[webkit-dev] Regarding malicious javascript detection

Mike Marchywka marchywka at hotmail.com
Sat Apr 17 03:39:57 PDT 2010

> Date: Sat, 17 Apr 2010 15:19:16 +0530
> From: 
> To: webkit-help at lists.webkit.org; webkit-dev at lists.webkit.org
> Subject: [webkit-dev] Regarding malicious javascript detection
> Hi
> I have one doubt about javascript that does malicious things. Consider following javascript.

Just one? LOL. I would mention, esp in regards to things like rendering
on UI thread, any arbitrary code can do anything without reading
the mind of the author ( malicious or stupid intent ) , and needs to
be executed with no assumptions about its "goodness" in any sense and in some way it can't kill the app through programmatic means or simple resource depltion ( programmatic including execution of data or calling some OS exit thing, resource depltion being stack overflow, cpu etc) . Having stated the obvious,
I would ask if there is a tutorial or links in the code to references
on generally how JS is implemented- leaving through code it looked like
there was a bunch of stuff about a bytecode compiler etc. Interpretted
byte code languages like java usually can be made much more safe than
native code executors but there are still issues with resource wasters
that kill entire app or machine ( you get those pop ups about " a script 
is causing computer to run slowly, do you want to terminate it?"). 
Memory waste in heap or I guess even stack, depletion of CPU, IO or even graphics resources ( I swear sometimes my java applets had problems due to underlying
native grappics resource leaks that sometimes got reported as OutOfMemoryError) and other resource mis-allocations can cause lots of
performance issues before a crach or lock up occurs. You might want
to consider these "security" issues in a larger context. 
> Above code causes exception and there by causing crash. Though Chrome doesnt close. I am not sure what this scrpt does, but i think this is something to do with 'throw' in JavaScript.
> Maybe something to do with overflow.
> My doubt is,
> Is there any kind of handling done for above scenario which are potential for hacking ?
> I have Chrome (42898) áon which above script crashes Chrome page.
The New Busy is not the old busy. Search, chat and e-mail from your inbox.

More information about the webkit-dev mailing list