search

rogchap / v8go

Execute JavaScript from Go
https://rogchap.com/v8go
BSD 3-Clause "New" or "Revised" License
3.21k stars 218 forks source link

[Question] untrusted code and protection against side-channel attacks? #79

Open ItalyPaleAle opened 3 years ago

ItalyPaleAle commented 3 years ago

(Premise: these topics are way out of my comfort zone so please forgive me in advance if what I'm saying is complete crap)

As I've been doing some research on V8 Isolates, it seems that one potential risk with them is about side-channel attacks, such as Spectre.

Cloudlfare, which uses V8 Isolates for their Workers, seems to acknowledge this by listing the mitigation they put in place, including limiting the capabilities of the Date method, disallowing multi-threading, etc. Source: https://developers.cloudflare.com/workers/learning/security-model

Given this, how much do you think these concerns apply to v8go?

Or, to put it in other terms: would you trust running untrusted code in this sandbox?

harikb commented 3 years ago

(Not an expert nor repo-contributor yet, but working on similar problems. this is my 2 cents)

  1. No, you can't run untrusted code without some serious mitigations.
  2. As far as I understand, the driver, your code that uses this library or another library can potentially control what methods are available to the Javascript. For example, the node-js equivalent of performance.Now() wouldn't be available here, because your code wouldn't make such a method available for the guest isolate.
  3. You will need to manage "grouping" of your untrusted code and separating OS processes yourself. For example if you intent do run same untrusted code X1.js 10 times, you are better of reusing the same process, but not if you run 10 independent X1 to X10.js ... if one code is not supposed to see after effects of another code (assuming there is a break-in)
  4. You will need to control network access (both inbound and outbound), filesystem access (if any is given)

May be a better way to think is

  1. If you had to run untrusted "C/native" code, what would you do? Do all that - For example, imagine university shared unix systems used to work, new eBPF filters in recent kernels - That CF article talks about this a lot.
  2. On top of it, v8 would give you additional sandboxing and controlling what the JS can call so you limit the chance of it ever hitting the layer above