Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Open discussion about VM module #811

Closed
UlisesGascon opened this issue Jul 8, 2022 · 6 comments
Closed

Open discussion about VM module #811

UlisesGascon opened this issue Jul 8, 2022 · 6 comments
Assignees
@UlisesGascon
Labels
security-wg-agenda

Comments

@UlisesGascon
Copy link
Member

Hi all!

I want to start an open discussion about VM as agreed in the last meeting (#810 ).

We already know that VM can't be considered a security mechanism.

The node:vm module is not a security mechanism. Do not use it to run untrusted code.
Node.js official documentation

But there is an intense misunderstanding around this in the community. In this discussion, we want to achieve some solid arguments that can clarify why we can't consider VM a security mechanism.
@UlisesGascon UlisesGascon self-assigned this Jul 8, 2022
@mcollina
Copy link
Member

mcollina commented Jul 8, 2022

Due to the issue's sensitivity, I can provide some examples of why we can not do so privately.

On top of technical issues, there is also a people problem: very few people are capable and willing to volunteer to run triage & fix these kinds of issues.

@matt-
Copy link
Contributor

matt- commented Jul 8, 2022

There are a few public examples escapes like this https://gist.github.com/domenic/d15dfd8f06ae5d1109b0 (7 year old) that is referenced in other sandbox projects like VM2.

@naugtur
Copy link

naugtur commented Jul 8, 2022

By looking at what SES does, it's easy to estimate how much work is needed to provide a secure environment on top of context isolation

https://github.com/endojs/endo/tree/master/packages/ses

What do we want to achieve here? Explain definitely how using VM for security is a lost cause?
How about we point them at SES/Endo ? Especially once Endo is closer to done 😅

@mhdawson mhdawson mentioned this issue Jul 18, 2022
Closed
@RafaelGSS
Copy link
Member

What do we want to achieve here? Explain definitely how using VM for security is a lost cause?
How about we point them at SES/Endo ? Especially once Endo is closer to done

The idea is to clarify in the threat document that vm shouldn't be used as a security mechanism. It sounds a bit weird to say just: don't consider vm as a security mechanism.

Once it creates a new V8 Context, and I see people arguing that it can avoid prototype pollution.

const vm = require('node:vm');

vm.createContext(context);
const code = 'String.prototype.toString = function () { return "tamper" }';
vm.runInContext(code, context);

console.log('X'.toString()) // X

I mean, we just need to make that statement clear/strong with a few examples.

@UlisesGascon
Copy link
Member Author

I found this article as a great and clear demonstration:

  1. DoS Attack:

Remember the VM will run the js code in new V8 Virtual Machine context but in the same process and the same event loop

const vm = require('vm');
const code = 'while(true){}';
vm.runInNewContext(code,{});
console.log('Never gets executed.')
  1. Escaping the Sandbox (this.constructor.constructor)
const vm = require('vm');
code = 'var x = this.constructor.constructor("return this")()';
let context = {y : 1}
vm.runInNewContext(code,context);
console.log(context.x);

BTW.. I found a very good discussion about VM in this issue too

@RafaelGSS
Copy link
Member

All the suggestions made in the WG Meeting will be applied in the Threat Model document. Thanks everybody

# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees

@UlisesGascon UlisesGascon

Labels
security-wg-agenda
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@mcollina @matt- @naugtur @UlisesGascon @RafaelGSS