Why is JavaScript “safe” to run in the browser?
up vote
59
down vote
favorite
JavaScript has certain limitations such as preventing reading and writing to disk and not allowing access to other browser windows or domains. But is that all that's needed to prevent malicious code from running?
JavaScript is pretty powerful, and it seems odd that browsers will unquestioningly run all JavaScript code they are given. How is that safe?
web-browser javascript
|
show 16 more comments
up vote
59
down vote
favorite
JavaScript has certain limitations such as preventing reading and writing to disk and not allowing access to other browser windows or domains. But is that all that's needed to prevent malicious code from running?
JavaScript is pretty powerful, and it seems odd that browsers will unquestioningly run all JavaScript code they are given. How is that safe?
web-browser javascript
33
Can you specify your definition of safe? The design is safe, when you consider modifying files on the disk. The implementation can be unsafe, more often than allowing disk access the problem here is allowing cross-domain access to web-data. Having a bitcoin-miner running in your browser could be considered as the result of a unsafe feature. So the answer depends on the risk you want to avoid when having a "safe" javascript-runtime.
– allo
Nov 30 at 12:17
14
Not an answer /per se/, but: it is not Javascript who runs in the browser, is the browser who runs the Javascript. From an implementation point of view, Javascript code doesn't run autonomously but only inside the infrastructure set by the browser.
– MariusSiuram
Nov 30 at 13:54
2
@JakeGould I understood what you meant; I'm saying none of it is relevant and that running JS server side is hardly its "main power." The OP is almost certainly just describing the fact that it's a full blown programming language rather than mark up, making it practical to implement very complex logic in it.
– jpmc26
2 days ago
2
@MooingDuck Yes. And JavaScript the language has nothing to do with sandboxing. They could have taken python and it would have worked the same. Nothing about JavaScript really makes it safer than other languages. Sure, given that it's 20 years that it has been used in that way has driven implementation choices in that direction more so than for other languages, but in a parallel world they are running Haskell in browser with the safe safety concerns as us.
– Bakuriu
yesterday
2
@MooingDuck How exactly is JavaScript designed to be in a sandbox any more than any other language? I mean, you can run Perl and Awk in a sandbox mode...
– forest
23 hours ago
|
show 16 more comments
up vote
59
down vote
favorite
up vote
59
down vote
favorite
JavaScript has certain limitations such as preventing reading and writing to disk and not allowing access to other browser windows or domains. But is that all that's needed to prevent malicious code from running?
JavaScript is pretty powerful, and it seems odd that browsers will unquestioningly run all JavaScript code they are given. How is that safe?
web-browser javascript
JavaScript has certain limitations such as preventing reading and writing to disk and not allowing access to other browser windows or domains. But is that all that's needed to prevent malicious code from running?
JavaScript is pretty powerful, and it seems odd that browsers will unquestioningly run all JavaScript code they are given. How is that safe?
web-browser javascript
web-browser javascript
edited 2 days ago
Peter Mortensen
68049
68049
asked Nov 30 at 5:28
PBeezy
8252510
8252510
33
Can you specify your definition of safe? The design is safe, when you consider modifying files on the disk. The implementation can be unsafe, more often than allowing disk access the problem here is allowing cross-domain access to web-data. Having a bitcoin-miner running in your browser could be considered as the result of a unsafe feature. So the answer depends on the risk you want to avoid when having a "safe" javascript-runtime.
– allo
Nov 30 at 12:17
14
Not an answer /per se/, but: it is not Javascript who runs in the browser, is the browser who runs the Javascript. From an implementation point of view, Javascript code doesn't run autonomously but only inside the infrastructure set by the browser.
– MariusSiuram
Nov 30 at 13:54
2
@JakeGould I understood what you meant; I'm saying none of it is relevant and that running JS server side is hardly its "main power." The OP is almost certainly just describing the fact that it's a full blown programming language rather than mark up, making it practical to implement very complex logic in it.
– jpmc26
2 days ago
2
@MooingDuck Yes. And JavaScript the language has nothing to do with sandboxing. They could have taken python and it would have worked the same. Nothing about JavaScript really makes it safer than other languages. Sure, given that it's 20 years that it has been used in that way has driven implementation choices in that direction more so than for other languages, but in a parallel world they are running Haskell in browser with the safe safety concerns as us.
– Bakuriu
yesterday
2
@MooingDuck How exactly is JavaScript designed to be in a sandbox any more than any other language? I mean, you can run Perl and Awk in a sandbox mode...
– forest
23 hours ago
|
show 16 more comments
33
Can you specify your definition of safe? The design is safe, when you consider modifying files on the disk. The implementation can be unsafe, more often than allowing disk access the problem here is allowing cross-domain access to web-data. Having a bitcoin-miner running in your browser could be considered as the result of a unsafe feature. So the answer depends on the risk you want to avoid when having a "safe" javascript-runtime.
– allo
Nov 30 at 12:17
14
Not an answer /per se/, but: it is not Javascript who runs in the browser, is the browser who runs the Javascript. From an implementation point of view, Javascript code doesn't run autonomously but only inside the infrastructure set by the browser.
– MariusSiuram
Nov 30 at 13:54
2
@JakeGould I understood what you meant; I'm saying none of it is relevant and that running JS server side is hardly its "main power." The OP is almost certainly just describing the fact that it's a full blown programming language rather than mark up, making it practical to implement very complex logic in it.
– jpmc26
2 days ago
2
@MooingDuck Yes. And JavaScript the language has nothing to do with sandboxing. They could have taken python and it would have worked the same. Nothing about JavaScript really makes it safer than other languages. Sure, given that it's 20 years that it has been used in that way has driven implementation choices in that direction more so than for other languages, but in a parallel world they are running Haskell in browser with the safe safety concerns as us.
– Bakuriu
yesterday
2
@MooingDuck How exactly is JavaScript designed to be in a sandbox any more than any other language? I mean, you can run Perl and Awk in a sandbox mode...
– forest
23 hours ago
33
33
Can you specify your definition of safe? The design is safe, when you consider modifying files on the disk. The implementation can be unsafe, more often than allowing disk access the problem here is allowing cross-domain access to web-data. Having a bitcoin-miner running in your browser could be considered as the result of a unsafe feature. So the answer depends on the risk you want to avoid when having a "safe" javascript-runtime.
– allo
Nov 30 at 12:17
Can you specify your definition of safe? The design is safe, when you consider modifying files on the disk. The implementation can be unsafe, more often than allowing disk access the problem here is allowing cross-domain access to web-data. Having a bitcoin-miner running in your browser could be considered as the result of a unsafe feature. So the answer depends on the risk you want to avoid when having a "safe" javascript-runtime.
– allo
Nov 30 at 12:17
14
14
Not an answer /per se/, but: it is not Javascript who runs in the browser, is the browser who runs the Javascript. From an implementation point of view, Javascript code doesn't run autonomously but only inside the infrastructure set by the browser.
– MariusSiuram
Nov 30 at 13:54
Not an answer /per se/, but: it is not Javascript who runs in the browser, is the browser who runs the Javascript. From an implementation point of view, Javascript code doesn't run autonomously but only inside the infrastructure set by the browser.
– MariusSiuram
Nov 30 at 13:54
2
2
@JakeGould I understood what you meant; I'm saying none of it is relevant and that running JS server side is hardly its "main power." The OP is almost certainly just describing the fact that it's a full blown programming language rather than mark up, making it practical to implement very complex logic in it.
– jpmc26
2 days ago
@JakeGould I understood what you meant; I'm saying none of it is relevant and that running JS server side is hardly its "main power." The OP is almost certainly just describing the fact that it's a full blown programming language rather than mark up, making it practical to implement very complex logic in it.
– jpmc26
2 days ago
2
2
@MooingDuck Yes. And JavaScript the language has nothing to do with sandboxing. They could have taken python and it would have worked the same. Nothing about JavaScript really makes it safer than other languages. Sure, given that it's 20 years that it has been used in that way has driven implementation choices in that direction more so than for other languages, but in a parallel world they are running Haskell in browser with the safe safety concerns as us.
– Bakuriu
yesterday
@MooingDuck Yes. And JavaScript the language has nothing to do with sandboxing. They could have taken python and it would have worked the same. Nothing about JavaScript really makes it safer than other languages. Sure, given that it's 20 years that it has been used in that way has driven implementation choices in that direction more so than for other languages, but in a parallel world they are running Haskell in browser with the safe safety concerns as us.
– Bakuriu
yesterday
2
2
@MooingDuck How exactly is JavaScript designed to be in a sandbox any more than any other language? I mean, you can run Perl and Awk in a sandbox mode...
– forest
23 hours ago
@MooingDuck How exactly is JavaScript designed to be in a sandbox any more than any other language? I mean, you can run Perl and Awk in a sandbox mode...
– forest
23 hours ago
|
show 16 more comments
10 Answers
10
active
oldest
votes
up vote
79
down vote
The browser isolates JavaScript, as it executes within a browser process itself. It cannot do anything which is not permitted by the browser JavaScript interpreter or JIT compiler. However, owing to its complexity, it's not at all uncommon for vulnerabilities to be found that allow JavaScript to compromise the browser and gain arbitrary code execution with the privileges of the browser process.
Because these types of security bugs are so common, many browsers will implement a sandbox. This is a protection mechanism that attempts to isolate a compromised browser process and prevent it from causing further harm. The way the sandbox works depends on the browser. Firefox has very limited sandboxing, whereas Chrome and Edge have significant sandboxing. However, despite this defense in depth, browser vulnerabilities can often be combined with sandbox escape vulnerabilities.
42
And the browser can be put in a sandbox itself (Microsoft does this for IE and presumably Edge). Then you could of course also put the OS with the browser in a VM, only to be RowHammered or Spectred into submission :)
– Maarten Bodewes
Nov 30 at 6:50
1
@MaartenBodewes Sure, so a vulnerability has to use a sandbox bypass. That's a good point actually, I'll edit my answer to point it out.
– forest
Nov 30 at 6:54
14
Thats exactly the point: Javascript itself is not "unsafe" (in terms of harming the pc - for webapplications, Javascript can be a big challange). Problem is, the increase in complexity, functionality and pure size of browsers is huge - within a few years browsers grew from simple html-display-tools to OS-like software. So its very likely that there are and always will be vulnerabilities in the browser which can be exploited through Javascript. Another point: plugins. Written by "someone" but excuted by the browser, so you have additional surface for vulnerabilities.
– Alex
Nov 30 at 7:06
1
@forest There is a difference between the sandbox provided by the OS and the sandbox provided by the browser. The first one may be utilized by the browser. But if an OS sandbox e.g. offers access to any file on an FAT32 partition, that doesn't mean that the browser will allow JS to read it. E.g. firefox will still run JS in a restricted environment, but it may not use the OS to provide (additional) protection.
– Maarten Bodewes
Nov 30 at 7:15
1
@FabioTurati That answer is incorrect. The sandboxing in Firefox they speak of is designed to prevent individual crashing tabs from crashing the whole browser, not isolating compromise. For example, Chrome/Chromium sandbox the GPU, whereas Firefox does not (last I checked). Firefox (on *nix) uses jemalloc with 4 MiB heaps which makes heap spraying attacks to disable ASLR easier, whereas Chromium does not. Firefox's PresArena is also inferior to Chromium's PartitionAlloc. Firefox has testing done on it, whereas Chromium is working on CFI and has hundreds of cores fuzzing it 24/7.
– forest
Dec 1 at 2:19
|
show 7 more comments
up vote
41
down vote
How is it safe?
It is not. Or more exactly it is as safe as the browser implementation is. Browsers (including their JavaScript engine) are complex pieces of software, with regular addition of new features - because users want them.
That means that, even if well-known ones certainly have quality procedure to test their code against known vulnerabilities, the risk of an undetected flaw in implementing a feature always exists.
Currently, the accepted way is that as soon as a breach is detected, a new version containing a fix is released. But between the discovery of the breach and the installation of the fix, the browser is vulnerable.That is the reason why it is recommended to keep one's browser up to date, in order to only be exposed to zero-day vulnerabilities.
3
Well… "nothing is 100% safe". As such, you can answer "It is not." to everything. I think the OP really wants an answer considering practical/realistic aspects. You do e.g. not even mention sandboxes and other features browser's had built-in for a long time.
– rugk
yesterday
1
@rugk: sandboxing is just to tool to try to protect the system from malicious code, and it is efficient... until an attacker finds a vulnerability! That is the reason why I prefere to insist on keeping a browser up to date than on the various tools used to secure it.
– Serge Ballesta
yesterday
add a comment |
up vote
11
down vote
It's true that at the JavaScript level the browsers are designed to sandbox the code under execution (primarily by not exposing any dangerous API), but JavaScript is a very complex language to parse and execute.
ECMAScript is the standard behind JavaScript, due to the huge marketing inflation around beginner-friendly programming languages we are experiencing today, the ECMAScript is updating fast and introducing more and more complex functionality to implement for a runtime.
This, in turn, widen the surface of attack and allow bugs to creep in.
A wonderful example is the recent work of Patrick Biernat, Markus Gaasedelen, Amy Burnett for the pwn2own 2018.
http://blog.ret2.io/2018/06/05/pwn2own-2018-exploit-development/
The blog describe the discovery of a 0day that allows arbitrary code execution in WebKit and how that's used to exploit another 0day in the macOS Window Manager to escape the sanbox Safari is running in (that's a macOS sandbox, not a Safari's one) to escalate to "root" and own the system.
Long story short, by simply visiting a link while having JavaScript enabled, a macOS system can be totally compromised without a single glitch visible to the user.
That's how safe JavaScript can be: As safe as a complex piece of software as WebKit's JSCore can be.
That's why users that require high security are advised to disable JavaScript (that's a fairly common requirement in the DarkWeb, for example).
The vulnerability in WebKit discovered by the authors above is a race condition between the newly introduced garbage collector and the array.reverse
function: if the GC starts marking an array while it is being reversed it could lead to a UAF (User After Free) exploit.
The mark is done sequentially on the array, suppose the GC is right at the middle of the array when this is reversed, then second half is never marked and thus elected for collection, resulting in a UAF (the array object itself is not collected, only its element).
How an UAF is used to make more powerful exploit primitives that can lead to arbitrary code execution is more or less a variation of the same techniques: first an interesting object is allocated in the newly freed space (e.g. an array) then a RW primitive is created (e.g. by altering the boundary of the array) and finally arbitrary opcodes are written in memory (e.g in a JITted page).
The details for this particular 0day are in the linked blog.
The interesting part is the way this 0day was found: since WebKit is so big an in depth code review is impossible without an huge amount of effort so and automated jitter was set up.
This must make us reflect on the fact that when we have hundred thousand or millions of lines of code, it's very hard to make each one behave nicely with respect to every other one.
Typo: "Use After Free," not "User After Free."
– David Conrad
11 hours ago
1
Thank you @DavidConrad
– Margaret Bloom
9 hours ago
add a comment |
up vote
8
down vote
As stated in other answers, each browser has its own script engine that is designed to sandbox JavaScript execution and each engine attempts to limit JavaScript functionality that could lead to malicious behavior.
But as a rule JavaScript has never been safe within the browser. Malicious code developers are constantly finding ways to exploit how each engine works as well as its available JavaScript functionality to achieve malicious goals.
In the first few years, JavaScript was rather dangerous within the browser. Now it is a constant race between malicious code developers and the browser/engine developers and eventually the malicious developers always win, even if just for a short time. So JavaScript can hardly be called safe. "Should be safe for now" is a more accurate way to put it.
New contributor
add a comment |
up vote
7
down vote
JavaScript is pretty powerful
It is which is why many users consider it unsafe and block it using browser extensions. JavaScript allows websites to track users in ways not possible without it including identifying users after they have deleted their cookies by fingerprinting the browser. Many of the newer web APIs like WebUSB allow things that are not at all safe but browsers will request user permission when accessing unsafe APIs like USB and camera.
Exactly! That's why I use NoScript for Firefox. Have for years.
– Mike Waters
7 hours ago
add a comment |
up vote
2
down vote
It is safe compared to machine-level executable code, like ActiveX uses.
A machine code program has unmitigated access to any interface the operating system and libraries provide to any program running under that user account, is only REALLY restricted in what it can do by what the hardware and operating system restrict it to - essentially making such a program as powerful as the user running it. There might be tools that try and restrict it by intercepting some of the interfaces provided, but it is hard to stop a program aware of such measures to circumvent them.
The javascript interpreter is part of the browser, and written in a way that it only offers the program it is running the interfaces and powers it wants to offer them.
1
But JavaScript can be compiled and run as machine code. In fact it usually is.
– forest
23 hours ago
1
With a compiler that is controlled by the USER, not the DEVELOPER.
– rackandboneman
21 hours ago
1
True, the JIT compiler does limit the bytecode it can spit out.
– forest
21 hours ago
add a comment |
up vote
1
down vote
This answer will address two points raised at the question and one browser "feature" not raised in the question.
JavaScript has certain limitations such as preventing reading and
writing to disk
such limitation does not technically exist at Chromium/Chrome browsers where requestFileSystem
is defined, which writes directly to disk; that is, the File System
folder of the Chromium/Chrome configuration directory at the users' file system.
See How to Write in file (user directory) using JavaScript?
and not allowing access to other browser windows or domains.
If a window
is opened from an already opened window
, communication between window
s is possible using, including, but not limited to, postMessage
, MessageChannel
, SharedWorker
, or simply query string parameters.
See How can I load a shared web worker with a user-script?
One other point not mentioned at the OP that must be raised here specific to Chromium/Chrome is the fact that the SpeechRecognition
implementation of Web Speech API at those browsers records the users' voice (biometric identifier) and sends that recording to a remote service, without directly advising the user that is what is taking place. It is not immediately clear if the recording(s) are retained (forever) by the undisclosed "web service" or "deleted" at some point.
See Does webkitSpeechRecognition send recorded audio to a remote web service by default?
New contributor
add a comment |
up vote
1
down vote
JavaScript is "relatively safe," but not "absolutely safe." Any code you run on your system has a potential to do harm. There is no perfectly safe system, except for the one that never used. JavaScript is safer than putting an unknown USB device in your computer, and safer than a binary you download from a shady website or get in a suspect email attachment, and much safer than some of the scripts you'll find on websites that tell you to copy-paste them in to your shell.
It has safety features: a sandbox to help isolate the process, a relatively limited API that has security constraints to help avoid running arbitrary computer instructions, and security controls meant to limit exposure of sensitive data like fingerprints or cross-domain data sharing. These are on top of your operating system's controls applied to the browser binary to limit bad behavior, and anti-virus applications that can help stop such attacks.
However, it is not absolutely safe. Bugs in the browser's runtime engine, the browser itself, the anti-virus, or even the processor itself can all compromise JavaScript's security. The system is only as secure as its weakest security. The security of JavaScript is mostly meant to prevent "casual" exploits (such as an 8-year-old learning JavaScript for the first time and accidentally writing an exploit), but doesn't stand a chance against dedicated attackers. JavaScript is complicated enough that there are bound to be bugs, perhaps in weird and unexpected ways.
Those experienced in hacking, pen testing, and security can, and do, browse through source code, debug executables, and do whatever else they can to try and find chinks in the armor. The weak points of the JavaScript implementation. And JavaScript is big enough that such chinks exist to begin with, since it is virtually impossible to even automate all the possible tests that would find these bugs.
Generally speaking, any typical script you might run in to on a typical website is probably "safe", especially those linked to by major search engines. However, once you start going off the beaten path, it is incredibly likely you'll get your system compromised at some point if there's even a single weak point. It only takes one really good exploit, or sometimes two or three in tandem, to completely take over a system.
As it is, only enable JavaScript for sites you trust (I personally use NoScript for this purpose), always keep all your software up to date, and always pay attention to browser warnings like invalid certificates and so on. Even then, you won't be 100% safe, but you'll be taking an active part in your own mitigation strategy.
add a comment |
up vote
1
down vote
There is nothing inherently safe about JavaScript, in many ways it is less safe than other languages:
- eval statement
- dynamic typing
It is the sandbox where the browser executes the JavaScript that provides the safety. See documentation on the Chrome sandbox here, notice there is no reference to JavaScript or ECMA script.
Today, the great majority of code executing in the browser is written in JavaScript. With the rise of WebAssembly, we will likely see the browser platform switch from the primarily single language lock in of today (like a mainframe of the past) to an open platform where any WebAssembly compliant language can be used. This will, in a way, prove that JavaScript isn't particularly safe/special, as at that point many languages will be executing in the browser. All of these languages will use the sandbox provided by the browser to execute.
New contributor
The eval statement doesn't really make things less safe in this case. Eval poses a threat when an attacker is able to pass unfiltered strings to it, thus allowing them to run arbitrary code on the target system. In this case, the attacker is the one who wrote the Javascript and the target system is the browser on which it runs. The attacker is already running arbitrary code on the target system, and the question is how secure the sandbox is.
– Ray
6 hours ago
add a comment |
up vote
-4
down vote
It's safe because it was designed to be safe. Or at least it's safe to the point where a less than formal "JavaScript is pretty powerful" does suggest the it's probably sufficiently safe to reassure you. In practice, no piece of software is perfectly safe, so it's a matter of degree. Javascript is safe enough that most corporations are willing to let employees visit websites using company hardware.
JavaScript is designed to prevent attackers from gaining access to your files or any private information. For example, it has support to prevent a script on one site from looking at data from another site (known as a cross-site attack).
Of course, this is not perfect. There was a recent scare with Spectre and Meltdown, a pair of exploits which relied on a flaw in some processors to break free of the sandbox JavaScript runs in. That had to be patched with some rather ugly software hacks to cover for the flawed processors.
But in general, it is "safe" to execute such scripts because lots of security experts have spent a lot of time making sure that feeling of safety is justified. But it all depends on your threat model. If you had billions of dollars on the line, you might not even want to trust JavaScript's safety!
So the real question is what is your bar for "safe?" Do you consider Windows to be safe? What about Internet Explorer? Adobe Acrobat Reader? OpenJPEG? The Linux kernel? OpenSSL? Safety and usability are always at odds. You have to use something (or maybe you don't. The Amish haven't been hit with a 0-day yet... unless you count a new strain of Influenza) To really understand if you can call something "safe" or not you need a threat model, defining how someone might attack you, and a usability model defining what usability you need to achieve while mitigating the threat model. Without those, we have to read into your words and your history to guess what "safe" means.
3
To downvoters: an explaination for why you think this correct answer should be downvoted would be appreciated.
– Cort Ammon
yesterday
7
I downvoted because you overestimate the security of JavaScript by a large margin, especially when each and every release of a new browser is needed to fix numerous newly discovered vulnerabilities in the JS engine. The fact that a JS exploit can be purchased for around $30k in some countries shows that it's far too optimistic to assume that it's so safe that it takes a billion dollars of assets for it to be worthwhile to break. Your original premise, that JavaScript is "safe" because it was designed to be safe, is incorrect.
– forest
yesterday
3
I downvoted because it begins with the affirmative statement "It's Safe" which is untrue. It's only relatively safe, as you go on to point out.
