src/objects/trusted-object.h - v8/v8.git - Git at Google

 // Copyright 2023 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

 #ifndef V8_OBJECTS_TRUSTED_OBJECT_H_
 #define V8_OBJECTS_TRUSTED_OBJECT_H_

 #include "src/objects/heap-object.h"

 // Has to be the last include (doesn't have include guards):
 #include "src/objects/object-macros.h"

 namespace v8 {
 namespace internal {

 #include "torque-generated/src/objects/trusted-object-tq.inc"

 // An object that is trusted to not have been modified in a malicious way.
 //
 // Typical examples of trusted objects are containers for bytecode or code
 // metadata, which often allow an attacker to corrupt (for example) stack
 // memory when manipulated. When the sandbox is enabled, trusted objects are
 // located outside of the sandbox (in one of the trusted heap spaces) so that
 // attackers cannot corrupt these objects and use them to escape from the
 // sandbox. When the sandbox is disabled, trusted objects are treated like any
 // other objects since in that case, many other types of objects (for example
 // ArrayBuffers) can be used to corrupt memory outside of V8's heaps as well.
 //
 // Trusted objects cannot directly be referenced from untrusted objects as this
 // would be unsafe: an attacker could corrupt any (direct) pointer to these
 // objects stored inside the sandbox. However, ExposedTrustedObject can be
 // referenced via indirect pointers, which guarantee memory-safe access.
 class TrustedObject : public HeapObject {
  public:
   DECL_CAST(TrustedObject)
   DECL_VERIFIER(TrustedObject)

   // Protected pointers.
   //
   // These are pointers for which it is guaranteed that neither the pointer-to
   // object nor the pointer itself can be modified by an attacker. In practice,
   // this means that they must be pointers between objects in trusted space,
   // outside of the sandbox, where they are protected from an attacker. As
   // such, the slot accessors for these slots only exist on TrustedObjects but
   // not on other HeapObjects.
   inline Tagged<TrustedObject> ReadProtectedPointerField(int offset) const;
   inline Tagged<TrustedObject> ReadProtectedPointerField(int offset,
                                                          AcquireLoadTag) const;
   inline void WriteProtectedPointerField(int offset,
                                          Tagged<TrustedObject> value);
   inline void WriteProtectedPointerField(int offset,
                                          Tagged<TrustedObject> value,
                                          ReleaseStoreTag);
   inline bool IsProtectedPointerFieldCleared(int offset) const;
   inline bool IsProtectedPointerFieldCleared(int offset, AcquireLoadTag) const;
   inline void ClearProtectedPointerField(int offset);
   inline void ClearProtectedPointerField(int offset, ReleaseStoreTag);

   inline ProtectedPointerSlot RawProtectedPointerField(int byte_offset) const;

 #ifdef VERIFY_HEAP
   inline void VerifyProtectedPointerField(Isolate* isolate, int offset);
 #endif

   static constexpr int kHeaderSize = HeapObject::kHeaderSize;

   OBJECT_CONSTRUCTORS(TrustedObject, HeapObject);
 };

 // A trusted object that can safely be referenced from untrusted objects.
 //
 // These objects live in trusted space but are "exposed" to untrusted objects
 // living inside the sandbox. They still cannot be referenced through "direct"
 // pointers (these can be corrupted by an attacker), but instead they must be
 // referenced through "indirect pointers": an index into a pointer table that
 // contains the actual pointer as well as a type tag. This mechanism then
 // guarantees memory-safe access.
 //
 // We want to have one pointer table entry per referenced object, *not* per
 // reference. As such, there must be a way to obtain an existing table entry
 // for a given (exposed) object. This base class provides that table entry in
 // the form of the 'self' indirect pointer.
 //
 // The need to inherit from this base class to make a trusted object accessible
 // means that it is not possible to expose existing utility objects such as
 // hash tables or fixed arrays. Instead, those would need to be "wrapped" by
 // another ExposedTrustedObject. This limitation is by design: if we were to
 // create such an exposed utility object, it would likely weaken the
 // type-safety mechanism of indirect pointers because indirect pointers are
 // (effectively) tagged with the target's instance type. As such, if the same
 // object type is used in different contexts, they would both use the same type
 // tag, allowing an attacker to perform a "substitution attack". As a concrete
 // example, consider the case of a trusted, exposed byte array. If such a byte
 // array is used (a) to hold some sort of bytecode for an interpreter and (b)
 // some sort of trusted metadata, then an attacker can take a trusted byte
 // array from context (a) and use it in context (b) or vice versa. This would
 // effectively result in a type confusion and likely lead to an escape from the
 // sandbox. This problem goes away if (a) and (b) each use a dedicated object
 // with a unique instance type. It is of course still possible to build new
 // utility objects on top of this class, but hopefully this comment serves to
 // document the potential pitfalls when doing so.
 class ExposedTrustedObject : public TrustedObject {
  public:
   // Initializes this object by creating its pointer table entry.
   inline void init_self_indirect_pointer(IsolateForSandbox isolate);

