Capability spillage

[guybedford]

One class of attacks is when a capability is inadvertantly exposed that wasn't intended to be. I would argue these are actually the most important class of attacks to protect against - that the membrane must protect capabilities from never crossing boundaries unintentionally as its primary goal.

Here's the example case with cytoplasm:

const { Membrane } = require('./dist/index.js');
const createReadOnlyDistortion = require('./src/distortions/readOnly.js');

const membrane = new Membrane();
const graphA = membrane.makeMembraneSpace({ label: 'a', createHandler: createReadOnlyDistortion });
const graphB = membrane.makeMembraneSpace({ label: 'b' });

const objA = {
  set: function (val) {
    this.hack();
  }
};

const privateState = {
  setter: undefined,
  hack () {
    throw new Error('Hacked a private method');
  }
};
const objB = {
  setSetter (setter) {
    privateState.setter = setter;
  },
  runSetter () {
    privateState.setter();
  }
}

const objAWrap = membrane.bridge(objA, graphA, graphB);
const objBWrap = membrane.bridge(objB, graphB, graphA);

objBWrap.setSetter(objAWrap.set);
objBWrap.runSetter();

I understand distinguishing the intent from what is expected here can be hard, and I still need to think through this myself so may well be over-assuming this security property too, but this is where taking a slightly more practical "lossy" approach in the name of improving these sorts of inadvertant cases might be worthwhile?

[guybedford]

I've most certainly misunderstood the complete model so feel free to poke holes in my assumptions here too!