Reading through this question on multi-threaded javascript, I was wondering if there would be any security implications in allowing javascript to spawn multiple threads. For example, would there be a risk of a malicious script repeatedly spawning thread after thread in an attempt to overwhelm the operating system or interpreter and trigger entrance into "undefined behavior land", or is it pretty much a non-issue? Any other ways in which an attack might exploit a hypothetical implementation of javascript that supports threads that a non-threading implementation would be immune to?

Update: Note that locking up a browser isn't the same as creating an undefined behavior exploit.

A: 

Well I think that the only major example of multi-threaded javascript is Google's Chrome (WOULD THEY RELEASE IT ALREADY JEEZ) and if I understand it the javascript will only run one process per tab, so unless it started spawning tabs (popups) I would assume this would be a null issue, but I think that Google has that under wraps anyway, they are running all the javascript in a sandbox.

Unkwntech
A: 

Again, we need to make a distinction between 1) multithreaded support in the language (which I don't think is seriously being discussed as something that will happen) and 2) usage of multiple threads in the JavaScript engine/interpreter in the browser.

For #2, I can't see how this can really add any possible security concerns to the engine/interpreter, unless there are flaws in the implementation.

matt b
+1  A: 

Well, you can already lock up a browser and seriously slow down a system with badly-behaved JS. Enlightened browsers have implemented checks for this sort of thing, and will stop it before it gets out of hand.

I would tend to assume that threads would be dealt with in a similar manner.


Perhaps you could explain what you mean by "undefined behavior" then? An interpreter that allowed untrusted script to directly control the number of OS-native threads being run would be incredibly naive - I don't know how Gears runs things, but since the API is centered around Workers in WorkerPools, I would be very surprised if they aren't limiting the total number of native threads in use to some very low number.

Shog9
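
The kind of cap the answer above expects, as an added example that is not part of the original thread and is not Gears or browser code: a host-side pool admits a fixed number of running workers, queues a bounded backlog, and refuses the rest. The class, method names and limits are hypothetical, and jobs are run inline here to model thread completion.

```javascript
// Added illustration; BoundedWorkerPool and its methods are hypothetical names.
class BoundedWorkerPool {
  constructor(maxThreads, maxQueued) {
    this.maxThreads = maxThreads; // hard cap on concurrently running workers
    this.maxQueued = maxQueued;   // cap on pending requests, bounds memory too
    this.running = new Map();     // worker id -> job currently holding a thread
    this.queue = [];
    this.nextId = 1;
    this.peakRunning = 0; this.rejected = 0;
  }
  // Called on behalf of script. Returns a worker id, or null when over quota.
  createWorker(job) {
    const id = this.nextId++;
    if (this.running.size < this.maxThreads) {
      this.start(id, job);
    } else if (this.queue.length < this.maxQueued) {
      this.queue.push({ id, job });
    } else {
      this.rejected++;
      return null; // refuse instead of allocating another thread
    }
    return id;
  }
  start(id, job) {
    this.running.set(id, job);
    this.peakRunning = Math.max(this.peakRunning, this.running.size);
  }
  // Called by the host when a worker finishes; hands the slot to the queue.
  workerExited(id) {
    if (!this.running.delete(id)) return false;
    const next = this.queue.shift();
    if (next) this.start(next.id, next.job);
    return true;
  }
}

// Constructed scenario: script requests workers in a tight loop, then the host drains them.
function simulateSpawnFlood(requests, maxThreads, maxQueued) {
  const pool = new BoundedWorkerPool(maxThreads, maxQueued);
  let executed = 0;
  for (let i = 0; i < requests; i++) pool.createWorker(() => { executed++; });
  while (pool.running.size > 0) {
    const [id, job] = pool.running.entries().next().value;
    job();
    pool.workerExited(id);
  }
  return { peak: pool.peakRunning, rejected: pool.rejected, executed };
}
```

With limits of 4 threads and 64 queued requests, a loop asking for 10,000 workers never holds more than 4 slots at once, and everything beyond the 68 admitted requests is refused.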
+1  A: 

No, multiple threads would not add extra security problems in a perfect implementation. Threaded javascript would add complexity to the javascript interpreter which makes it more likely to have an exploitable bug. But threads alone are not going to add any security issues.

Threads are not present in javascript because "Threads Suck" - read more from the language designer (http://weblogs.mozillazine.org/roadmap/archives/2007/02/threads_suck.html)

Nathaniel Reinhart