Re: Javascript JIT in web browsers

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



drago01 wrote:
> The times where javascript is only used for some fancy effects are
> long over ... welcome to 2010 ;)

Some web sites are indeed abusing JavaScript. Why should we promote this 
behavior? It is a vehicle for proprietary software, where people often 
aren't even aware they're using non-Free code, or just ignore the issue.
See also http://www.gnu.org/philosophy/javascript-trap.html . A web site is 
not and should not be an application, an application is not and should not 
be a web site.

> The "problem" is fixable there is a patch that is being discussed
> upstream to fix the issue and allow selinux memory protection it is
> just not merged yet.
> 
> Using a JIT is not a security risk by itself.

Workarounds which make SELinux happy are still not as secure as sticking to 
a pure bytecode interpreter. Exploit code can still write to the memory to 
be executed, with ANY JIT, as this is how a JIT works. It's just that the 
writing has to happen through a different address space window as the 
execution, making the JIT harder, but not impossible, to exploit.

So IMHO the right fix is to disable the JIT altogether.

But the proposed patch would still be better than the crappy solution 
implemented now just to "stick to upstream" (having SELinux ignore the 
problem).

        Kevin Kofler

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux