-
Notifications
You must be signed in to change notification settings - Fork 9
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Document CSP Threat Model #1
Comments
Here're my 2c on how CSP relates to ProblemWebAssembly future goals include
These are trivially addressed by extending CSP source lists. Neither
Definitions:eval-operators: APIs like explicit call to implicit call to var [x,y] = ['foo','bar']; // attacker controlled
this[x[][y](str) Some eval operators can be implicitly accessed thus var o = {};
var [x,y] = ["__proto__","constructor"];
o[x][y][x][y](str); // implicit call to Function(str) Security assumptionsA Content-Security-Policy that does not allow unsafe-eval implies some security assumptions:
Our first security premise is not a criticism of developers. In our second security premise we trust a small group of specialists to oversee The case for not attenuatingBelow is a distillation of several people's attempt to come up with an argument for
ResponseIt's true that We still ought not trust developers to vet arguments to We also ought not trust them to vet "Turing universality" is security relevant. "Explicit imports" is also not a concept that we can rely on. [x,y]=["WebAssembly","compile"] // Attacker caused
this[x][y] // Naive code and the global object can be similarly accessed when It's unlikely that any attacker in any given app will find a way to call We should not choose the "do not attenuate" option if we don't trust developers at large to That doesn't mean that WebAssembly JavaScript APIs need to be incompatible with a strict Content-Security-Policy in the long term. Shameless plug: |
Thanks for the clear explanation! This helps me understand the underlying issues a lot better. Would you say it's sufficient to vet either the wasm bytes (such as by verifying they have a certain hash or came from a certain URL?) or the import object? Vetting the wasm bytes seems to put us in a better position than running a vetted JavaScript script because Wasm is further limited by what capabilities are included in the import object. |
Yes. I don't think you need to vet both. Vetting the hash or the URL is more consistent with how CSP works now, and presumably with how But vetting the bytes might make it hard to compose a compilation pipeline using WebAssemblies. I forget who, but someone pointed out that streaming byte sources might make it possible to have a WebAssembly transform a byte stream that feeds |
We realized at the last CG meeting that one way to work around this is by using a hash script source. Basically, the site owner knows what the module should decompress too, so they can send the correct hash and we have to make sure the hash matches the hash of the raw bytes we're given. So this will still allow custom decompression algorithms, although it seems to impose a heavy cost of the developers to make sure to keep their hashes up to date. |
Are we talking CSP or SRI? I know we discussed both at the in-person CG meeting. You mean that you authenticate the post-modified |
(attn @wycats ) |
@jfbastien Sorry if this is a dumb question, but I wasn't at that meeting. By "SRI," are you referring to
IIUC, SRI is designed to address MITM and other compromised endpoint problems which I suppose would allow controlling which binaries load. |
@mikesamuel I believe all of these were included in the discussion, but we didn't get much of a conclusion. My point is mainly that CSP and SRI are complementary, and interact sometimes, so we shouldn't design a new checksum thing for WebAssembly but should rather follow what's already in the Web platform. I think we should only invent if what already exists is clearly insufficient in a manner that's fundamentally required for WebAssembly's success. In particular, IIRC we've talked about not trying particularly hard to make the sync and async APIs powerful, in favor of putting effort towards the streaming API. If the streaming API is what we'd rather have people use then giving it the fancy features is a better way to spend our time. Only usecases which sync / async can meet, but fetch can't, should warrant more work on sync / async. |
For the hash stuff, CSP already allows you to specify a hash or a nonce as
a script-src. As far as I know we should be able to use the same thing for
compiling Wasm bytes out of an ArrayBuffer.
…On Tue, Dec 5, 2017 at 2:37 PM JF Bastien ***@***.***> wrote:
@mikesamuel <https://github.com/mikesamuel> I believe all of these were
included in the discussion, but we didn't get much of a conclusion. My
point is mainly that CSP and SRI are complementary, and interact sometimes,
so we shouldn't design a new checksum thing for WebAssembly but should
rather follow what's already in the Web platform.
I think we should only invent if what already exists is clearly
insufficient in a manner that's fundamentally required for WebAssembly's
success. In particular, IIRC we've talked about not trying particularly
hard to make the sync and async APIs powerful, in favor of putting effort
towards the streaming API. If the streaming API is what we'd rather have
people use then giving it the fancy features is a better way to spend our
time. Only usecases which sync / async can meet, but fetch can't, should
warrant more work on sync / async.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#1 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAGdJrf-ols3oyfnbNMLyFIXInUnZRnZks5s9cWZgaJpZM4QVC1->
.
|
From @mikesamuel's list that's number 2, right? Or is that number 3? And is it desirable to forbid number 1? |
Here's my understanding of first four-item list, just to make sure we're all on the same page:
Assuming that's correct, the hashes and nonces are part of number 3. Number 1 is the current state of the world for Chrome. We allow Chrome uses number 2 for Chrome apps and extensions only, but I think we should make 'wasm-eval' a proper standard. @mikesamuel is arguing that we should not do number 4, and I think he has a fairly compelling argument. As far as whether it's desirable to forbid number 1, I'm going to interpret "forbidding number 1" as "'unsafe-eval' should not enable WebAssembly on its own." I would have a slight preference for not forbidding number 1, that is, "'unsafe-eval' should enable WebAssembly" because this is the current behavior for Chrome (and I think WebKit too). Note that these issues only apply if a CSP is given. When no policy is specified, then WebAssembly is allowed without restriction. |
I'm closing this since WebAssembly/meetings#6 is merged now. |
The proposal should specify what threats we are trying to protect against with CSP and how CSP mitigates these threats.
At the recent CG meeting, we had some confusion about what CSP is used for. The primary use seems to be to give developers control over what code runs as part of their application. However, it seemed like there were also efforts to use CSP to limit opportunities for heap spray attacks by restricting an attacker's ability to generate code. We should clarify in the proposal which threats our in scope.
See WebAssembly/design#1510 for the related action item that came out of the meeting.
Let's use this issue to discuss what we should do.
The text was updated successfully, but these errors were encountered: