Open pedrolvr opened 2 years ago
As I understand it, it's trivial to crash (or hang) V8 (#107, #202), which takes down the whole process with it. If there are critical things (e.g. business logic in the main isolate) running alongside untrusted JS code in the same process, then crashing V8 from within any isolate brings down everything in the same process (including the business logic). By running untrusted JS code using isolated-vm in a separate process (using child_process, as you said), it can only bring down that specific process it is running in, but not the main process that spawns it. That way your main process is safe from any attack that involves crashing the process. (Also, I've found it's much easier to guard against other kinds of attacks (e.g. DoS) if you can just kill the process running untrusted JS code, as opposed to using the API that V8 offers for stopping execution, which doesn't guarantee that it immediately stops doing whatever it's doing.)
In the wake of Spectre and Meltdown, the V8 team began recommending full process isolation of V8 isolates. The assumption here should be that an attacker may have full access to the entire process's memory space, even with isolated-vm in place. These attacks are still a topic of ongoing research and are remarkably difficult to implement, but you need to assess this possibility against your own threat profile.
First, congratulations on this module! I have considered it, and I have a question about the Security instructions: "It's a good idea to keep instances of isolated-vm in a different nodejs process than other critical infrastructure." Does this mean using isolated-vm from a child process (child_process module)?