Friday, October 12th, 2007
The first approach is to use a verifier. That is how ADsafe works. A verifier statically analyzes a program, and certifies that the program does not use any of the unsafe features of the language. This does not guarantee that the program is safe, but it makes it possible to make programs that are safe. Any program can compromise its own security. The improvement here is that a program’s security is not compromised by the language it is written in.
The second approach is to use a transformer. A transformer verifies, but it also modifies the program, adding indirection and runtime checks. The advantage of transformers is that they allow the use of a larger subset of the language. For example, ADsafe does not allow the use of the this parameter. A transformer can allow this because it can inject code around it and its uses to ensure that it is never used unsafely. The benefit is that it is more likely that existing programs could run in a safe mode with little or no modification. I think that is a dubious benefit because programs that are not designed to be safe probably are not. The downside is that the final program will be bigger and slower, and debugging on the transformed program will be more difficult.
Both approaches work. But we still need to fix the browser.
A new project, Google Caja, is trying to do source-to-source translation to secure things:
Using Caja, web apps can safely allow scripts in third party content.
FBJS is also trying to do some of this too. Got some time on Friday to look around some code? Take a look at some Caja.
Posted by Dion Almaer at 10:58 am