushed the markm-no-trapping-shim branch from 7ab2643 to 9b20c1b Compare January 21, 2025 00:01
@erights erights force-pushed the markm-use-no-trapping-shim branch from bb949c1 to 103c1bb Compare January 21, 2025 00:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants