SES: Securing JavaScript in the Real World

Mark S. Miller, 4-Dec-2019

JavaScript applications use and rely on a lot of third-party code, including modules, packages, libraries, and in some cases even user-provided code for extensions and plug-ins. Too often, applications are fully exposed to these dependencies: not only do a dependency’s current security vulnerabilities affect the application, so do any future ones. Overnight, any dependency could get “upgraded” into an exploit, resulting in a security breach like the event-stream incident.

This is where SES comes in. SES is a JavaScript runtime library for running such third-party code safely inside a featherweight compartment. SES stands for Secure ECMAScript, where ECMAScript is the standards name for JavaScript. SES addresses JavaScript’s lack of security. SES supports practicing the Principle of Least Authority (POLA), so that the risk from most third-party code can be substantially reduced.

Early JavaScript provided no such compartmentalization. Essentially any software component could completely compromise any other component. However, starting in 2009 with ES5 (ECMAScript version 5), we introduced enablers such as Object.freeze, strict mode, Promise, and Proxy to start securing JavaScript, so we could use it as an object-capability (ocap) secure programming language. The decade of work since ES5 means you can load a small SES library into any conforming JavaScript system to create a safer programming environment. The library in turn enforces that further JavaScript code loaded into the system must stay within ocap rules.
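The POLA pattern described above, as an added example that is not SES's own code: a hand-written deep freeze stands in for hardening, the plugin receives only an attenuated capability, and a constructed plugin tries to tamper with it. `makeHost`, `makePluginApi`, `runPlugin` and the plugin source are assumptions for illustration; the global isolation a SES compartment provides is deliberately not emulated here.

```javascript
// Deep-freeze stand-in for SES-style hardening: freezes every object reachable
// from `root` via own data properties, so a holder cannot add/replace methods.
function harden(root) {
  const seen = new Set();
  const todo = [root];
  while (todo.length) {
    const obj = todo.pop();
    if (obj === null || (typeof obj !== 'object' && typeof obj !== 'function') || seen.has(obj)) continue;
    seen.add(obj);
    Object.freeze(obj);
    for (const key of Reflect.ownKeys(obj)) {
      const d = Object.getOwnPropertyDescriptor(obj, key);
      if ('value' in d) todo.push(d.value);
    }
  }
  return root;
}
// Constructed in-memory host: the full authority the application itself holds.
function makeHost() {
  const files = new Map([['secrets.txt', 'api-key=PLACEHOLDER']]);
  const log = [];
  return { read: (name) => files.get(name), write: (name, t) => files.set(name, t), log };
}
// POLA: hand the plugin only the capability it needs (append-only logging),
// never the host object, so `read` and `write` are unreachable through `api`.
function makePluginApi(host, hardened) {
  const api = { log: (msg) => { host.log.push(String(msg)); } };
  return hardened ? harden(api) : api;
}
// Run plugin source with only the endowments passed in. `new Function` still
// sees the real globals; closing that hole is what a SES compartment is for.
function runPlugin(source, api) {
  new Function('api', source)(api);
}
// Constructed "third-party" plugin: does its job, then tries to replace
// api.log on the shared object and probes for a read capability it was never given.
const PLUGIN_SOURCE = `
  api.log('plugin started');
  const original = api.log;
  try { api.log = () => 'hijacked'; } catch (e) { /* strict-mode plugins would throw here */ }
  original('tamper ' + (api.log === original ? 'failed' : 'succeeded'));
  original('read capability: ' + typeof api.read);
`;
// Returns the host log so the hardened and unhardened runs can be compared.
function demo(hardened) {
  const host = makeHost();
  runPlugin(PLUGIN_SOURCE, makePluginApi(host, hardened));
  return host.log;
}
```

Running `demo(false)` shows the tamper succeeding on the unfrozen API; `demo(true)` shows it failing, while in both cases the attenuated API never exposes `read`.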