   // Returns the 'self' indirect pointer of this object.
   // This indirect pointer references a pointer table entry (either in the
   // trusted pointer table or the code pointer table for Code objects) through
   // which this object can be referenced from inside the sandbox.
   inline IndirectPointerHandle self_indirect_pointer_handle() const;

   DECL_CAST(ExposedTrustedObject)
   DECL_VERIFIER(ExposedTrustedObject)

 #ifdef V8_ENABLE_SANDBOX
   // The 'self' indirect pointer is only available when the sandbox is enabled.
   // Otherwise, these objects are referenced through direct pointers.
 #define FIELD_LIST(V)                                                   \
   V(kSelfIndirectPointerOffset, kIndirectPointerSize)                   \
   V(kUnalignedHeaderSize, OBJECT_POINTER_PADDING(kUnalignedHeaderSize)) \
   V(kHeaderSize, 0)                                                     \
   V(kSize, 0)

   DEFINE_FIELD_OFFSET_CONSTANTS(TrustedObject::kHeaderSize, FIELD_LIST)
 #undef FIELD_LIST
 #else   // V8_ENABLE_SANDBOX
   static constexpr int kHeaderSize = TrustedObject::kHeaderSize;
 #endif  // V8_ENABLE_SANDBOX

   OBJECT_CONSTRUCTORS(ExposedTrustedObject, TrustedObject);
 };

 }  // namespace internal
 }  // namespace v8

 #include "src/objects/object-macros-undef.h"

 #endif  // V8_OBJECTS_TRUSTED_OBJECT_H_
	// Copyright 2023 the V8 project authors. All rights reserved.
	// Use of this source code is governed by a BSD-style license that can be
	// found in the LICENSE file.

	#ifndef V8_OBJECTS_TRUSTED_OBJECT_H_
	#define V8_OBJECTS_TRUSTED_OBJECT_H_

	#include "src/objects/heap-object.h"

	// Has to be the last include (doesn't have include guards):
	#include "src/objects/object-macros.h"

	namespace v8 {
	namespace internal {

	#include "torque-generated/src/objects/trusted-object-tq.inc"

	// An object that is trusted to not have been modified in a malicious way.
	//
	// Typical examples of trusted objects are containers for bytecode or code
	// metadata, which often allow an attacker to corrupt (for example) stack
	// memory when manipulated. When the sandbox is enabled, trusted objects are
	// located outside of the sandbox (in one of the trusted heap spaces) so that
	// attackers cannot corrupt these objects and use them to escape from the
	// sandbox. When the sandbox is disabled, trusted objects are treated like any
	// other objects since in that case, many other types of objects (for example
	// ArrayBuffers) can be used to corrupt memory outside of V8's heaps as well.
	//
	// Trusted objects cannot directly be referenced from untrusted objects as this
	// would be unsafe: an attacker could corrupt any (direct) pointer to these
	// objects stored inside the sandbox. However, ExposedTrustedObject can be
	// referenced via indirect pointers, which guarantee memory-safe access.
	class TrustedObject : public HeapObject {
	public:
	DECL_CAST(TrustedObject)
	DECL_VERIFIER(TrustedObject)