– Ben
18 hours ago
@Ben Thank you. That explains a lot. I've added text to point out why I called it "safe," which was with respect to the bar it appeared the OP was drawing.
– Cort Ammon
14 hours ago
add a comment |
10 Answers
10
active
oldest
votes
10 Answers
10
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
79
down vote
The browser isolates JavaScript, as it executes within a browser process itself. It cannot do anything which is not permitted by the browser JavaScript interpreter or JIT compiler. However, owing to its complexity, it's not at all uncommon for vulnerabilities to be found that allow JavaScript to compromise the browser and gain arbitrary code execution with the privileges of the browser process.
Because these types of security bugs are so common, many browsers will implement a sandbox. This is a protection mechanism that attempts to isolate a compromised browser process and prevent it from causing further harm. The way the sandbox works depends on the browser. Firefox has very limited sandboxing, whereas Chrome and Edge have significant sandboxing. However, despite this defense in depth, browser vulnerabilities can often be combined with sandbox escape vulnerabilities.
42
And the browser can be put in a sandbox itself (Microsoft does this for IE and presumably Edge). Then you could of course also put the OS with the browser in a VM, only to be RowHammered or Spectred into submission :)
– Maarten Bodewes
Nov 30 at 6:50
1
@MaartenBodewes Sure, so a vulnerability has to use a sandbox bypass. That's a good point actually, I'll edit my answer to point it out.
– forest
Nov 30 at 6:54
14
Thats exactly the point: Javascript itself is not "unsafe" (in terms of harming the pc - for webapplications, Javascript can be a big challange). Problem is, the increase in complexity, functionality and pure size of browsers is huge - within a few years browsers grew from simple html-display-tools to OS-like software. So its very likely that there are and always will be vulnerabilities in the browser which can be exploited through Javascript. Another point: plugins. Written by "someone" but excuted by the browser, so you have additional surface for vulnerabilities.
– Alex
Nov 30 at 7:06
1
@forest There is a difference between the sandbox provided by the OS and the sandbox provided by the browser. The first one may be utilized by the browser. But if an OS sandbox e.g. offers access to any file on an FAT32 partition, that doesn't mean that the browser will allow JS to read it. E.g. firefox will still run JS in a restricted environment, but it may not use the OS to provide (additional) protection.
– Maarten Bodewes
Nov 30 at 7:15
1
@FabioTurati That answer is incorrect. The sandboxing in Firefox they speak of is designed to prevent individual crashing tabs from crashing the whole browser, not isolating compromise. For example, Chrome/Chromium sandbox the GPU, whereas Firefox does not (last I checked). Firefox (on *nix) uses jemalloc with 4 MiB heaps which makes heap spraying attacks to disable ASLR easier, whereas Chromium does not. Firefox's PresArena is also inferior to Chromium's PartitionAlloc. Firefox has testing done on it, whereas Chromium is working on CFI and has hundreds of cores fuzzing it 24/7.
– forest
Dec 1 at 2:19
|
show 7 more comments
up vote
79
down vote
The browser isolates JavaScript, as it executes within a browser process itself. It cannot do anything which is not permitted by the browser JavaScript interpreter or JIT compiler. However, owing to its complexity, it's not at all uncommon for vulnerabilities to be found that allow JavaScript to compromise the browser and gain arbitrary code execution with the privileges of the browser process.
Because these types of security bugs are so common, many browsers will implement a sandbox. This is a protection mechanism that attempts to isolate a compromised browser process and prevent it from causing further harm. The way the sandbox works depends on the browser. Firefox has very limited sandboxing, whereas Chrome and Edge have significant sandboxing. However, despite this defense in depth, browser vulnerabilities can often be combined with sandbox escape vulnerabilities.
42
And the browser can be put in a sandbox itself (Microsoft does this for IE and presumably Edge). Then you could of course also put the OS with the browser in a VM, only to be RowHammered or Spectred into submission :)
– Maarten Bodewes
Nov 30 at 6:50
1
@MaartenBodewes Sure, so a vulnerability has to use a sandbox bypass. That's a good point actually, I'll edit my answer to point it out.
– forest
Nov 30 at 6:54
14
Thats exactly the point: Javascript itself is not "unsafe" (in terms of harming the pc - for webapplications, Javascript can be a big challange). Problem is, the increase in complexity, functionality and pure size of browsers is huge - within a few years browsers grew from simple html-display-tools to OS-like software. So its very likely that there are and always will be vulnerabilities in the browser which can be exploited through Javascript. Another point: plugins. Written by "someone" but excuted by the browser, so you have additional surface for vulnerabilities.
– Alex
Nov 30 at 7:06
1
@forest There is a difference between the sandbox provided by the OS and the sandbox provided by the browser. The first one may be utilized by the browser. But if an OS sandbox e.g. offers access to any file on an FAT32 partition, that doesn't mean that the browser will allow JS to read it. E.g. firefox will still run JS in a restricted environment, but it may not use the OS to provide (additional) protection.
– Maarten Bodewes
Nov 30 at 7:15
1
@FabioTurati That answer is incorrect. The sandboxing in Firefox they speak of is designed to prevent individual crashing tabs from crashing the whole browser, not isolating compromise. For example, Chrome/Chromium sandbox the GPU, whereas Firefox does not (last I checked). Firefox (on *nix) uses jemalloc with 4 MiB heaps which makes heap spraying attacks to disable ASLR easier, whereas Chromium does not. Firefox's PresArena is also inferior to Chromium's PartitionAlloc. Firefox has testing done on it, whereas Chromium is working on CFI and has hundreds of cores fuzzing it 24/7.
– forest
Dec 1 at 2:19
|
show 7 more comments
up vote
79
down vote
up vote
79
down vote
The browser isolates JavaScript, as it executes within a browser process itself. It cannot do anything which is not permitted by the browser JavaScript interpreter or JIT compiler. However, owing to its complexity, it's not at all uncommon for vulnerabilities to be found that allow JavaScript to compromise the browser and gain arbitrary code execution with the privileges of the browser process.
Because these types of security bugs are so common, many browsers will implement a sandbox. This is a protection mechanism that attempts to isolate a compromised browser process and prevent it from causing further harm. The way the sandbox works depends on the browser. Firefox has very limited sandboxing, whereas Chrome and Edge have significant sandboxing. However, despite this defense in depth, browser vulnerabilities can often be combined with sandbox escape vulnerabilities.
The browser isolates JavaScript, as it executes within a browser process itself. It cannot do anything which is not permitted by the browser JavaScript interpreter or JIT compiler. However, owing to its complexity, it's not at all uncommon for vulnerabilities to be found that allow JavaScript to compromise the browser and gain arbitrary code execution with the privileges of the browser process.
Because these types of security bugs are so common, many browsers will implement a sandbox. This is a protection mechanism that attempts to isolate a compromised browser process and prevent it from causing further harm. The way the sandbox works depends on the browser. Firefox has very limited sandboxing, whereas Chrome and Edge have significant sandboxing. However, despite this defense in depth, browser vulnerabilities can often be combined with sandbox escape vulnerabilities.
edited Nov 30 at 6:55
answered Nov 30 at 5:38
forest
28.3k1388103
28.3k1388103
42
And the browser can be put in a sandbox itself (Microsoft does this for IE and presumably Edge). Then you could of course also put the OS with the browser in a VM, only to be RowHammered or Spectred into submission :)
– Maarten Bodewes
Nov 30 at 6:50
1
@MaartenBodewes Sure, so a vulnerability has to use a sandbox bypass. That's a good point actually, I'll edit my answer to point it out.
– forest
Nov 30 at 6:54
14
Thats exactly the point: Javascript itself is not "unsafe" (in terms of harming the pc - for webapplications, Javascript can be a big challange). Problem is, the increase in complexity, functionality and pure size of browsers is huge - within a few years browsers grew from simple html-display-tools to OS-like software. So its very likely that there are and always will be vulnerabilities in the browser which can be exploited through Javascript. Another point: plugins. Written by "someone" but excuted by the browser, so you have additional surface for vulnerabilities.
– Alex
Nov 30 at 7:06
1
@forest There is a difference between the sandbox provided by the OS and the sandbox provided by the browser. The first one may be utilized by the browser. But if an OS sandbox e.g. offers access to any file on an FAT32 partition, that doesn't mean that the browser will allow JS to read it. E.g. firefox will still run JS in a restricted environment, but it may not use the OS to provide (additional) protection.
– Maarten Bodewes
Nov 30 at 7:15
1
@FabioTurati That answer is incorrect. The sandboxing in Firefox they speak of is designed to prevent individual crashing tabs from crashing the whole browser, not isolating compromise. For example, Chrome/Chromium sandbox the GPU, whereas Firefox does not (last I checked). Firefox (on *nix) uses jemalloc with 4 MiB heaps which makes heap spraying attacks to disable ASLR easier, whereas Chromium does not. Firefox's PresArena is also inferior to Chromium's PartitionAlloc. Firefox has testing done on it, whereas Chromium is working on CFI and has hundreds of cores fuzzing it 24/7.
– forest
Dec 1 at 2:19
|
show 7 more comments
42
And the browser can be put in a sandbox itself (Microsoft does this for IE and presumably Edge). Then you could of course also put the OS with the browser in a VM, only to be RowHammered or Spectred into submission :)
– Maarten Bodewes
Nov 30 at 6:50
1
@MaartenBodewes Sure, so a vulnerability has to use a sandbox bypass. That's a good point actually, I'll edit my answer to point it out.
– forest
Nov 30 at 6:54
14
Thats exactly the point: Javascript itself is not "unsafe" (in terms of harming the pc - for webapplications, Javascript can be a big challange). Problem is, the increase in complexity, functionality and pure size of browsers is huge - within a few years browsers grew from simple html-display-tools to OS-like software. So its very likely that there are and always will be vulnerabilities in the browser which can be exploited through Javascript. Another point: plugins. Written by "someone" but excuted by the browser, so you have additional surface for vulnerabilities.
– Alex
Nov 30 at 7:06
1
@forest There is a difference between the sandbox provided by the OS and the sandbox provided by the browser. The first one may be utilized by the browser. But if an OS sandbox e.g. offers access to any file on an FAT32 partition, that doesn't mean that the browser will allow JS to read it. E.g. firefox will still run JS in a restricted environment, but it may not use the OS to provide (additional) protection.
– Maarten Bodewes
Nov 30 at 7:15
1
@FabioTurati That answer is incorrect. The sandboxing in Firefox they speak of is designed to prevent individual crashing tabs from crashing the whole browser, not isolating compromise. For example, Chrome/Chromium sandbox the GPU, whereas Firefox does not (last I checked). Firefox (on *nix) uses jemalloc with 4 MiB heaps which makes heap spraying attacks to disable ASLR easier, whereas Chromium does not. Firefox's PresArena is also inferior to Chromium's PartitionAlloc. Firefox has testing done on it, whereas Chromium is working on CFI and has hundreds of cores fuzzing it 24/7.
– forest
Dec 1 at 2:19
42
42
And the browser can be put in a sandbox itself (Microsoft does this for IE and presumably Edge). Then you could of course also put the OS with the browser in a VM, only to be RowHammered or Spectred into submission :)
– Maarten Bodewes
Nov 30 at 6:50
And the browser can be put in a sandbox itself (Microsoft does this for IE and presumably Edge). Then you could of course also put the OS with the browser in a VM, only to be RowHammered or Spectred into submission :)
– Maarten Bodewes
Nov 30 at 6:50
1
1
@MaartenBodewes Sure, so a vulnerability has to use a sandbox bypass. That's a good point actually, I'll edit my answer to point it out.
– forest
Nov 30 at 6:54
@MaartenBodewes Sure, so a vulnerability has to use a sandbox bypass. That's a good point actually, I'll edit my answer to point it out.
– forest
Nov 30 at 6:54
14
14
Thats exactly the point: Javascript itself is not "unsafe" (in terms of harming the pc - for webapplications, Javascript can be a big challange). Problem is, the increase in complexity, functionality and pure size of browsers is huge - within a few years browsers grew from simple html-display-tools to OS-like software. So its very likely that there are and always will be vulnerabilities in the browser which can be exploited through Javascript. Another point: plugins. Written by "someone" but excuted by the browser, so you have additional surface for vulnerabilities.
– Alex
Nov 30 at 7:06
Thats exactly the point: Javascript itself is not "unsafe" (in terms of harming the pc - for webapplications, Javascript can be a big challange). Problem is, the increase in complexity, functionality and pure size of browsers is huge - within a few years browsers grew from simple html-display-tools to OS-like software. So its very likely that there are and always will be vulnerabilities in the browser which can be exploited through Javascript. Another point: plugins. Written by "someone" but excuted by the browser, so you have additional surface for vulnerabilities.
– Alex
Nov 30 at 7:06
1
1
@forest There is a difference between the sandbox provided by the OS and the sandbox provided by the browser. The first one may be utilized by the browser. But if an OS sandbox e.g. offers access to any file on an FAT32 partition, that doesn't mean that the browser will allow JS to read it. E.g. firefox will still run JS in a restricted environment, but it may not use the OS to provide (additional) protection.
– Maarten Bodewes
Nov 30 at 7:15
@forest There is a difference between the sandbox provided by the OS and the sandbox provided by the browser. The first one may be utilized by the browser. But if an OS sandbox e.g. offers access to any file on an FAT32 partition, that doesn't mean that the browser will allow JS to read it. E.g. firefox will still run JS in a restricted environment, but it may not use the OS to provide (additional) protection.
– Maarten Bodewes
Nov 30 at 7:15
1
1
@FabioTurati That answer is incorrect. The sandboxing in Firefox they speak of is designed to prevent individual crashing tabs from crashing the whole browser, not isolating compromise. For example, Chrome/Chromium sandbox the GPU, whereas Firefox does not (last I checked). Firefox (on *nix) uses jemalloc with 4 MiB heaps which makes heap spraying attacks to disable ASLR easier, whereas Chromium does not. Firefox's PresArena is also inferior to Chromium's PartitionAlloc. Firefox has testing done on it, whereas Chromium is working on CFI and has hundreds of cores fuzzing it 24/7.
– forest
Dec 1 at 2:19
@FabioTurati That answer is incorrect. The sandboxing in Firefox they speak of is designed to prevent individual crashing tabs from crashing the whole browser, not isolating compromise. For example, Chrome/Chromium sandbox the GPU, whereas Firefox does not (last I checked). Firefox (on *nix) uses jemalloc with 4 MiB heaps which makes heap spraying attacks to disable ASLR easier, whereas Chromium does not. Firefox's PresArena is also inferior to Chromium's PartitionAlloc. Firefox has testing done on it, whereas Chromium is working on CFI and has hundreds of cores fuzzing it 24/7.
– forest
Dec 1 at 2:19
|
show 7 more comments
up vote
41
down vote
How is it safe?
It is not. Or more exactly it is as safe as the browser implementation is. Browsers (including their JavaScript engine) are complex pieces of software, with regular addition of new features - because users want them.
That means that, even if well-known ones certainly have quality procedure to test their code against known vulnerabilities, the risk of an undetected flaw in implementing a feature always exists.
Currently, the accepted way is that as soon as a breach is detected, a new version containing a fix is released. But between the discovery of the breach and the installation of the fix, the browser is vulnerable.That is the reason why it is recommended to keep one's browser up to date, in order to only be exposed to zero-day vulnerabilities.
3
Well… "nothing is 100% safe". As such, you can answer "It is not." to everything. I think the OP really wants an answer considering practical/realistic aspects. You do e.g. not even mention sandboxes and other features browser's had built-in for a long time.
– rugk
yesterday
1
@rugk: sandboxing is just to tool to try to protect the system from malicious code, and it is efficient... until an attacker finds a vulnerability! That is the reason why I prefere to insist on keeping a browser up to date than on the various tools used to secure it.
– Serge Ballesta
yesterday
add a comment |
up vote
41
down vote
How is it safe?
It is not. Or more exactly it is as safe as the browser implementation is. Browsers (including their JavaScript engine) are complex pieces of software, with regular addition of new features - because users want them.
That means that, even if well-known ones certainly have quality procedure to test their code against known vulnerabilities, the risk of an undetected flaw in implementing a feature always exists.
Currently, the accepted way is that as soon as a breach is detected, a new version containing a fix is released. But between the discovery of the breach and the installation of the fix, the browser is vulnerable.That is the reason why it is recommended to keep one's browser up to date, in order to only be exposed to zero-day vulnerabilities.
3
Well… "nothing is 100% safe". As such, you can answer "It is not." to everything. I think the OP really wants an answer considering practical/realistic aspects. You do e.g. not even mention sandboxes and other features browser's had built-in for a long time.
– rugk
yesterday
1
@rugk: sandboxing is just to tool to try to protect the system from malicious code, and it is efficient... until an attacker finds a vulnerability! That is the reason why I prefere to insist on keeping a browser up to date than on the various tools used to secure it.
– Serge Ballesta
yesterday
add a comment |
up vote
41
down vote
up vote
41
down vote
How is it safe?
It is not. Or more exactly it is as safe as the browser implementation is. Browsers (including their JavaScript engine) are complex pieces of software, with regular addition of new features - because users want them.
That means that, even if well-known ones certainly have quality procedure to test their code against known vulnerabilities, the risk of an undetected flaw in implementing a feature always exists.
Currently, the accepted way is that as soon as a breach is detected, a new version containing a fix is released. But between the discovery of the breach and the installation of the fix, the browser is vulnerable.That is the reason why it is recommended to keep one's browser up to date, in order to only be exposed to zero-day vulnerabilities.
How is it safe?
It is not. Or more exactly it is as safe as the browser implementation is. Browsers (including their JavaScript engine) are complex pieces of software, with regular addition of new features - because users want them.
That means that, even if well-known ones certainly have quality procedure to test their code against known vulnerabilities, the risk of an undetected flaw in implementing a feature always exists.
Currently, the accepted way is that as soon as a breach is detected, a new version containing a fix is released. But between the discovery of the breach and the installation of the fix, the browser is vulnerable.That is the reason why it is recommended to keep one's browser up to date, in order to only be exposed to zero-day vulnerabilities.
edited 2 days ago
Peter Mortensen
68049
68049
answered Nov 30 at 11:06
Serge Ballesta
15.3k32558
15.3k32558
3
Well… "nothing is 100% safe". As such, you can answer "It is not." to everything. I think the OP really wants an answer considering practical/realistic aspects. You do e.g. not even mention sandboxes and other features browser's had built-in for a long time.
– rugk
yesterday
1
@rugk: sandboxing is just to tool to try to protect the system from malicious code, and it is efficient... until an attacker finds a vulnerability! That is the reason why I prefere to insist on keeping a browser up to date than on the various tools used to secure it.
– Serge Ballesta
yesterday
add a comment |
3
Well… "nothing is 100% safe". As such, you can answer "It is not." to everything. I think the OP really wants an answer considering practical/realistic aspects. You do e.g. not even mention sandboxes and other features browser's had built-in for a long time.
– rugk
yesterday
1
@rugk: sandboxing is just to tool to try to protect the system from malicious code, and it is efficient... until an attacker finds a vulnerability! That is the reason why I prefere to insist on keeping a browser up to date than on the various tools used to secure it.
– Serge Ballesta
yesterday
3
3
Well… "nothing is 100% safe". As such, you can answer "It is not." to everything. I think the OP really wants an answer considering practical/realistic aspects. You do e.g. not even mention sandboxes and other features browser's had built-in for a long time.
– rugk
yesterday
Well… "nothing is 100% safe". As such, you can answer "It is not." to everything. I think the OP really wants an answer considering practical/realistic aspects. You do e.g. not even mention sandboxes and other features browser's had built-in for a long time.
– rugk
yesterday
1
1
@rugk: sandboxing is just to tool to try to protect the system from malicious code, and it is efficient... until an attacker finds a vulnerability! That is the reason why I prefere to insist on keeping a browser up to date than on the various tools used to secure it.
– Serge Ballesta
yesterday
@rugk: sandboxing is just to tool to try to protect the system from malicious code, and it is efficient... until an attacker finds a vulnerability! That is the reason why I prefere to insist on keeping a browser up to date than on the various tools used to secure it.
– Serge Ballesta
yesterday
add a comment |
up vote
11
down vote
It's true that at the JavaScript level the browsers are designed to sandbox the code under execution (primarily by not exposing any dangerous API), but JavaScript is a very complex language to parse and execute.
ECMAScript is the standard behind JavaScript, due to the huge marketing inflation around beginner-friendly programming languages we are experiencing today, the ECMAScript is updating fast and introducing more and more complex functionality to implement for a runtime.
This, in turn, widen the surface of attack and allow bugs to creep in.
A wonderful example is the recent work of Patrick Biernat, Markus Gaasedelen, Amy Burnett for the pwn2own 2018.
http://blog.ret2.io/2018/06/05/pwn2own-2018-exploit-development/
The blog describe the discovery of a 0day that allows arbitrary code execution in WebKit and how that's used to exploit another 0day in the macOS Window Manager to escape the sanbox Safari is running in (that's a macOS sandbox, not a Safari's one) to escalate to "root" and own the system.
Long story short, by simply visiting a link while having JavaScript enabled, a macOS system can be totally compromised without a single glitch visible to the user.
That's how safe JavaScript can be: As safe as a complex piece of software as WebKit's JSCore can be.
That's why users that require high security are advised to disable JavaScript (that's a fairly common requirement in the DarkWeb, for example).
The vulnerability in WebKit discovered by the authors above is a race condition between the newly introduced garbage collector and the array.reverse
function: if the GC starts marking an array while it is being reversed it could lead to a UAF (User After Free) exploit.
The mark is done sequentially on the array, suppose the GC is right at the middle of the array when this is reversed, then second half is never marked and thus elected for collection, resulting in a UAF (the array object itself is not collected, only its element).
How an UAF is used to make more powerful exploit primitives that can lead to arbitrary code execution is more or less a variation of the same techniques: first an interesting object is allocated in the newly freed space (e.g. an array) then a RW primitive is created (e.g. by altering the boundary of the array) and finally arbitrary opcodes are written in memory (e.g in a JITted page).
The details for this particular 0day are in the linked blog.
The interesting part is the way this 0day was found: since WebKit is so big an in depth code review is impossible without an huge amount of effort so and automated jitter was set up.
This must make us reflect on the fact that when we have hundred thousand or millions of lines of code, it's very hard to make each one behave nicely with respect to every other one.
Typo: "Use After Free," not "User After Free."
– David Conrad
11 hours ago
1
Thank you @DavidConrad
– Margaret Bloom
9 hours ago
add a comment |
up vote
11
down vote
It's true that at the JavaScript level the browsers are designed to sandbox the code under execution (primarily by not exposing any dangerous API), but JavaScript is a very complex language to parse and execute.
ECMAScript is the standard behind JavaScript, due to the huge marketing inflation around beginner-friendly programming languages we are experiencing today, the ECMAScript is updating fast and introducing more and more complex functionality to implement for a runtime.
This, in turn, widen the surface of attack and allow bugs to creep in.
