HiddenControlFlowHazard  

Attack-Vector
Updated Feb 4, 2010 by erights

Seemingly safe Caja data computations may result in a control-flow transfer to a potential adversary.

Introduction

Reported by Tyler Close.

When the Caja programmer writes, for example, "x + y", where x or y is supplied by another Caja module, this may cause a (surprising and thereby hazardous) control transfer to code determined by that other module. The reason is JavaScript's coercion rules, which may cause implicit calls to valueOf() and/or toString() methods on the operands.

Our current plan, to fix other bugs, is to prohibit binding of valueOf() and to allow binding of toString() only to functions wrapped by asSimpleFunc() or asXo4a() or something similar. However, because toString() will still be bindable to Caja-determined code, the hazard of the implicit control-flow transfer will remain.

Comment by project member davidsar...@gmail.com, Aug 2, 2008

Jacaranda and ADsafe both prohibit binding of valueOf, but allow binding of toString. So they have this hazard to the same extent as Caja/Cajita, when the built-in operators are used.

The Jacaranda library has non-coercing, non-overloaded functions corresponding to all of the built-in operators. For example $fadd(x, y) does a non-coercing IEEE floating point addition. These functions are ugly and slow, but for programmers who have been convinced that avoiding coercions is a good idea, they are not unusable.
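The following is an added example, not code from the Caja or Jacaranda projects. It shows the hazard described in the Introduction (a plain `x + y` running a toString() supplied by another module) next to a non-coercing addition in the spirit of the $fadd function mentioned in the comment above; the function names, the `log` array and the `fromOtherModule` object are constructed for the demonstration.

```javascript
// Added example (not Caja or Jacaranda code): `x + y` can hand control to
// the module that supplied one operand; a non-coercing add avoids that.

// Record of which foreign code ran during the "data" computation.
const log = [];

// Constructed stand-in for a value handed over by another module. Its
// toString() is that module's code; the `+` operator below will call it.
const fromOtherModule = {
  toString() {
    log.push('toString ran inside x + y');
    return '42';
  },
};

// The seemingly pure data computation. With a non-primitive operand, `+`
// applies ToPrimitive, which calls valueOf() (here the Object.prototype
// default, returning the object itself) and then toString().
function naiveAdd(x, y) {
  return x + y;
}

// Non-coercing addition (assumed shape, modelled on the idea of $fadd):
// accept only primitive numbers, so no operand method can ever be invoked.
function strictAdd(x, y) {
  if (typeof x !== 'number' || typeof y !== 'number') {
    throw new TypeError('strictAdd: both operands must be primitive numbers');
  }
  return x + y;
}

// Runs both versions against the foreign value and reports what happened.
function demo() {
  log.length = 0;
  const naive = naiveAdd(1, fromOtherModule); // '142': concatenation after toString()
  const naiveCalls = log.length;              // 1: the other module's code ran

  log.length = 0;
  let rejected = false;
  try {
    strictAdd(1, fromOtherModule);
  } catch (e) {
    rejected = e instanceof TypeError;        // rejected before any coercion
  }
  const strictCalls = log.length;             // 0: no control transfer

  return { naive, naiveCalls, rejected, strictCalls, strictOk: strictAdd(1, 2) };
}
```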