	// Protected pointers.
	//
	// These are pointers for which it is guaranteed that neither the pointer-to
	// object nor the pointer itself can be modified by an attacker. In practice,
	// this means that they must be pointers between objects in trusted space,
	// outside of the sandbox, where they are protected from an attacker. As
	// such, the slot accessors for these slots only exist on TrustedObjects but
	// not on other HeapObjects.
	inline Tagged<TrustedObject> ReadProtectedPointerField(int offset) const;
	inline Tagged<TrustedObject> ReadProtectedPointerField(int offset,
	AcquireLoadTag) const;
	inline void WriteProtectedPointerField(int offset,
	Tagged<TrustedObject> value);
	inline void WriteProtectedPointerField(int offset,
	Tagged<TrustedObject> value,
	ReleaseStoreTag);
	inline bool IsProtectedPointerFieldCleared(int offset) const;
	inline bool IsProtectedPointerFieldCleared(int offset, AcquireLoadTag) const;
	inline void ClearProtectedPointerField(int offset);
	inline void ClearProtectedPointerField(int offset, ReleaseStoreTag);

	inline ProtectedPointerSlot RawProtectedPointerField(int byte_offset) const;

	#ifdef VERIFY_HEAP
	inline void VerifyProtectedPointerField(Isolate* isolate, int offset);
	#endif

	static constexpr int kHeaderSize = HeapObject::kHeaderSize;

	OBJECT_CONSTRUCTORS(TrustedObject, HeapObject);
	};

	// A trusted object that can safely be referenced from untrusted objects.
	//
	// These objects live in trusted space but are "exposed" to untrusted objects
	// living inside the sandbox. They still cannot be referenced through "direct"
	// pointers (these can be corrupted by an attacker), but instead they must be
	// referenced through "indirect pointers": an index into a pointer table that
	// contains the actual pointer as well as a type tag. This mechanism then
	// guarantees memory-safe access.
	//
	// We want to have one pointer table entry per referenced object, not per
	// reference. As such, there must be a way to obtain an existing table entry
	// for a given (exposed) object. This base class provides that table entry in
	// the form of the 'self' indirect pointer.
	//
	// The need to inherit from this base class to make a trusted object accessible
	// means that it is not possible to expose existing utility objects such as
	// hash tables or fixed arrays. Instead, those would need to be "wrapped" by
	// another ExposedTrustedObject. This limitation is by design: if we were to
	// create such an exposed utility object, it would likely weaken the
	// type-safety mechanism of indirect pointers because indirect pointers are
	// (effectively) tagged with the target's instance type. As such, if the same
	// object type is used in different contexts, they would both use the same type
	// tag, allowing an attacker to perform a "substitution attack". As a concrete
	// example, consider the case of a trusted, exposed byte array. If such a byte
	// array is used (a) to hold some sort of bytecode for an interpreter and (b)
	// some sort of trusted metadata, then an attacker can take a trusted byte
	// array from context (a) and use it in context (b) or vice versa. This would
	// effectively result in a type confusion and likely lead to an escape from the
	// sandbox. This problem goes away if (a) and (b) each use a dedicated object
	// with a unique instance type. It is of course still possible to build new
	// utility objects on top of this class, but hopefully this comment serves to
	// document the potential pitfalls when doing so.
	class ExposedTrustedObject : public TrustedObject {
	public:
	// Initializes this object by creating its pointer table entry.
	inline void init_self_indirect_pointer(IsolateForSandbox isolate);

	// Returns the 'self' indirect pointer of this object.
	// This indirect pointer references a pointer table entry (either in the
	// trusted pointer table or the code pointer table for Code objects) through
	// which this object can be referenced from inside the sandbox.
	inline IndirectPointerHandle self_indirect_pointer_handle() const;

	DECL_CAST(ExposedTrustedObject)
	DECL_VERIFIER(ExposedTrustedObject)

	#ifdef V8_ENABLE_SANDBOX
	// The 'self' indirect pointer is only available when the sandbox is enabled.
	// Otherwise, these objects are referenced through direct pointers.
	#define FIELD_LIST(V) \
	V(kSelfIndirectPointerOffset, kIndirectPointerSize) \
	V(kUnalignedHeaderSize, OBJECT_POINTER_PADDING(kUnalignedHeaderSize)) \
	V(kHeaderSize, 0) \
	V(kSize, 0)

	DEFINE_FIELD_OFFSET_CONSTANTS(TrustedObject::kHeaderSize, FIELD_LIST)
	#undef FIELD_LIST
	#else // V8_ENABLE_SANDBOX
	static constexpr int kHeaderSize = TrustedObject::kHeaderSize;
	#endif // V8_ENABLE_SANDBOX

	OBJECT_CONSTRUCTORS(ExposedTrustedObject, TrustedObject);
	};

	} // namespace internal
	} // namespace v8

	#include "src/objects/object-macros-undef.h"

	#endif // V8_OBJECTS_TRUSTED_OBJECT_H_