A wonderful example is the recent work of Patrick Biernat, Markus Gaasedelen, Amy Burnett for the pwn2own 2018.
http://blog.ret2.io/2018/06/05/pwn2own-2018-exploit-development/
The blog describe the discovery of a 0day that allows arbitrary code execution in WebKit and how that's used to exploit another 0day in the macOS Window Manager to escape the sanbox Safari is running in (that's a macOS sandbox, not a Safari's one) to escalate to "root" and own the system.
Long story short, by simply visiting a link while having JavaScript enabled, a macOS system can be totally compromised without a single glitch visible to the user.
That's how safe JavaScript can be: As safe as a complex piece of software as WebKit's JSCore can be.
That's why users that require high security are advised to disable JavaScript (that's a fairly common requirement in the DarkWeb, for example).
The vulnerability in WebKit discovered by the authors above is a race condition between the newly introduced garbage collector and the array.reverse
function: if the GC starts marking an array while it is being reversed it could lead to a UAF (User After Free) exploit.
The mark is done sequentially on the array, suppose the GC is right at the middle of the array when this is reversed, then second half is never marked and thus elected for collection, resulting in a UAF (the array object itself is not collected, only its element).
How an UAF is used to make more powerful exploit primitives that can lead to arbitrary code execution is more or less a variation of the same techniques: first an interesting object is allocated in the newly freed space (e.g. an array) then a RW primitive is created (e.g. by altering the boundary of the array) and finally arbitrary opcodes are written in memory (e.g in a JITted page).
The details for this particular 0day are in the linked blog.
The interesting part is the way this 0day was found: since WebKit is so big an in depth code review is impossible without an huge amount of effort so and automated jitter was set up.
This must make us reflect on the fact that when we have hundred thousand or millions of lines of code, it's very hard to make each one behave nicely with respect to every other one.
Typo: "Use After Free," not "User After Free."
– David Conrad
11 hours ago
1
Thank you @DavidConrad
– Margaret Bloom
9 hours ago
add a comment |
up vote
11
down vote
up vote
11
down vote
It's true that at the JavaScript level the browsers are designed to sandbox the code under execution (primarily by not exposing any dangerous API), but JavaScript is a very complex language to parse and execute.
ECMAScript is the standard behind JavaScript, due to the huge marketing inflation around beginner-friendly programming languages we are experiencing today, the ECMAScript is updating fast and introducing more and more complex functionality to implement for a runtime.
This, in turn, widen the surface of attack and allow bugs to creep in.
A wonderful example is the recent work of Patrick Biernat, Markus Gaasedelen, Amy Burnett for the pwn2own 2018.
http://blog.ret2.io/2018/06/05/pwn2own-2018-exploit-development/
The blog describe the discovery of a 0day that allows arbitrary code execution in WebKit and how that's used to exploit another 0day in the macOS Window Manager to escape the sanbox Safari is running in (that's a macOS sandbox, not a Safari's one) to escalate to "root" and own the system.
Long story short, by simply visiting a link while having JavaScript enabled, a macOS system can be totally compromised without a single glitch visible to the user.
That's how safe JavaScript can be: As safe as a complex piece of software as WebKit's JSCore can be.
That's why users that require high security are advised to disable JavaScript (that's a fairly common requirement in the DarkWeb, for example).
The vulnerability in WebKit discovered by the authors above is a race condition between the newly introduced garbage collector and the array.reverse
function: if the GC starts marking an array while it is being reversed it could lead to a UAF (User After Free) exploit.
The mark is done sequentially on the array, suppose the GC is right at the middle of the array when this is reversed, then second half is never marked and thus elected for collection, resulting in a UAF (the array object itself is not collected, only its element).
How an UAF is used to make more powerful exploit primitives that can lead to arbitrary code execution is more or less a variation of the same techniques: first an interesting object is allocated in the newly freed space (e.g. an array) then a RW primitive is created (e.g. by altering the boundary of the array) and finally arbitrary opcodes are written in memory (e.g in a JITted page).
The details for this particular 0day are in the linked blog.
The interesting part is the way this 0day was found: since WebKit is so big an in depth code review is impossible without an huge amount of effort so and automated jitter was set up.
This must make us reflect on the fact that when we have hundred thousand or millions of lines of code, it's very hard to make each one behave nicely with respect to every other one.
It's true that at the JavaScript level the browsers are designed to sandbox the code under execution (primarily by not exposing any dangerous API), but JavaScript is a very complex language to parse and execute.
ECMAScript is the standard behind JavaScript, due to the huge marketing inflation around beginner-friendly programming languages we are experiencing today, the ECMAScript is updating fast and introducing more and more complex functionality to implement for a runtime.
This, in turn, widen the surface of attack and allow bugs to creep in.
A wonderful example is the recent work of Patrick Biernat, Markus Gaasedelen, Amy Burnett for the pwn2own 2018.
http://blog.ret2.io/2018/06/05/pwn2own-2018-exploit-development/
The blog describe the discovery of a 0day that allows arbitrary code execution in WebKit and how that's used to exploit another 0day in the macOS Window Manager to escape the sanbox Safari is running in (that's a macOS sandbox, not a Safari's one) to escalate to "root" and own the system.
Long story short, by simply visiting a link while having JavaScript enabled, a macOS system can be totally compromised without a single glitch visible to the user.
That's how safe JavaScript can be: As safe as a complex piece of software as WebKit's JSCore can be.
That's why users that require high security are advised to disable JavaScript (that's a fairly common requirement in the DarkWeb, for example).
The vulnerability in WebKit discovered by the authors above is a race condition between the newly introduced garbage collector and the array.reverse
function: if the GC starts marking an array while it is being reversed it could lead to a UAF (User After Free) exploit.
The mark is done sequentially on the array, suppose the GC is right at the middle of the array when this is reversed, then second half is never marked and thus elected for collection, resulting in a UAF (the array object itself is not collected, only its element).
How an UAF is used to make more powerful exploit primitives that can lead to arbitrary code execution is more or less a variation of the same techniques: first an interesting object is allocated in the newly freed space (e.g. an array) then a RW primitive is created (e.g. by altering the boundary of the array) and finally arbitrary opcodes are written in memory (e.g in a JITted page).
The details for this particular 0day are in the linked blog.
The interesting part is the way this 0day was found: since WebKit is so big an in depth code review is impossible without an huge amount of effort so and automated jitter was set up.
This must make us reflect on the fact that when we have hundred thousand or millions of lines of code, it's very hard to make each one behave nicely with respect to every other one.
edited 17 hours ago
a25bedc5-3d09-41b8-82fb-ea6c353d75ae
1386
1386
answered yesterday
Margaret Bloom
29629
29629
Typo: "Use After Free," not "User After Free."
– David Conrad
11 hours ago
1
Thank you @DavidConrad
– Margaret Bloom
9 hours ago
add a comment |
Typo: "Use After Free," not "User After Free."
– David Conrad
11 hours ago
1
Thank you @DavidConrad
– Margaret Bloom
9 hours ago
Typo: "Use After Free," not "User After Free."
– David Conrad
11 hours ago
Typo: "Use After Free," not "User After Free."
– David Conrad
11 hours ago
1
1
Thank you @DavidConrad
– Margaret Bloom
9 hours ago
Thank you @DavidConrad
– Margaret Bloom
9 hours ago
add a comment |
up vote
8
down vote
As stated in other answers, each browser has its own script engine that is designed to sandbox JavaScript execution and each engine attempts to limit JavaScript functionality that could lead to malicious behavior.
But as a rule JavaScript has never been safe within the browser. Malicious code developers are constantly finding ways to exploit how each engine works as well as its available JavaScript functionality to achieve malicious goals.
In the first few years, JavaScript was rather dangerous within the browser. Now it is a constant race between malicious code developers and the browser/engine developers and eventually the malicious developers always win, even if just for a short time. So JavaScript can hardly be called safe. "Should be safe for now" is a more accurate way to put it.
New contributor
add a comment |
up vote
8
down vote
As stated in other answers, each browser has its own script engine that is designed to sandbox JavaScript execution and each engine attempts to limit JavaScript functionality that could lead to malicious behavior.
But as a rule JavaScript has never been safe within the browser. Malicious code developers are constantly finding ways to exploit how each engine works as well as its available JavaScript functionality to achieve malicious goals.
In the first few years, JavaScript was rather dangerous within the browser. Now it is a constant race between malicious code developers and the browser/engine developers and eventually the malicious developers always win, even if just for a short time. So JavaScript can hardly be called safe. "Should be safe for now" is a more accurate way to put it.
New contributor
add a comment |
up vote
8
down vote
up vote
8
down vote
As stated in other answers, each browser has its own script engine that is designed to sandbox JavaScript execution and each engine attempts to limit JavaScript functionality that could lead to malicious behavior.
But as a rule JavaScript has never been safe within the browser. Malicious code developers are constantly finding ways to exploit how each engine works as well as its available JavaScript functionality to achieve malicious goals.
In the first few years, JavaScript was rather dangerous within the browser. Now it is a constant race between malicious code developers and the browser/engine developers and eventually the malicious developers always win, even if just for a short time. So JavaScript can hardly be called safe. "Should be safe for now" is a more accurate way to put it.
New contributor
As stated in other answers, each browser has its own script engine that is designed to sandbox JavaScript execution and each engine attempts to limit JavaScript functionality that could lead to malicious behavior.
But as a rule JavaScript has never been safe within the browser. Malicious code developers are constantly finding ways to exploit how each engine works as well as its available JavaScript functionality to achieve malicious goals.
In the first few years, JavaScript was rather dangerous within the browser. Now it is a constant race between malicious code developers and the browser/engine developers and eventually the malicious developers always win, even if just for a short time. So JavaScript can hardly be called safe. "Should be safe for now" is a more accurate way to put it.
New contributor
edited 2 days ago
Peter Mortensen
68049
68049
New contributor
answered Nov 30 at 20:58
JSON
1813
1813
New contributor
New contributor
add a comment |
add a comment |
up vote
7
down vote
JavaScript is pretty powerful
It is which is why many users consider it unsafe and block it using browser extensions. JavaScript allows websites to track users in ways not possible without it including identifying users after they have deleted their cookies by fingerprinting the browser. Many of the newer web APIs like WebUSB allow things that are not at all safe but browsers will request user permission when accessing unsafe APIs like USB and camera.
Exactly! That's why I use NoScript for Firefox. Have for years.
– Mike Waters
7 hours ago
add a comment |
up vote
7
down vote
JavaScript is pretty powerful
It is which is why many users consider it unsafe and block it using browser extensions. JavaScript allows websites to track users in ways not possible without it including identifying users after they have deleted their cookies by fingerprinting the browser. Many of the newer web APIs like WebUSB allow things that are not at all safe but browsers will request user permission when accessing unsafe APIs like USB and camera.
Exactly! That's why I use NoScript for Firefox. Have for years.
– Mike Waters
7 hours ago
add a comment |
up vote
7
down vote
up vote
7
down vote
JavaScript is pretty powerful
It is which is why many users consider it unsafe and block it using browser extensions. JavaScript allows websites to track users in ways not possible without it including identifying users after they have deleted their cookies by fingerprinting the browser. Many of the newer web APIs like WebUSB allow things that are not at all safe but browsers will request user permission when accessing unsafe APIs like USB and camera.
JavaScript is pretty powerful
It is which is why many users consider it unsafe and block it using browser extensions. JavaScript allows websites to track users in ways not possible without it including identifying users after they have deleted their cookies by fingerprinting the browser. Many of the newer web APIs like WebUSB allow things that are not at all safe but browsers will request user permission when accessing unsafe APIs like USB and camera.
answered yesterday
Qwertie
22618
22618
Exactly! That's why I use NoScript for Firefox. Have for years.
