Glossary

This glossary provides definitions for terms used in the context of LavaMoat and related technologies.

Compartment

Compartments are a mechanism for isolating and providing limited power to programs within a shared realm. Compartments are necessary for Hardened JavaScript and are described in the Compartments Proposal.

ECMA-262

See ECMAScript.

ECMAScript

ECMAScript is the standard upon which JavaScript is based. The standard is defined in the ECMA-262 specification. The specification is maintained by the TC39 technical committee.

Endo

Endo is an open source project providing a distributed sandbox for JavaScript. The foundation of Endo is Hardened JavaScript.

Hardened JavaScript

a.k.a. Secure ECMAScript or SES

A standards-track JavaScript proposal concerned with safely running untrusted code. The ses package is a shim of JavaScript features proposed for ECMAScript.

SES can also be conceptualized as a subset of JavaScript.

SES is the backbone of both Endo and LavaMoat.

Resources

• SES on GitHub, part of the Endo project
• Secure ECMAScript TC39 proposal
• Compartment TC39 proposal
• Video: Hardened JavaScript, an introduction by Kris Kowal
• Secure computing guide to learn more about the risks of untrusted JavaScript
• Programming guide for an introduction
• A helpful diagram showing SES as a subset of JavaScript

Intrinsic

A built-in value that is required by the ECMA262 specification.

If an intrinsic is accessible to ECMAScript code, it is a primordial.

See the TC39 glossary for more information.

LavaMoat

An open source suite of tools for securing JavaScript projects against software supply chain attacks. LavaMoat uses Hardened JavaScript in tandem with user-configurable policies to secure the development, build, and runtime environments of JavaScript applications.

Lockdown

The lockdown() function introduced by SES, when called creates a hardened JavaScript environment that protects against prototype pollution.

Resources

• Lockdown on GitHub, part of the ses package
• What Lockdown does to JavaScript in the Programming Guide
• Lockdown() in the Programming Reference

Powers

There’s a concept in Hardened JavaScript called powers. Powers are the capabilities that a compartment has access to. The compartment can only access the powers that it has been granted. For the specific use-case that LavaMoat Policy provides, Powers are effectively the globals and built-in (in case of Node.js programs) modules that are available to the compartment.

Object Capability Programming

a.k.a. OCAP or object-capability model

Object capability programming is a security model that uses the concept of object capabilities to control access to resources. In this model, an object’s authority to access resources is determined by the capabilities it holds. This approach is used in Hardened JavaScript to provide a secure environment for running untrusted code.

Resources

• Object-capability model on Wikipedia
• Awesome OCAP on GitHub
• Video: OCAP Programming in Secure JavaScript by Mark S. Miller
• Robust Composition: Towards a Unified Approach to Access Control and Concurrency Control by Mark S. Miller

OCAP

See Object Capability Programming.

Override Mistake

ECMAScript behavior wherein a TypeError is thrown (in strict mode) for code T[K] = ... when K is a non-writable property in the prototype of T.

See TC39’s definition for further details.

Primordial

An intrinsic value that is accessible to ECMAScript code and required to exist before any ECMAScript code runs.

See the TC39 glossary for more information.

Prototype poisoning

See Prototype pollution.

Prototype pollution

A class of JavaScript vulnerabilities and bugs where a modification is inadvertently made on an object prototype. For example, using unsanitized user input for keys, the following:

myObj[key] = {};
myObj[key].totallySafe = true;

could result in overriding functions on the global Object prototype:

myObj['__proto__'].totallySafe = val;
const uncheckedObj = {};
console.log(uncheckedObj.totallySafe); // true

Realm

A Realm is:

• a set of intrinsic objects
• an ECMAScript global environment
• all of the ECMAScript code that is loaded within the scope of that global environment
• other associated state and resources (i.e. a global object and an associated set of primordial objects).

See the ECMAScript Spec for more information.

Scuttling

TODO

SES

See Hardened JavaScript.

Secure ECMAScript

See Hardened JavaScript.

Supply Chain Attack

A software supply chain attack occurs when attackers infiltrate the development or distribution process of software to insert malicious code into legitimate software packages or updates. This type of cyber attack exploits the trust relationship between software vendors and their customers, aiming to compromise user systems or steal data when the tainted software is deployed or updated.

Shim

A shim is a library that transparently intercepts API calls and changes the arguments passed, handles the operation itself or redirects the operation elsewhere. In JavaScript, shims typically provide standards-track APIs to JavaScript environments which do not yet implement them.

TC39

A technical committee which maintains the ECMAScript standard.

Resources

• TC39 maintains its own glossary of terms used when designing the ECMAScript specification; some of these terms are referenced in this glossary.
• Read about TC39’s scope.