[webkit-dev] RenderArena: Teaching an old dog new tricks
rniwa at webkit.org
Wed Nov 14 22:05:35 PST 2012
On Wed, Nov 14, 2012 at 9:59 PM, Adam Barth <abarth at webkit.org> wrote:
> On Nov 14, 2012 8:59 PM, "Ryosuke Niwa" <rniwa at webkit.org> wrote:
> > On Wed, Nov 14, 2012 at 8:52 PM, Elliott Sprehn <esprehn at chromium.org> wrote:
> >> I was present for one of the discussions about the exploit and how an
> >> arena-like allocator could have helped at Google. One proposed solution was
> >> to allocate all the JS typed buffers in an arena.
> >> Is there a reason we can't just do that? It's much less intrusive to
> >> allocate ArrayBuffer in an arena than to allocate all DOM objects in one.
> > I don't think allocating all JS objects in an arena is good enough
> > because attackers can inject nearly arbitrary sequences of bytes into DOM
> > objects (e.g. text node).
> The text for a text node is stored in a String, not in the Node object
Yeah, I guess text node was not a good example. Now that I think about it,
we can probably get most of the security benefits of using RenderArena for DOM
if we can allocate all strings & JS objects from an arena.
- R. Niwa.
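The property the thread is arguing about, shown concretely as an added example (this is not WebKit code and not from any participant): a freed DOM-side object is exploitable mainly when attacker-chosen bytes can be allocated into its old slot. Below, a toy fixed-size arena with a LIFO free list stands in for the real allocator, `node_t` with its `NODE_TAG` stands in for a DOM object, and a `memset` of 0x41 stands in for the contents of a script-controlled string or ArrayBuffer; all of those names and values are constructed for the demonstration. The same dangling read is run twice, once with nodes and buffers sharing one arena, once with buffers partitioned into their own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fixed-size slots: node_t and the attacker's buffer land in the same size class,
   which is the precondition for the freed-slot reuse being demonstrated. */
#define SLOT_SIZE  32
#define SLOT_COUNT 8
#define NODE_TAG   0x4E4F4445u   /* "NODE": the type tag a dispatch path would trust */

typedef struct {
    uint32_t tag;          /* type identifier checked before use */
    uint32_t child_count;  /* some field consumed by engine logic */
    unsigned char pad[SLOT_SIZE - 2 * sizeof(uint32_t)];
} node_t;

/* Toy arena (constructed for this example): fixed-size slots with a LIFO free list,
   so the most recently freed slot is the next one handed out, as real allocators
   with per-thread caches typically do. */
typedef struct {
    unsigned char slots[SLOT_COUNT][SLOT_SIZE];
    void *free_list[SLOT_COUNT];
    size_t free_top;
} arena_t;

static void arena_init(arena_t *a) {
    a->free_top = 0;
    for (size_t i = SLOT_COUNT; i-- > 0;)          /* push in reverse so slot 0 is first out */
        a->free_list[a->free_top++] = a->slots[i];
}

static void *arena_alloc(arena_t *a) {
    return a->free_top ? a->free_list[--a->free_top] : NULL;
}

static void arena_free(arena_t *a, void *p) {
    a->free_list[a->free_top++] = p;               /* slot goes straight back to the top */
}

/* Allocate a node from node_arena, free it but keep the pointer (the dangling
   reference of a use-after-free), then let the "attacker" allocate a same-sized
   buffer from buffer_arena and fill it. Returns the tag the dangling pointer sees. */
static uint32_t tag_seen_after_spray(arena_t *node_arena, arena_t *buffer_arena) {
    node_t *node = arena_alloc(node_arena);
    node->tag = NODE_TAG;
    node->child_count = 1;
    arena_free(node_arena, node);                  /* node destroyed; pointer kept */

    unsigned char *buf = arena_alloc(buffer_arena);
    memset(buf, 0x41, SLOT_SIZE);                  /* constructed payload: script-chosen bytes */

    uint32_t tag;
    memcpy(&tag, node, sizeof tag);                /* stale read: whatever occupies the slot now */
    return tag;
}

/* Shared heap: nodes and attacker-filled buffers come from one arena. */
static uint32_t shared_heap_tag(void) {
    arena_t heap;
    arena_init(&heap);
    return tag_seen_after_spray(&heap, &heap);
}

/* Partitioned heap: buffers come from their own arena, so a freed node slot can
   only ever be reoccupied by another node. */
static uint32_t partitioned_heap_tag(void) {
    arena_t nodes, buffers;
    arena_init(&nodes);
    arena_init(&buffers);
    return tag_seen_after_spray(&nodes, &buffers);
}

int main(void) {
    printf("shared heap:      dangling node tag = 0x%08x (NODE_TAG is 0x%08x)\n",
           shared_heap_tag(), NODE_TAG);
    printf("partitioned heap: dangling node tag = 0x%08x\n", partitioned_heap_tag());
    return 0;
}
```

In the shared case the stale pointer reads back 0x41414141, the attacker's bytes; in the partitioned case it still reads `NODE_TAG`, because nothing the attacker controls byte-for-byte can be allocated from the node partition. Two caveats worth keeping in mind: the partition only helps if every attacker-controllable backing store (ArrayBuffer contents and, as Adam points out, the String behind a text node) lives outside the object arena, which is why "all strings & JS objects" matters; and a freed node slot can still be reoccupied by another node of the same partition, so same-type reuse of a dangling pointer is not addressed by this scheme.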