– Mike Waters
7 hours ago
add a comment |
Exactly! That's why I use NoScript for Firefox. Have for years.
– Mike Waters
7 hours ago
Exactly! That's why I use NoScript for Firefox. Have for years.
– Mike Waters
7 hours ago
Exactly! That's why I use NoScript for Firefox. Have for years.
– Mike Waters
7 hours ago
add a comment |
up vote
2
down vote
It is safe compared to machine-level executable code, like ActiveX uses.
A machine code program has unmitigated access to any interface the operating system and libraries provide to any program running under that user account, is only REALLY restricted in what it can do by what the hardware and operating system restrict it to - essentially making such a program as powerful as the user running it. There might be tools that try and restrict it by intercepting some of the interfaces provided, but it is hard to stop a program aware of such measures to circumvent them.
The javascript interpreter is part of the browser, and written in a way that it only offers the program it is running the interfaces and powers it wants to offer them.
1
But JavaScript can be compiled and run as machine code. In fact it usually is.
– forest
23 hours ago
1
With a compiler that is controlled by the USER, not the DEVELOPER.
– rackandboneman
21 hours ago
1
True, the JIT compiler does limit the bytecode it can spit out.
– forest
21 hours ago
add a comment |
up vote
2
down vote
It is safe compared to machine-level executable code, like ActiveX uses.
A machine code program has unmitigated access to any interface the operating system and libraries provide to any program running under that user account, is only REALLY restricted in what it can do by what the hardware and operating system restrict it to - essentially making such a program as powerful as the user running it. There might be tools that try and restrict it by intercepting some of the interfaces provided, but it is hard to stop a program aware of such measures to circumvent them.
The javascript interpreter is part of the browser, and written in a way that it only offers the program it is running the interfaces and powers it wants to offer them.
1
But JavaScript can be compiled and run as machine code. In fact it usually is.
– forest
23 hours ago
1
With a compiler that is controlled by the USER, not the DEVELOPER.
– rackandboneman
21 hours ago
1
True, the JIT compiler does limit the bytecode it can spit out.
– forest
21 hours ago
add a comment |
up vote
2
down vote
up vote
2
down vote
It is safe compared to machine-level executable code, like ActiveX uses.
A machine code program has unmitigated access to any interface the operating system and libraries provide to any program running under that user account, is only REALLY restricted in what it can do by what the hardware and operating system restrict it to - essentially making such a program as powerful as the user running it. There might be tools that try and restrict it by intercepting some of the interfaces provided, but it is hard to stop a program aware of such measures to circumvent them.
The javascript interpreter is part of the browser, and written in a way that it only offers the program it is running the interfaces and powers it wants to offer them.
It is safe compared to machine-level executable code, like ActiveX uses.
A machine code program has unmitigated access to any interface the operating system and libraries provide to any program running under that user account, is only REALLY restricted in what it can do by what the hardware and operating system restrict it to - essentially making such a program as powerful as the user running it. There might be tools that try and restrict it by intercepting some of the interfaces provided, but it is hard to stop a program aware of such measures to circumvent them.
The javascript interpreter is part of the browser, and written in a way that it only offers the program it is running the interfaces and powers it wants to offer them.
answered 2 days ago
rackandboneman
73137
73137
1
But JavaScript can be compiled and run as machine code. In fact it usually is.
– forest
23 hours ago
1
With a compiler that is controlled by the USER, not the DEVELOPER.
– rackandboneman
21 hours ago
1
True, the JIT compiler does limit the bytecode it can spit out.
– forest
21 hours ago
add a comment |
1
But JavaScript can be compiled and run as machine code. In fact it usually is.
– forest
23 hours ago
1
With a compiler that is controlled by the USER, not the DEVELOPER.
– rackandboneman
21 hours ago
1
True, the JIT compiler does limit the bytecode it can spit out.
– forest
21 hours ago
1
1
But JavaScript can be compiled and run as machine code. In fact it usually is.
– forest
23 hours ago
But JavaScript can be compiled and run as machine code. In fact it usually is.
– forest
23 hours ago
1
1
With a compiler that is controlled by the USER, not the DEVELOPER.
– rackandboneman
21 hours ago
With a compiler that is controlled by the USER, not the DEVELOPER.
– rackandboneman
21 hours ago
1
1
True, the JIT compiler does limit the bytecode it can spit out.
– forest
21 hours ago
True, the JIT compiler does limit the bytecode it can spit out.
– forest
21 hours ago
add a comment |
up vote
1
down vote
This answer will address two points raised at the question and one browser "feature" not raised in the question.
JavaScript has certain limitations such as preventing reading and
writing to disk
such limitation does not technically exist at Chromium/Chrome browsers where requestFileSystem
is defined, which writes directly to disk; that is, the File System
folder of the Chromium/Chrome configuration directory at the users' file system.
See How to Write in file (user directory) using JavaScript?
and not allowing access to other browser windows or domains.
If a window
is opened from an already opened window
, communication between window
s is possible using, including, but not limited to, postMessage
, MessageChannel
, SharedWorker
, or simply query string parameters.
See How can I load a shared web worker with a user-script?
One other point not mentioned at the OP that must be raised here specific to Chromium/Chrome is the fact that the SpeechRecognition
implementation of Web Speech API at those browsers records the users' voice (biometric identifier) and sends that recording to a remote service, without directly advising the user that is what is taking place. It is not immediately clear if the recording(s) are retained (forever) by the undisclosed "web service" or "deleted" at some point.
See Does webkitSpeechRecognition send recorded audio to a remote web service by default?
New contributor
add a comment |
up vote
1
down vote
This answer will address two points raised at the question and one browser "feature" not raised in the question.
JavaScript has certain limitations such as preventing reading and
writing to disk
such limitation does not technically exist at Chromium/Chrome browsers where requestFileSystem
is defined, which writes directly to disk; that is, the File System
folder of the Chromium/Chrome configuration directory at the users' file system.
See How to Write in file (user directory) using JavaScript?
and not allowing access to other browser windows or domains.
If a window
is opened from an already opened window
, communication between window
s is possible using, including, but not limited to, postMessage
, MessageChannel
, SharedWorker
, or simply query string parameters.
See How can I load a shared web worker with a user-script?
One other point not mentioned at the OP that must be raised here specific to Chromium/Chrome is the fact that the SpeechRecognition
implementation of Web Speech API at those browsers records the users' voice (biometric identifier) and sends that recording to a remote service, without directly advising the user that is what is taking place. It is not immediately clear if the recording(s) are retained (forever) by the undisclosed "web service" or "deleted" at some point.
See Does webkitSpeechRecognition send recorded audio to a remote web service by default?
New contributor
add a comment |
up vote
1
down vote
up vote
1
down vote
This answer will address two points raised at the question and one browser "feature" not raised in the question.
JavaScript has certain limitations such as preventing reading and
writing to disk
such limitation does not technically exist at Chromium/Chrome browsers where requestFileSystem
is defined, which writes directly to disk; that is, the File System
folder of the Chromium/Chrome configuration directory at the users' file system.
See How to Write in file (user directory) using JavaScript?
and not allowing access to other browser windows or domains.
If a window
is opened from an already opened window
, communication between window
s is possible using, including, but not limited to, postMessage
, MessageChannel
, SharedWorker
, or simply query string parameters.
See How can I load a shared web worker with a user-script?
One other point not mentioned at the OP that must be raised here specific to Chromium/Chrome is the fact that the SpeechRecognition
implementation of Web Speech API at those browsers records the users' voice (biometric identifier) and sends that recording to a remote service, without directly advising the user that is what is taking place. It is not immediately clear if the recording(s) are retained (forever) by the undisclosed "web service" or "deleted" at some point.
See Does webkitSpeechRecognition send recorded audio to a remote web service by default?
New contributor
This answer will address two points raised at the question and one browser "feature" not raised in the question.
JavaScript has certain limitations such as preventing reading and
writing to disk
such limitation does not technically exist at Chromium/Chrome browsers where requestFileSystem
is defined, which writes directly to disk; that is, the File System
folder of the Chromium/Chrome configuration directory at the users' file system.
See How to Write in file (user directory) using JavaScript?
and not allowing access to other browser windows or domains.
If a window
is opened from an already opened window
, communication between window
s is possible using, including, but not limited to, postMessage
, MessageChannel
, SharedWorker
, or simply query string parameters.
See How can I load a shared web worker with a user-script?
One other point not mentioned at the OP that must be raised here specific to Chromium/Chrome is the fact that the SpeechRecognition
implementation of Web Speech API at those browsers records the users' voice (biometric identifier) and sends that recording to a remote service, without directly advising the user that is what is taking place. It is not immediately clear if the recording(s) are retained (forever) by the undisclosed "web service" or "deleted" at some point.
See Does webkitSpeechRecognition send recorded audio to a remote web service by default?
New contributor
New contributor
answered yesterday
guest271314
1193
1193
New contributor
New contributor
add a comment |
add a comment |
up vote
1
down vote
JavaScript is "relatively safe," but not "absolutely safe." Any code you run on your system has a potential to do harm. There is no perfectly safe system, except for the one that never used. JavaScript is safer than putting an unknown USB device in your computer, and safer than a binary you download from a shady website or get in a suspect email attachment, and much safer than some of the scripts you'll find on websites that tell you to copy-paste them in to your shell.
It has safety features: a sandbox to help isolate the process, a relatively limited API that has security constraints to help avoid running arbitrary computer instructions, and security controls meant to limit exposure of sensitive data like fingerprints or cross-domain data sharing. These are on top of your operating system's controls applied to the browser binary to limit bad behavior, and anti-virus applications that can help stop such attacks.
However, it is not absolutely safe. Bugs in the browser's runtime engine, the browser itself, the anti-virus, or even the processor itself can all compromise JavaScript's security. The system is only as secure as its weakest security. The security of JavaScript is mostly meant to prevent "casual" exploits (such as an 8-year-old learning JavaScript for the first time and accidentally writing an exploit), but doesn't stand a chance against dedicated attackers. JavaScript is complicated enough that there are bound to be bugs, perhaps in weird and unexpected ways.
Those experienced in hacking, pen testing, and security can, and do, browse through source code, debug executables, and do whatever else they can to try and find chinks in the armor. The weak points of the JavaScript implementation. And JavaScript is big enough that such chinks exist to begin with, since it is virtually impossible to even automate all the possible tests that would find these bugs.
Generally speaking, any typical script you might run in to on a typical website is probably "safe", especially those linked to by major search engines. However, once you start going off the beaten path, it is incredibly likely you'll get your system compromised at some point if there's even a single weak point. It only takes one really good exploit, or sometimes two or three in tandem, to completely take over a system.
As it is, only enable JavaScript for sites you trust (I personally use NoScript for this purpose), always keep all your software up to date, and always pay attention to browser warnings like invalid certificates and so on. Even then, you won't be 100% safe, but you'll be taking an active part in your own mitigation strategy.
add a comment |
up vote
1
down vote
JavaScript is "relatively safe," but not "absolutely safe." Any code you run on your system has a potential to do harm. There is no perfectly safe system, except for the one that never used. JavaScript is safer than putting an unknown USB device in your computer, and safer than a binary you download from a shady website or get in a suspect email attachment, and much safer than some of the scripts you'll find on websites that tell you to copy-paste them in to your shell.
It has safety features: a sandbox to help isolate the process, a relatively limited API that has security constraints to help avoid running arbitrary computer instructions, and security controls meant to limit exposure of sensitive data like fingerprints or cross-domain data sharing. These are on top of your operating system's controls applied to the browser binary to limit bad behavior, and anti-virus applications that can help stop such attacks.
