Securing JavaScript by Douglas Crockford (OWASP AppSecUSA Keynote Review)

douglas crockfordAt OWASP AppSecUSA this year, I attended Douglas Crockford talk on Securing JavaScript. Doug is a JavaScript developer and also discovered JSON.

I was looking forward to this talk with great anticipation because this guy is one of the elder statesman of microcomputers (“elder” not quite the affront to vanity it may seem given how quickly this industry has evolved) and I am pretty sure I have enjoyed a few programs of his since I was a kid (how many Douglas Crockfords are there in the world who are computer guys and the right age to have been the author of these programs?).

Like Alan Kay and other luminaries, if I am right, he did a stint at Atari where he wrote some really cool 3d ball bouncing demos and a 3d tunnel demo. Besides being perspective-correct immersive 3d on an 8 bit computer, the ball demos also employed anti-aliasing which was pretty rare at the time. The Lucasfilm games that came out for that computer a few years later for that computer (Atari 8 bit) are the only other examples that occur to me off the top of my head.  Well anyway, I was not disappointed by the talk.

He began by pointing out what I would call the classic security versus usability tradeoff. For example, any browser that does not allow XSS vulnerabilities is not standards compliant.  There are and will continue to be ever more standards such that no developer can be expected to encompass the lot of them in his/her mind and thereby code securely. I was particularly amused by Crockford’s characterization of the browser wars in the 1990’s.  Basically, by making them as fault tolerant as possible of badly formed HTML and other faults, the companies were essentially in a race to see who could produce the most insecure expose-the-user-to-maximum-risk browser. Usability was the priority and security was an afterthought.

Tossing in my own 2¢ on that: this is also a fine description of Windows and the internet. Windows started on rather limited micros so one kind of expects that and I do not think it is any disparagement of Microsoft.  In any alternate history, whatever company got to be the 900 pound gorilla of 80’s micros, the same thing would have evolved I think. But the internet is a bit ironic since packet switching communications protocols, i.e. TCP/IP, were invented specifically to be virtually immune to Soviet attack by having no single point of failure, so one would think those designers would be hyper-security-minded. So there is my offering of historical framework.

Crockford went on to elucidate the problems with Javascript that make it insecure. Things like reliance on global variables and the fact that it is conducive to being coded by poseur-nerds who are not computer scientists. Then he posited a subset that would redress these problems. My favourite language is C++ (as long as Von-Neumann architecture continues to be the dominant computer architecture) and I could propose a similar thing for that.  Crockford’s proposals included static validation only, no code rewriting (self writing, self modifying code), adsafe rules (do not give ads/external-domain entities same rights as script), restricted operator, restricted access to DOM, no document.write, no dynamic script tags. All this is preaching to the choir that is me. Summarizing the talk, he said in so many words that languages emerge at first driven by utility and then we all do a collective “holy crap” when we gather enough knowledge as to what the security problems are and then we must go back and revise the languages/protocols accordingly.

About M. J. Power 22 Articles
Connect with Mike on Google+

Be the first to comment

Leave a Reply

Your email address will not be published.