Tragedy or Hope in the Commons: The Race for JavaScript Prototype Override
Session | Track B | English
JavaScript is a language of freedom. A defining feature of this freedom is the ability to override built-in prototypes. JavaScript, especially in the browser, is also a commons: a shared space where your application code, its dependencies, and even parts of browser extensions all co-exist within the same context. And, yes, malicious attackers live there too. In this commons, these stakeholders are in a constant struggle over who gets to override prototypes.
This session explores the forefront of this high-stakes game from three perspectives: the ecosystem, the attack/defense techniques, and the web standards. Can we ever achieve a state of harmony in this commons? The answer isn't clear yet. But that's why we should discuss it at JSConf :)
Outline
- Ecosystem: Competing Motivations for Overriding Prototypes
- A Contested Ground: Techniques for Attack and Defense
  - Techniques for overwriting prototypes
  - Methods of defending against it
  - How to bypass those defenses
  - More stealthy modification tactics
- No Silver Bullet: A Look at Specifications Tackling This Issue
  - Object.freeze is too strong
  - ShadowRealm is not enough
  - SES is ongoing
- Case Study 1: Information Theft From An Extension via Prototype Pollution
- Case Study 2: How MetaMask Uses Endo
- The Future: How should we go along with this freedom?
  - Can We or Should We Get Access to Native Prototypes?: Lessons from the debate on the "use initial" directive
  - What about outside of JS?: Proposals for CSP, debugging features, etc.
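The outline's "defending against it" and "Object.freeze is too strong" points can be shown in a few lines. The following is an added example, not code from the talk or its speaker: a defender snapshots the intrinsic methods a page relies on before any dependency or extension content script runs, re-checks them later to detect an override, and then applies the blunt `Object.freeze` defense to see its cost. The guarded list, the `demoPolyfill` name and the pass-through wrapper are constructed for the demo.

```javascript
// Added example (not from the talk): snapshot-and-verify for intrinsic
// prototypes, plus a demonstration of why freezing them outright is "too strong".

// Intrinsics a page might care about. Constructed list for the example.
const GUARDED = [
  [Array.prototype, 'map', 'Array.prototype.map'],
  [Array.prototype, 'push', 'Array.prototype.push'],
  [Object.prototype, 'hasOwnProperty', 'Object.prototype.hasOwnProperty'],
  [JSON, 'stringify', 'JSON.stringify'],
];

// Capture the original function references before any dependency or
// extension content script has had a chance to run.
function snapshotIntrinsics(targets = GUARDED) {
  return targets.map(([obj, key, label]) => ({
    obj, key, label,
    original: Object.getOwnPropertyDescriptor(obj, key),
  }));
}

// Report every guarded property whose current value no longer matches the
// snapshot (replaced function) or that has been deleted. Attributes such as
// writable/configurable are deliberately not compared, because a defender's
// own Object.freeze would change them.
function detectOverrides(snapshot) {
  const tampered = [];
  for (const { obj, key, label, original } of snapshot) {
    const now = Object.getOwnPropertyDescriptor(obj, key);
    if (!now || !original || now.value !== original.value) tampered.push(label);
  }
  return tampered;
}

// Add a method the way a polyfill would. Reflect.defineProperty returns false
// instead of throwing, so the outcome is the same in strict and sloppy mode.
function tryPolyfill(obj, key, fn) {
  return Reflect.defineProperty(obj, key, {
    value: fn, writable: true, configurable: true, enumerable: false,
  });
}

// The blunt defense: freeze the intrinsic. Nobody can override it afterwards,
// but nobody can legitimately extend it either.
function lockdown(obj) {
  Object.freeze(obj);
  return Object.isFrozen(obj);
}

// Walk through the scenario once and return the observations as data.
// Not idempotent: after the freeze step a second run would behave differently.
function runScenario() {
  const snapshot = snapshotIntrinsics();
  const result = {};

  result.cleanAtStartup = detectOverrides(snapshot);

  // A later script wraps Array.prototype.map (a harmless pass-through wrapper,
  // constructed for the demo). The original is kept so the change can be undone.
  const originalMap = Array.prototype.map;
  Array.prototype.map = function (...args) { return originalMap.apply(this, args); };
  result.afterWrap = detectOverrides(snapshot);
  Array.prototype.map = originalMap;
  result.afterRestore = detectOverrides(snapshot);

  // Before lockdown a polyfill can still install itself...
  const poly = function () { return this.length; };
  result.polyfillBeforeFreeze = tryPolyfill(Array.prototype, 'demoPolyfill', poly);
  delete Array.prototype.demoPolyfill;

  // ...after lockdown, neither an override nor a legitimate polyfill succeeds.
  result.frozen = lockdown(Array.prototype);
  result.polyfillAfterFreeze = tryPolyfill(Array.prototype, 'demoPolyfill', poly);
  result.overrideAfterFreeze = Reflect.set(Array.prototype, 'map', function () {});
  result.stillClean = detectOverrides(snapshot);
  return result;
}
```

Call `runScenario()` once to get the observations: the wrapper is flagged as `Array.prototype.map` and disappears after the restore, the polyfill installs before the freeze and is rejected after it, and the attempted override after the freeze fails as well. The snapshot must be taken by the first script in the page; anything loaded before it, including an extension's content script, can already have replaced the reference that gets recorded, which is the ordering race the talk's title refers to.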
canalun
Security Researcher at Flatt Security. Also a Firefox developer at Birchill. Browser enthusiast. Bug hunter.