However, it is not absolutely safe. Bugs in the browser's runtime engine, the browser itself, the anti-virus, or even the processor itself can all compromise JavaScript's security. The system is only as secure as its weakest security. The security of JavaScript is mostly meant to prevent "casual" exploits (such as an 8-year-old learning JavaScript for the first time and accidentally writing an exploit), but doesn't stand a chance against dedicated attackers. JavaScript is complicated enough that there are bound to be bugs, perhaps in weird and unexpected ways.
Those experienced in hacking, pen testing, and security can, and do, browse through source code, debug executables, and do whatever else they can to try and find chinks in the armor. The weak points of the JavaScript implementation. And JavaScript is big enough that such chinks exist to begin with, since it is virtually impossible to even automate all the possible tests that would find these bugs.
Generally speaking, any typical script you might run in to on a typical website is probably "safe", especially those linked to by major search engines. However, once you start going off the beaten path, it is incredibly likely you'll get your system compromised at some point if there's even a single weak point. It only takes one really good exploit, or sometimes two or three in tandem, to completely take over a system.
As it is, only enable JavaScript for sites you trust (I personally use NoScript for this purpose), always keep all your software up to date, and always pay attention to browser warnings like invalid certificates and so on. Even then, you won't be 100% safe, but you'll be taking an active part in your own mitigation strategy.
add a comment |
up vote
1
down vote
up vote
1
down vote
JavaScript is "relatively safe," but not "absolutely safe." Any code you run on your system has a potential to do harm. There is no perfectly safe system, except for the one that never used. JavaScript is safer than putting an unknown USB device in your computer, and safer than a binary you download from a shady website or get in a suspect email attachment, and much safer than some of the scripts you'll find on websites that tell you to copy-paste them in to your shell.
It has safety features: a sandbox to help isolate the process, a relatively limited API that has security constraints to help avoid running arbitrary computer instructions, and security controls meant to limit exposure of sensitive data like fingerprints or cross-domain data sharing. These are on top of your operating system's controls applied to the browser binary to limit bad behavior, and anti-virus applications that can help stop such attacks.
However, it is not absolutely safe. Bugs in the browser's runtime engine, the browser itself, the anti-virus, or even the processor itself can all compromise JavaScript's security. The system is only as secure as its weakest security. The security of JavaScript is mostly meant to prevent "casual" exploits (such as an 8-year-old learning JavaScript for the first time and accidentally writing an exploit), but doesn't stand a chance against dedicated attackers. JavaScript is complicated enough that there are bound to be bugs, perhaps in weird and unexpected ways.
Those experienced in hacking, pen testing, and security can, and do, browse through source code, debug executables, and do whatever else they can to try and find chinks in the armor. The weak points of the JavaScript implementation. And JavaScript is big enough that such chinks exist to begin with, since it is virtually impossible to even automate all the possible tests that would find these bugs.
Generally speaking, any typical script you might run in to on a typical website is probably "safe", especially those linked to by major search engines. However, once you start going off the beaten path, it is incredibly likely you'll get your system compromised at some point if there's even a single weak point. It only takes one really good exploit, or sometimes two or three in tandem, to completely take over a system.
As it is, only enable JavaScript for sites you trust (I personally use NoScript for this purpose), always keep all your software up to date, and always pay attention to browser warnings like invalid certificates and so on. Even then, you won't be 100% safe, but you'll be taking an active part in your own mitigation strategy.
JavaScript is "relatively safe," but not "absolutely safe." Any code you run on your system has a potential to do harm. There is no perfectly safe system, except for the one that never used. JavaScript is safer than putting an unknown USB device in your computer, and safer than a binary you download from a shady website or get in a suspect email attachment, and much safer than some of the scripts you'll find on websites that tell you to copy-paste them in to your shell.
It has safety features: a sandbox to help isolate the process, a relatively limited API that has security constraints to help avoid running arbitrary computer instructions, and security controls meant to limit exposure of sensitive data like fingerprints or cross-domain data sharing. These are on top of your operating system's controls applied to the browser binary to limit bad behavior, and anti-virus applications that can help stop such attacks.
However, it is not absolutely safe. Bugs in the browser's runtime engine, the browser itself, the anti-virus, or even the processor itself can all compromise JavaScript's security. The system is only as secure as its weakest security. The security of JavaScript is mostly meant to prevent "casual" exploits (such as an 8-year-old learning JavaScript for the first time and accidentally writing an exploit), but doesn't stand a chance against dedicated attackers. JavaScript is complicated enough that there are bound to be bugs, perhaps in weird and unexpected ways.
Those experienced in hacking, pen testing, and security can, and do, browse through source code, debug executables, and do whatever else they can to try and find chinks in the armor. The weak points of the JavaScript implementation. And JavaScript is big enough that such chinks exist to begin with, since it is virtually impossible to even automate all the possible tests that would find these bugs.
Generally speaking, any typical script you might run in to on a typical website is probably "safe", especially those linked to by major search engines. However, once you start going off the beaten path, it is incredibly likely you'll get your system compromised at some point if there's even a single weak point. It only takes one really good exploit, or sometimes two or three in tandem, to completely take over a system.
As it is, only enable JavaScript for sites you trust (I personally use NoScript for this purpose), always keep all your software up to date, and always pay attention to browser warnings like invalid certificates and so on. Even then, you won't be 100% safe, but you'll be taking an active part in your own mitigation strategy.
answered 9 hours ago
phyrfox
4,5471321
4,5471321
add a comment |
add a comment |
up vote
1
down vote
There is nothing inherently safe about JavaScript, in many ways it is less safe than other languages:
- eval statement
- dynamic typing
It is the sandbox where the browser executes the JavaScript that provides the safety. See documentation on the Chrome sandbox here, notice there is no reference to JavaScript or ECMA script.
Today, the great majority of code executing in the browser is written in JavaScript. With the rise of WebAssembly, we will likely see the browser platform switch from the primarily single language lock in of today (like a mainframe of the past) to an open platform where any WebAssembly compliant language can be used. This will, in a way, prove that JavaScript isn't particularly safe/special, as at that point many languages will be executing in the browser. All of these languages will use the sandbox provided by the browser to execute.
New contributor
The eval statement doesn't really make things less safe in this case. Eval poses a threat when an attacker is able to pass unfiltered strings to it, thus allowing them to run arbitrary code on the target system. In this case, the attacker is the one who wrote the Javascript and the target system is the browser on which it runs. The attacker is already running arbitrary code on the target system, and the question is how secure the sandbox is.
– Ray
6 hours ago
add a comment |
up vote
1
down vote
There is nothing inherently safe about JavaScript, in many ways it is less safe than other languages:
- eval statement
- dynamic typing
It is the sandbox where the browser executes the JavaScript that provides the safety. See documentation on the Chrome sandbox here, notice there is no reference to JavaScript or ECMA script.
Today, the great majority of code executing in the browser is written in JavaScript. With the rise of WebAssembly, we will likely see the browser platform switch from the primarily single language lock in of today (like a mainframe of the past) to an open platform where any WebAssembly compliant language can be used. This will, in a way, prove that JavaScript isn't particularly safe/special, as at that point many languages will be executing in the browser. All of these languages will use the sandbox provided by the browser to execute.
New contributor
The eval statement doesn't really make things less safe in this case. Eval poses a threat when an attacker is able to pass unfiltered strings to it, thus allowing them to run arbitrary code on the target system. In this case, the attacker is the one who wrote the Javascript and the target system is the browser on which it runs. The attacker is already running arbitrary code on the target system, and the question is how secure the sandbox is.
– Ray
6 hours ago
add a comment |
up vote
1
down vote
up vote
1
down vote
There is nothing inherently safe about JavaScript, in many ways it is less safe than other languages:
- eval statement
- dynamic typing
It is the sandbox where the browser executes the JavaScript that provides the safety. See documentation on the Chrome sandbox here, notice there is no reference to JavaScript or ECMA script.
Today, the great majority of code executing in the browser is written in JavaScript. With the rise of WebAssembly, we will likely see the browser platform switch from the primarily single language lock in of today (like a mainframe of the past) to an open platform where any WebAssembly compliant language can be used. This will, in a way, prove that JavaScript isn't particularly safe/special, as at that point many languages will be executing in the browser. All of these languages will use the sandbox provided by the browser to execute.
New contributor
There is nothing inherently safe about JavaScript, in many ways it is less safe than other languages:
- eval statement
- dynamic typing
It is the sandbox where the browser executes the JavaScript that provides the safety. See documentation on the Chrome sandbox here, notice there is no reference to JavaScript or ECMA script.
Today, the great majority of code executing in the browser is written in JavaScript. With the rise of WebAssembly, we will likely see the browser platform switch from the primarily single language lock in of today (like a mainframe of the past) to an open platform where any WebAssembly compliant language can be used. This will, in a way, prove that JavaScript isn't particularly safe/special, as at that point many languages will be executing in the browser. All of these languages will use the sandbox provided by the browser to execute.
New contributor
New contributor
answered 8 hours ago
MattG
1111
1111
New contributor
New contributor
The eval statement doesn't really make things less safe in this case. Eval poses a threat when an attacker is able to pass unfiltered strings to it, thus allowing them to run arbitrary code on the target system. In this case, the attacker is the one who wrote the Javascript and the target system is the browser on which it runs. The attacker is already running arbitrary code on the target system, and the question is how secure the sandbox is.
– Ray
6 hours ago
add a comment |
The eval statement doesn't really make things less safe in this case. Eval poses a threat when an attacker is able to pass unfiltered strings to it, thus allowing them to run arbitrary code on the target system. In this case, the attacker is the one who wrote the Javascript and the target system is the browser on which it runs. The attacker is already running arbitrary code on the target system, and the question is how secure the sandbox is.
– Ray
6 hours ago
The eval statement doesn't really make things less safe in this case. Eval poses a threat when an attacker is able to pass unfiltered strings to it, thus allowing them to run arbitrary code on the target system. In this case, the attacker is the one who wrote the Javascript and the target system is the browser on which it runs. The attacker is already running arbitrary code on the target system, and the question is how secure the sandbox is.
– Ray
6 hours ago
The eval statement doesn't really make things less safe in this case. Eval poses a threat when an attacker is able to pass unfiltered strings to it, thus allowing them to run arbitrary code on the target system. In this case, the attacker is the one who wrote the Javascript and the target system is the browser on which it runs. The attacker is already running arbitrary code on the target system, and the question is how secure the sandbox is.
– Ray
6 hours ago
add a comment |
up vote
-4
down vote
It's safe because it was designed to be safe. Or at least it's safe to the point where a less than formal "JavaScript is pretty powerful" does suggest the it's probably sufficiently safe to reassure you. In practice, no piece of software is perfectly safe, so it's a matter of degree. Javascript is safe enough that most corporations are willing to let employees visit websites using company hardware.
JavaScript is designed to prevent attackers from gaining access to your files or any private information. For example, it has support to prevent a script on one site from looking at data from another site (known as a cross-site attack).
Of course, this is not perfect. There was a recent scare with Spectre and Meltdown, a pair of exploits which relied on a flaw in some processors to break free of the sandbox JavaScript runs in. That had to be patched with some rather ugly software hacks to cover for the flawed processors.
But in general, it is "safe" to execute such scripts because lots of security experts have spent a lot of time making sure that feeling of safety is justified. But it all depends on your threat model. If you had billions of dollars on the line, you might not even want to trust JavaScript's safety!
So the real question is what is your bar for "safe?" Do you consider Windows to be safe? What about Internet Explorer? Adobe Acrobat Reader? OpenJPEG? The Linux kernel? OpenSSL? Safety and usability are always at odds. You have to use something (or maybe you don't. The Amish haven't been hit with a 0-day yet... unless you count a new strain of Influenza) To really understand if you can call something "safe" or not you need a threat model, defining how someone might attack you, and a usability model defining what usability you need to achieve while mitigating the threat model. Without those, we have to read into your words and your history to guess what "safe" means.
