src: perform integrity checks on built-in code cache by joyeecheung · Pull Request #22152 · nodejs/node
added
c++
labels
Aug 6, 2018
Currently V8 only checks that the length of the source code is the
same as the code used to generate the hash, so we add an additional
check here:
1. During compile time, when generating node_javascript.cc and
node_code_cache.cc, we compute and include the hash of the
(unwrapped) JavaScript source in both.
2. At runtime, we check that the hash of the code being compiled
and the hash of the code used to generate the cache
(inside the wrapper) is the same.
This is based on the assumptions:
1. `internalBinding('code_cache_hash')` must be in sync with
`internalBinding('code_cache')` (same C++ file)
2. `internalBinding('natives_hash')` must be in sync with
`process.binding('natives')` (same C++ file)
3. If `internalBinding('natives_hash')` is in sync with
`internalBinding('natives_hash')`, then the (unwrapped)
code used to generate `internalBinding('code_cache')`
should be in sync with the (unwrapped) code in
`process.binding('natives')`
There will be, however, false positives if the wrapper used
to generate the cache is different from the one used at run time,
and the length of the wrapper somehow stays the same.
But that should be rare and can be eased once we make the
two bootstrappers cached and checked as well.
joyeecheung
added
the
author ready
label
Aug 17, 2018joyeecheung added a commit that referenced this pull request
Aug 17, 2018
Currently V8 only checks that the length of the source code is the
same as the code used to generate the hash, so we add an additional
check here:
1. During compile time, when generating node_javascript.cc and
node_code_cache.cc, we compute and include the hash of the
(unwrapped) JavaScript source in both.
2. At runtime, we check that the hash of the code being compiled
and the hash of the code used to generate the cache
(inside the wrapper) is the same.
This is based on the assumptions:
1. `internalBinding('code_cache_hash')` must be in sync with
`internalBinding('code_cache')` (same C++ file)
2. `internalBinding('natives_hash')` must be in sync with
`process.binding('natives')` (same C++ file)
3. If `internalBinding('natives_hash')` is in sync with
`internalBinding('natives_hash')`, then the (unwrapped)
code used to generate `internalBinding('code_cache')`
should be in sync with the (unwrapped) code in
`process.binding('natives')`
There will be, however, false positives if the wrapper used
to generate the cache is different from the one used at run time,
and the length of the wrapper somehow stays the same.
But that should be rare and can be eased once we make the
two bootstrappers cached and checked as well.
PR-URL: #22152
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Tiancheng "Timothy" Gu <timothygu99@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Gus Caplan <me@gus.host>
targos pushed a commit that referenced this pull request
Aug 19, 2018
Currently V8 only checks that the length of the source code is the
same as the code used to generate the hash, so we add an additional
check here:
1. During compile time, when generating node_javascript.cc and
node_code_cache.cc, we compute and include the hash of the
(unwrapped) JavaScript source in both.
2. At runtime, we check that the hash of the code being compiled
and the hash of the code used to generate the cache
(inside the wrapper) is the same.
This is based on the assumptions:
1. `internalBinding('code_cache_hash')` must be in sync with
`internalBinding('code_cache')` (same C++ file)
2. `internalBinding('natives_hash')` must be in sync with
`process.binding('natives')` (same C++ file)
3. If `internalBinding('natives_hash')` is in sync with
`internalBinding('natives_hash')`, then the (unwrapped)
code used to generate `internalBinding('code_cache')`
should be in sync with the (unwrapped) code in
`process.binding('natives')`
There will be, however, false positives if the wrapper used
to generate the cache is different from the one used at run time,
and the length of the wrapper somehow stays the same.
But that should be rare and can be eased once we make the
two bootstrappers cached and checked as well.
PR-URL: #22152
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Tiancheng "Timothy" Gu <timothygu99@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Gus Caplan <me@gus.host>
targos pushed a commit that referenced this pull request
Sep 3, 2018
Currently V8 only checks that the length of the source code is the
same as the code used to generate the hash, so we add an additional
check here:
1. During compile time, when generating node_javascript.cc and
node_code_cache.cc, we compute and include the hash of the
(unwrapped) JavaScript source in both.
2. At runtime, we check that the hash of the code being compiled
and the hash of the code used to generate the cache
(inside the wrapper) is the same.
This is based on the assumptions:
1. `internalBinding('code_cache_hash')` must be in sync with
`internalBinding('code_cache')` (same C++ file)
2. `internalBinding('natives_hash')` must be in sync with
`process.binding('natives')` (same C++ file)
3. If `internalBinding('natives_hash')` is in sync with
`internalBinding('natives_hash')`, then the (unwrapped)
code used to generate `internalBinding('code_cache')`
should be in sync with the (unwrapped) code in
`process.binding('natives')`
There will be, however, false positives if the wrapper used
to generate the cache is different from the one used at run time,
and the length of the wrapper somehow stays the same.
But that should be rare and can be eased once we make the
two bootstrappers cached and checked as well.
PR-URL: #22152
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Tiancheng "Timothy" Gu <timothygu99@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Gus Caplan <me@gus.host>
This was referenced
Sep 6, 2018This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters