Open Bug 811877 Opened 12 years ago Updated 9 years ago

Javascript Taint Support in Firefox

Categories

(mozilla.org :: Security Assurance, task)

Product:
mozilla.org
Component:
Security Assurance
Platform:
Other
Other
Type:
task
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

People

(Reporter: ygjb, Assigned: ialagenchev, Mentored)

References

Details

(Whiteboard: [mentorship][lang=c++][lang=javascript]) 

Description: To get javascript taint mechanism exposed to the devtools provided by Firefox.
Mentor: rforbes / Mark Goodwin / ptheriault
Duration:300 hours
Requirements: C++ and JS knowledge.
Goals: Build a taint mechanism (similar  to that used by DOMinator) to allow data from certain sources to be  identified later on. Expose APIs to allow this to be used from the  debugger (e.g. to be used in conditional breaks) to allow add-on authors  (or ourselves) to easily create tools for searching for content (or  chrome) DOM XSS issues.
Assignee: rforbes → nobody
Whiteboard: [mentorship] → [mentorship][mentor=rforbes@mozilla.com][lang=c++][lang=javascript]
I like this. Can I take it?
Sorry, how do I get assigned to this issue?
(In reply to morsquidsit from comment #2)
> Sorry, how do I get assigned to this issue?

Morsquidsit - talk to mgoodwin. We already have a mentee working on the project, but Mark can best tell you how to get involved.
(In reply to morsquidsit from comment #2)
> Sorry, how do I get assigned to this issue?

I'd be delighted if we can get you involved in some way but Ivan is already working **** this. Maybe we can divide the problem up in some way (we're yet to work out what to do with front ends to this, for example)?

Ivan, what are your thoughts on this?
Flags: needinfo?(alagenchev)
(In reply to Mark Goodwin [:mgoodwin] from comment #4)
> (In reply to morsquidsit from comment #2)
> > Sorry, how do I get assigned to this issue?
> 
> I'd be delighted if we can get you involved in some way but Ivan is already
> working hard on this. Maybe we can divide the problem up in some way (we're
> yet to work out what to do with front ends to this, for example)?
> 
> Ivan, what are your thoughts on this?

I think that anyone interested to help out is welcome to join. Are you interested more in working at the back end, or the front end? If you are more interested about the front end, you can probably start working on the design and conceptual ideas right away. If you are interested in helping out with the internals, I would have to spend some time thinking about ways to separate the responsibilities. I am sure we can work something out. If you contact me off-bugzilla, we can discuss further - alagenchev at gmail dot com
Flags: needinfo?(alagenchev)
If this issue is already taken I think I can find another one. However, it still says "Assigned to: Nobody; OK to take it and work on it".
(In reply to morsquidsit from comment #6)
> If this issue is already taken I think I can find another one. However, it
> still says "Assigned to: Nobody; OK to take it and work on it".

My apologies; that's entirely my fault.

There's much work to be done here so if you're still interested I'm sure you can participate; otherwise, feel free to look for another.
Assignee: nobody → alagenchev
Great that this is being worked on!  For reference, there is similar work that was done by Stefano di Paola, the author of DOMinator, and released on GitHub: https://github.com/wisec/DOMinator
but it would be really useful to have such feature as part of the core Firefox code so that it would be carried over from version to version.  It would probably make sense to make it a compile-time option so that there would not be performance penalty when the feature is not needed.
(In reply to dimisec from comment #8)
> Great that this is being worked on!  For reference, there is similar work
> that was done by Stefano di Paola, the author of DOMinator, and released on
> GitHub: https://github.com/wisec/DOMinator

Indeed. Stefano has been working with us on this (and we're very grateful for his help).
Ok, I think I'd like to work on this issue.
Can you confirm that you're still working on this bug?
Flags: needinfo?(alagenchev)
Yep, I'm still actively working on this. Did you need any additional info?
Flags: needinfo?(alagenchev)
Nope, we're just checking up. Thanks!
Just a quick update. We are now functionally equivalent to DOMinator and we are going to start working on improving the overall architecture and making improvements necessary to make this part of spider monkey. 
Our progress and potential contributions can be followed here: https://github.com/alagenchev/spider_monkey
Hi Ivan - is the project is still alive / are you getting a chance to work on it?  Do you want any help testing it?  I would love to contribute.  Thanks.

Dmitri
(In reply to dimisec from comment #15)
> Hi Ivan - is the project is still alive / are you getting a chance to work
> on it?  Do you want any help testing it?  I would love to contribute. 
> Thanks.
> 
> Dmitri

Hi Dmitri, thank you for showing interest in the project. I'm not contributing to it any longer due to other personal responsibilities. Stephanie Ouillon has picked it up now. You can reach her at stephouillon@mozilla.com
Hi Dmitri, 
Nicolas Pierron did a talk about JS Tainting during the last JS workweek, you can find the slides here : https://github.com/nbp/slides/tree/master/TaintAnalysis

Right now, we're going to have look at jalangi and we'll get back with a more concrete insight.
Mentor: rforbes
Whiteboard: [mentorship][mentor=rforbes@mozilla.com][lang=c++][lang=javascript] → [mentorship][lang=c++][lang=javascript]
Stéphanie, do we have any preliminary results on what it could bring to have such system in the JavaScript engine?
Flags: needinfo?(stephouillon)
I haven't been working on tainting at all recently, so now news for now.
Flags: needinfo?(stephouillon)
Any update on this bug? I would like to know more about it and work if this project still needs contributors. Some other project too would be fine.
Flags: needinfo?(rforbes)
I have not touched this in quite a while.  Possible Mark Goodwin knows more.

-r
Flags: needinfo?(rforbes) → needinfo?(mgoodwin)
Sadly not; Stephanie touched this more recently than I.
Flags: needinfo?(mgoodwin)
COWL is on its way to FWPD: https://w3c.github.io/webappsec-cowl/

I will create a separate bug for COWL once it is in FPWD form, but given the interest on tainting, I figured I should point to this information flow control system.
You need to log in before you can comment on or make changes to this bug.