Capability security enables the concise composition of powerful patterns of cooperation without vulnerability. For a quick 3 minute intro, see:
- Opening Statement on SOSP 50th Anniversary Panel by Mark Miller, 2018-10
Because so much software does not take advantage of capability security, the Open Web Application Security Project (OWASP) defines Code Injection as …
… the general term for attack types which consist of injecting code that is then interpreted/executed by the application.
But code injection isn’t the problem. Excess authority is the problem.
In fact, since Hardened JavaScript provides capability security so that we can provide each component with the least authority it needs, the Agoric chain uses code injection as a flexible extension to cosmos governance: swingset.CoreEval.
One way we use this mechanism is to start new instances of the PSM contract to enable more tokens to trade for IST. We tested this feature shortly before launch:
That proposal contains this JavaScript code:
```js
// Parameters of the new anchor asset (USDC via Axelar) that the PSM will trade for IST.
const anchorOptions = {
  keyword: 'USDC_axl',
  proposedName: 'USD Coin',
  decimalPlaces: 6,
  denom: 'ibc/4B53406F2FD21ABE4EF15977D0585D0C1B9C1DBBA1F911BD1463F42B067FB4D8',
};
// PSM instance configuration: fees in basis points and the IST mint limit.
const config = {
  options: { anchorOptions },
  WantMintedFeeBP: 2n,
  GiveMintedFeeBP: 5n,
  MINT_LIMIT: 16_000_000000n,
};
// Entry point: called with exactly the powers the proposal's permit grants.
const main = async permittedPowers => {
  console.log('starting PSM:', anchorOptions);
  // Attenuate: peel feeMintAccess out of `consume` so it is not passed on
  // to the step that does not need it.
  const {
    consume: { feeMintAccess: _, ...restC },
    ...restP
  } = permittedPowers;
  const noMinting = { consume: restC, ...restP };
  await Promise.all([
    // Registering the anchor asset needs no minting authority.
    startPSM.makeAnchorAsset(noMinting, {
      options: { anchorOptions },
    }),
    // Starting the PSM itself does need feeMintAccess, so it gets the full powers.
    startPSM.startPSM(permittedPowers, config),
  ]);
  console.log('started PSM:', config);
};
// "export" from script: the script's completion value is the function to run.
main;
```
When the voting period ends, provided the proposal passes, that code is evaluated and passed just the permittedPowers specified in another part of the proposal. Since the PSM contract needs to mint new IST, the permitted powers include that capability, called feeMintAccess from its name in the Zoe API. (Note that feeMintAccess is stripped out of the powers passed to makeAnchorAsset, since that function does not need it.) BLD stakers should be very careful with proposals that permit feeMintAccess!
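The attenuation step above, where feeMintAccess is destructured out of the powers before they reach a function that does not need it, is the whole point of least authority. The following is an added example, not code from the Agoric repository: it uses constructed stand-ins for the mint capability and the powers object (makeFeeMintAccess, makePermittedPowers, makeAnchorAssetDemo, startPsmDemo are all hypothetical names) and a general helper, withoutConsume, that drops any named entries from `consume` rather than only feeMintAccess. Object.freeze stands in for Hardened JavaScript's `harden`.

```javascript
// Added example (not Agoric code): attenuating a "permitted powers" object
// before handing it to a component, generalizing the destructuring in the
// proposal script. All names below are constructed stand-ins.

// Stand-in mint capability: only a holder of this object can mint.
const makeFeeMintAccess = () => {
  let minted = 0n;
  return Object.freeze({
    mint: amount => {
      minted += amount;
      return minted;
    },
    totalMinted: () => minted,
  });
};

// Stand-in for the powers a CoreEval permit might grant (constructed shape).
const makePermittedPowers = () =>
  Object.freeze({
    consume: Object.freeze({
      feeMintAccess: makeFeeMintAccess(),
      zoe: Object.freeze({ name: 'zoe' }),
      board: Object.freeze({ name: 'board' }),
    }),
    produce: Object.freeze({ psmKit: () => {} }),
  });

// Attenuation helper: return powers with the named `consume` entries removed.
// The original object is untouched; the result is frozen so the callee
// cannot add capabilities back.
const withoutConsume = (powers, ...names) => {
  const { consume, ...restP } = powers;
  const restC = Object.fromEntries(
    Object.entries(consume).filter(([key]) => !names.includes(key)),
  );
  return Object.freeze({ consume: Object.freeze(restC), ...restP });
};

// A component that only needs zoe and board. It reports whether minting
// authority reached it, so we can check the attenuation worked.
const makeAnchorAssetDemo = powers => {
  const {
    consume: { zoe, board },
  } = powers;
  return {
    usedZoe: zoe.name,
    usedBoard: board.name,
    canMint: 'feeMintAccess' in powers.consume,
  };
};

// A component that genuinely needs to mint, so it receives the full powers.
const startPsmDemo = (powers, config) => {
  const {
    consume: { feeMintAccess },
  } = powers;
  return feeMintAccess.mint(config.MINT_LIMIT);
};

// Run both components with appropriately attenuated powers and return
// the observable results.
const demo = () => {
  const permittedPowers = makePermittedPowers();
  const noMinting = withoutConsume(permittedPowers, 'feeMintAccess');
  const anchor = makeAnchorAssetDemo(noMinting);
  const minted = startPsmDemo(permittedPowers, { MINT_LIMIT: 16_000_000000n });
  return {
    anchor,
    minted,
    attenuatedKeys: Object.keys(noMinting.consume),
    stillHasProduce: 'produce' in noMinting,
    originalIntact: 'feeMintAccess' in permittedPowers.consume,
  };
};

console.log(demo());
```

The check worth keeping in mind: a component handed `noMinting` has no path to feeMintAccess at all (the property is simply absent, not merely hidden), while the untouched `permittedPowers` still carries it for the one step that needs it.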
For reference: the startPSM.makeAnchorAsset and startPSM.startPSM functions come from packages/inter-protocol/src/proposals/startPSM.js.
To dig a little deeper on capability security, check out:
- Navigating the Attack Surface to achieve a multiplicative reduction in risk 15min
- Foundations for Hardened JavaScript 28min
- How Agoric Solves Reentrancy Hazards and Other Platform Features 32min
Acknowledgement: the swingset.CoreEval feature started with a Jan 2021 design sketch by Michael Fig: