feat(ses,pass-style): use non-trapping integrity trait for safety

[erights]

Staged on #2673

Closes: #XXXX
Refs: #XXXX

Description

Use of the non-trapping integrity level, as provided by the ponyfill and shim at #2673 , for additional safety of both the ses-shim and @endo/pass-style.

• Extends permits.js to permit the extra properties introduced by feat(non-trapping-shim): opt-in shim of the non-trapping integrity trait #2673 . This includes both
  • the trap support ({Object,Reflect}.{isNoTrapping,suppressTrapping})
• Modify harden to suppressTrapping at each step, rather than merely freeze
• Modify passStyleOf so that it checks isNoTrapping where it currently checks isFrozen.

Security Considerations

The point. By having passStyleOf ensure that copyData (copyList, copyRecord, tagged) is non-trapping, we enable programming patterns that check this pass-style early on suspect parameters. Once those checks pass, we now know we can operate on such copy-data within the function body without the possibility that these operations cause interleaving with foreign code, and thus without vulnerability to reentrancy hazards or attacks.

Scaling Considerations

In addition to those documented at #2673:

• Until we get the native harden of XS to do suppressTrapping at each step, we need to remove the shortcut to use the native harden if there is one. This will be expensive. Likely too expensive to use in production.
  • Update: We now make the harden bypass conditional on whether the opt-in shim has been enabled. By default, it is disabled, avoiding the cost for the default case.
• In fact, avoiding the native hardener is so expensive that for this PR to proceed at all, the main changes will need to be switched by a new config option, likely starting with a default of off.
  • Update: The shim has indeed been made opt-in
• fix(ses): dont use native harden #2677 doesn't use the native harden, but its CI shows a bunch of resulting errors to be understood and fixed.
  • Update: fix(ses): dont use native harden #2677 now passes, and its changes have been incorporated into this PR.

Documentation Considerations

Other than those documented at #2673, none

Testing Considerations

• Because our checks for acyclic package dependencies does not distinguish between dependencies and devDependencies, if we want to continue to use ses-ava to test @endo/non-trapping-shim, but also have ses depend on @endo/non-trapping-shim for enhancing harden, we will need to move the @endo/non-trapping-shim tests somewhere else. Or find another way to avoid the package-dependency-cycle diagnostic.

  • Update: Avoiding this problem rather than fixing it. The shim now just uses plain ava.

• We should also write tests that fail with the prior freeze-only harden behavior, especially tests that demonstrate reentrancy attacks, and see that those test newly pass with this PR.

• Because this PR's CI is for testing in the shim's default opt-out state, we need to do something else to run all these CI tests when the shim is opted into. We use DO NOT MERGE flip non trapping shim default #2699 as a temporary placeholder to do so. It flips the shim to opt-out, so that it defaults to 'enabled'. If CI passes in that PR, we take that as confirmation that this PR is compat with both states. However, this duality is not itself something we can automatically retest for future PRs.

  • Update: DO NOT MERGE flip non trapping shim default #2699 CI succeeded. I'll take that as verification and am checking this off.

Compatibility Considerations

In addition to those documented at #2673:

Proxies on frozen almost-empty targets often still do useful work in their trap handlers. This is because get and has, for example, if about non-own property names, are still general traps. In addition, apply can ignore the call behavior of its target and just do its own thing. For these cases, we need to be careful not to harden the target or proxy. We need to find and convert these cases to explicitly freeze.

Going the other way, some tests would freeze some inputs to passStyleOf, depending on these freeze calls to make the known-input-structure hardened, or hardened enough. But now that passStyleOf requires non-trapping, this should usually be changed to harden.

Upgrade Considerations

Other than those documented at #2673, none

[erights]

@michaelfig Adding you as an additional reviewer. Please look at least at the changes to eventual-send and captp. Thanks!

[michaelfig]

Your changes to eventual-send and captp LGTM.

Is it too late to change all occurrences of "no-trapping" to "non-trapping"? That would be more consistent with other terms in the integrity levels, like "non-frozen".

[erights]

So I have 2 concerns after looking at this PR and its adoption in agoric-sdk (Agoric/agoric-sdk#10795):

• Given the early nature of the non-trapping proposal, I would like SES and endo packages to avoid taking a hard dependency on it. Can we instead feature detect and use non-trapping only if available? Then we can move the shim application to @endo/init?
• The changes to harden (and to some extend passStyleOf) are presenting a potential upgrade hazard. We generally consider harden to be part of the platform, which means it may get upgraded independently of the code using it. The problem is that we have some code with harden usages that are no longer valid after this change: any code that was hardening proxies or their target. That means we will not be able to use the same user code with updated XS and/or lockdown bundles that include this change. I am really not sure how we work around this one, besides accepting this breaking change / incompatibility, and require that platforms like agoric-sdk use "repaired" lockdown bundles to skip/undo this change if it needs to load incompatible user code.

The shim is now opt-in, i.e., disabled by default. It has no effect unless explicitly opting in to the new behavior via env-options SES_NON_TRAPPING_SHIM=enabled

[erights]

Converting to draft while we wait for draft #2684 to settle down

No longer any need to wait on that. This PR is again Ready for Review. PTAL