3
To downvoters: an explaination for why you think this correct answer should be downvoted would be appreciated.
– Cort Ammon
yesterday
7
I downvoted because you overestimate the security of JavaScript by a large margin, especially when each and every release of a new browser is needed to fix numerous newly discovered vulnerabilities in the JS engine. The fact that a JS exploit can be purchased for around $30k in some countries shows that it's far too optimistic to assume that it's so safe that it takes a billion dollars of assets for it to be worthwhile to break. Your original premise, that JavaScript is "safe" because it was designed to be safe, is incorrect.
– forest
yesterday
3
I downvoted because it begins with the affirmative statement "It's Safe" which is untrue. It's only relatively safe, as you go on to point out.
– Ben
18 hours ago
@Ben Thank you. That explains a lot. I've added text to point out why I called it "safe," which was with respect to the bar it appeared the OP was drawing.
– Cort Ammon
14 hours ago
add a comment |
up vote
-4
down vote
It's safe because it was designed to be safe. Or at least it's safe to the point where a less than formal "JavaScript is pretty powerful" does suggest the it's probably sufficiently safe to reassure you. In practice, no piece of software is perfectly safe, so it's a matter of degree. Javascript is safe enough that most corporations are willing to let employees visit websites using company hardware.
JavaScript is designed to prevent attackers from gaining access to your files or any private information. For example, it has support to prevent a script on one site from looking at data from another site (known as a cross-site attack).
Of course, this is not perfect. There was a recent scare with Spectre and Meltdown, a pair of exploits which relied on a flaw in some processors to break free of the sandbox JavaScript runs in. That had to be patched with some rather ugly software hacks to cover for the flawed processors.
But in general, it is "safe" to execute such scripts because lots of security experts have spent a lot of time making sure that feeling of safety is justified. But it all depends on your threat model. If you had billions of dollars on the line, you might not even want to trust JavaScript's safety!
So the real question is what is your bar for "safe?" Do you consider Windows to be safe? What about Internet Explorer? Adobe Acrobat Reader? OpenJPEG? The Linux kernel? OpenSSL? Safety and usability are always at odds. You have to use something (or maybe you don't. The Amish haven't been hit with a 0-day yet... unless you count a new strain of Influenza) To really understand if you can call something "safe" or not you need a threat model, defining how someone might attack you, and a usability model defining what usability you need to achieve while mitigating the threat model. Without those, we have to read into your words and your history to guess what "safe" means.
3
To downvoters: an explaination for why you think this correct answer should be downvoted would be appreciated.
– Cort Ammon
yesterday
7
I downvoted because you overestimate the security of JavaScript by a large margin, especially when each and every release of a new browser is needed to fix numerous newly discovered vulnerabilities in the JS engine. The fact that a JS exploit can be purchased for around $30k in some countries shows that it's far too optimistic to assume that it's so safe that it takes a billion dollars of assets for it to be worthwhile to break. Your original premise, that JavaScript is "safe" because it was designed to be safe, is incorrect.
– forest
yesterday
3
I downvoted because it begins with the affirmative statement "It's Safe" which is untrue. It's only relatively safe, as you go on to point out.
– Ben
18 hours ago
@Ben Thank you. That explains a lot. I've added text to point out why I called it "safe," which was with respect to the bar it appeared the OP was drawing.
– Cort Ammon
14 hours ago
add a comment |
up vote
-4
down vote
up vote
-4
down vote
It's safe because it was designed to be safe. Or at least it's safe to the point where a less than formal "JavaScript is pretty powerful" does suggest the it's probably sufficiently safe to reassure you. In practice, no piece of software is perfectly safe, so it's a matter of degree. Javascript is safe enough that most corporations are willing to let employees visit websites using company hardware.
JavaScript is designed to prevent attackers from gaining access to your files or any private information. For example, it has support to prevent a script on one site from looking at data from another site (known as a cross-site attack).
Of course, this is not perfect. There was a recent scare with Spectre and Meltdown, a pair of exploits which relied on a flaw in some processors to break free of the sandbox JavaScript runs in. That had to be patched with some rather ugly software hacks to cover for the flawed processors.
But in general, it is "safe" to execute such scripts because lots of security experts have spent a lot of time making sure that feeling of safety is justified. But it all depends on your threat model. If you had billions of dollars on the line, you might not even want to trust JavaScript's safety!
So the real question is what is your bar for "safe?" Do you consider Windows to be safe? What about Internet Explorer? Adobe Acrobat Reader? OpenJPEG? The Linux kernel? OpenSSL? Safety and usability are always at odds. You have to use something (or maybe you don't. The Amish haven't been hit with a 0-day yet... unless you count a new strain of Influenza) To really understand if you can call something "safe" or not you need a threat model, defining how someone might attack you, and a usability model defining what usability you need to achieve while mitigating the threat model. Without those, we have to read into your words and your history to guess what "safe" means.
It's safe because it was designed to be safe. Or at least it's safe to the point where a less than formal "JavaScript is pretty powerful" does suggest the it's probably sufficiently safe to reassure you. In practice, no piece of software is perfectly safe, so it's a matter of degree. Javascript is safe enough that most corporations are willing to let employees visit websites using company hardware.
JavaScript is designed to prevent attackers from gaining access to your files or any private information. For example, it has support to prevent a script on one site from looking at data from another site (known as a cross-site attack).
Of course, this is not perfect. There was a recent scare with Spectre and Meltdown, a pair of exploits which relied on a flaw in some processors to break free of the sandbox JavaScript runs in. That had to be patched with some rather ugly software hacks to cover for the flawed processors.
But in general, it is "safe" to execute such scripts because lots of security experts have spent a lot of time making sure that feeling of safety is justified. But it all depends on your threat model. If you had billions of dollars on the line, you might not even want to trust JavaScript's safety!
So the real question is what is your bar for "safe?" Do you consider Windows to be safe? What about Internet Explorer? Adobe Acrobat Reader? OpenJPEG? The Linux kernel? OpenSSL? Safety and usability are always at odds. You have to use something (or maybe you don't. The Amish haven't been hit with a 0-day yet... unless you count a new strain of Influenza) To really understand if you can call something "safe" or not you need a threat model, defining how someone might attack you, and a usability model defining what usability you need to achieve while mitigating the threat model. Without those, we have to read into your words and your history to guess what "safe" means.
edited 14 hours ago
answered 2 days ago
Cort Ammon
6,37531820
6,37531820
3
To downvoters: an explaination for why you think this correct answer should be downvoted would be appreciated.
– Cort Ammon
yesterday
7
I downvoted because you overestimate the security of JavaScript by a large margin, especially when each and every release of a new browser is needed to fix numerous newly discovered vulnerabilities in the JS engine. The fact that a JS exploit can be purchased for around $30k in some countries shows that it's far too optimistic to assume that it's so safe that it takes a billion dollars of assets for it to be worthwhile to break. Your original premise, that JavaScript is "safe" because it was designed to be safe, is incorrect.
– forest
yesterday
3
I downvoted because it begins with the affirmative statement "It's Safe" which is untrue. It's only relatively safe, as you go on to point out.
– Ben
18 hours ago
@Ben Thank you. That explains a lot. I've added text to point out why I called it "safe," which was with respect to the bar it appeared the OP was drawing.
– Cort Ammon
14 hours ago
add a comment |
3
To downvoters: an explaination for why you think this correct answer should be downvoted would be appreciated.
– Cort Ammon
yesterday
7
I downvoted because you overestimate the security of JavaScript by a large margin, especially when each and every release of a new browser is needed to fix numerous newly discovered vulnerabilities in the JS engine. The fact that a JS exploit can be purchased for around $30k in some countries shows that it's far too optimistic to assume that it's so safe that it takes a billion dollars of assets for it to be worthwhile to break. Your original premise, that JavaScript is "safe" because it was designed to be safe, is incorrect.
– forest
yesterday
3
I downvoted because it begins with the affirmative statement "It's Safe" which is untrue. It's only relatively safe, as you go on to point out.
– Ben
18 hours ago
@Ben Thank you. That explains a lot. I've added text to point out why I called it "safe," which was with respect to the bar it appeared the OP was drawing.
– Cort Ammon
14 hours ago
3
3
To downvoters: an explaination for why you think this correct answer should be downvoted would be appreciated.
– Cort Ammon
yesterday
To downvoters: an explaination for why you think this correct answer should be downvoted would be appreciated.
– Cort Ammon
yesterday
7
7
I downvoted because you overestimate the security of JavaScript by a large margin, especially when each and every release of a new browser is needed to fix numerous newly discovered vulnerabilities in the JS engine. The fact that a JS exploit can be purchased for around $30k in some countries shows that it's far too optimistic to assume that it's so safe that it takes a billion dollars of assets for it to be worthwhile to break. Your original premise, that JavaScript is "safe" because it was designed to be safe, is incorrect.
– forest
yesterday
I downvoted because you overestimate the security of JavaScript by a large margin, especially when each and every release of a new browser is needed to fix numerous newly discovered vulnerabilities in the JS engine. The fact that a JS exploit can be purchased for around $30k in some countries shows that it's far too optimistic to assume that it's so safe that it takes a billion dollars of assets for it to be worthwhile to break. Your original premise, that JavaScript is "safe" because it was designed to be safe, is incorrect.
– forest
yesterday
3
3
I downvoted because it begins with the affirmative statement "It's Safe" which is untrue. It's only relatively safe, as you go on to point out.
– Ben
18 hours ago
I downvoted because it begins with the affirmative statement "It's Safe" which is untrue. It's only relatively safe, as you go on to point out.
– Ben
18 hours ago
@Ben Thank you. That explains a lot. I've added text to point out why I called it "safe," which was with respect to the bar it appeared the OP was drawing.
– Cort Ammon
14 hours ago
@Ben Thank you. That explains a lot. I've added text to point out why I called it "safe," which was with respect to the bar it appeared the OP was drawing.
– Cort Ammon
14 hours ago
add a comment |
Thanks for contributing an answer to Information Security Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f198780%2fwhy-is-javascript-safe-to-run-in-the-browser%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
33
Can you specify your definition of safe? The design is safe, when you consider modifying files on the disk. The implementation can be unsafe, more often than allowing disk access the problem here is allowing cross-domain access to web-data. Having a bitcoin-miner running in your browser could be considered as the result of a unsafe feature. So the answer depends on the risk you want to avoid when having a "safe" javascript-runtime.
– allo
Nov 30 at 12:17
14
Not an answer /per se/, but: it is not Javascript who runs in the browser, is the browser who runs the Javascript. From an implementation point of view, Javascript code doesn't run autonomously but only inside the infrastructure set by the browser.
– MariusSiuram
Nov 30 at 13:54
2
@JakeGould I understood what you meant; I'm saying none of it is relevant and that running JS server side is hardly its "main power." The OP is almost certainly just describing the fact that it's a full blown programming language rather than mark up, making it practical to implement very complex logic in it.
– jpmc26
2 days ago
2
@MooingDuck Yes. And JavaScript the language has nothing to do with sandboxing. They could have taken python and it would have worked the same. Nothing about JavaScript really makes it safer than other languages. Sure, given that it's 20 years that it has been used in that way has driven implementation choices in that direction more so than for other languages, but in a parallel world they are running Haskell in browser with the safe safety concerns as us.
– Bakuriu
yesterday
2
@MooingDuck How exactly is JavaScript designed to be in a sandbox any more than any other language? I mean, you can run Perl and Awk in a sandbox mode...
– forest
23 hours ago