Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
@agoric/swingset-vat
Advanced tools
This repository contains another proof-of-concept Vat host, like PlaygroundVat. This one is modeled after KeyKOS "Domains": all Vats run on top of a "kernel" as if they were userspace processes in an operating system. Each Vat gets access to a "syscall" object, through which it can send messages into the kernel. Vats receive message from the kernel via a "dispatch" function which they register at startup.
Our goal is to experiment with different serialization/queueing mechanisms. One such mechanism is implemented so far, named "live slots", but we know this is insufficient to provide persistence across restarts.
More docs are in the works. For now, try:
$ npm install
$ npm test
$ bin/vat run demo/encouragementBot
This repository is still in early development: APIs and features are not expected to stabilize for a while.
$ bin/vat shell demo/encouragementBot
vat>
Shell mode gives you an interactive REPL, just like running node
without
arguments. All vats are loaded, and three additional commands are added to
the environment:
dump()
: display the kernel tables, including the run queuestep()
: execute the next action on the run queuerun()
: keep stepping until the run queue is emptyThe main argument to bin/vat
is a "basedir", which contains sources for all
the Vats that should be loaded into the container.
Every file named vat-*.js
(e.g. vat-foo.js
and vat-bar-none.js
) will
create a new Vat (with names like foo
and bar-none
). Each directory named
vat-*/
that has an index.js
will also create a new Vat (e.g.
vat-baz/index.js
).
In addition, a file named bootstrap.js
must be present. This will contain
the source for the "bootstrap Vat", which behaves like a regular Vat except:
bootstrap
method will be invoked, as bootstrap(argv, vats)
argv
value will be an array of strings, from the command line. So
running bin/vat BASEDIR -- x1 x2 x3
will set argv = ['x1', 'x2', 'x3']
.vats
value will be an object with keys named after the other Vats
that were created, and values which are each a Presence for that Vat's root
object. This allows the bootstrap Vat to invoke the other Vats, and wire
them together somehow.The bootstrap()
invocation is the only way to get anything started: all
other Vats are born without external references, and nothing can be invoked
without an external reference. Those Vats can execute code during their
setup()
phase, but without Presences they won't be able to interact with
anything else.
Each Vat source file (like vat-foo.js
or vat-bar.js
) is treated as a
starting point for the rollup
tool, which converts the Vat's source tree
into a single string (so it can be evaluated in a SES realm). This starting
point can use import
to reference shared local files. No
non-local imports are allowed yet.
The source file is expected to contain a single default export function named
setup
. This low-level function is invoked with a syscall
object, and is
expected to return a dispatch
object.
The "Live Slots" layer provides a function to build dispatch
out of
syscall
, as well as a way to register the root object. This requires a few
lines of boilerplate in the setup()
function.
function buildRootObject(E) {
return harden({
callRight(arg1, right) {
console.log(`left.callRight ${arg1}`);
E(right)
.bar(2)
.then(a => console.log(`left.then ${a}`));
return 3;
},
});
}
export default function setup(syscall, state, helpers) {
const dispatch = helpers.makeLiveSlots(syscall, state, buildRootObject, helpers.vatID);
return dispatch;
}
The Live Slots system enables delivery of messages to remote "Callable Objects" objects, as long as those objects are of a particular form. All Callable Objects must follow these rules:
harden()
edThe system can pass-by-copy "Data Objects" with similar rules:
harden()
edThe "Root Object" is a callable object returned by buildRootObject()
. It
will be made available to the Bootstrap Vat.
When a Callable Object is sent to another Vat, it arrives as a Presence. This is a special (empty) object that represents the Callable Object, and can be used to send it messages. If you are running SwingSet under SES (the default), then the so-called "wavy dot syntax" (proposed for future ECMAScript) can be used to invoke eventual send methods.
Suppose Vat "bob" defines a Root Object with a method named bar
. The
bootstrap receives this as vats.bob
, and can send a message like this:
function bootstrap(argv, vats) {
vats.bob~.bar('hello bob');
}
The ~.
operator (pronounced "wavy dot") has the same left-to-right precedence as
the .
"dot" operator, so that example is equivalent to
HandledPromise.applyMethod(vats.bob, 'bar', ['hello bob'])
.
If you are not running under SES and your Javascript environment does not yet support "wavy dot syntax" (i.e. running "abc"~.[2]
results in a syntax error, not a Promise), then the special E()
wrapper can be used to get a proxy from which methods can be invoked, which looks like:
function bootstrap(argv, vats) {
E(vats.bob).bar('hello bob');
}
The main purpose of the wavy dot syntax (and E wrapper) is to provide an "eventual send" operator, in which the message is always delivered on some later turn of the event loop. This happens regardless of whether the target is local or in some other Vat:
const t1 = {
foo() { console.log('foo called'); },
};
t1~.foo()
console.log('wavy dot called');
will print:
wavy dot called
foo called
This is equivalent to:
HandledPromise.applyMethod(t1, 'foo', [])
or
E(t1).foo()
Eventual-sends return a Promise for their eventual result:
const fooP = bob~.foo();
fooP.then(resolution => console.log('foo said', resolution),
rejection => console.log('foo errored with', rejection));
Wavy dot syntax also accepts Promises, just like Promise.resolve
. The
method will be invoked (on some future turn) on whatever the Promise resolves
to.
If wavy dot syntax is used on a Promise which rejects, the method is not invoked, and
the return promise's rejection
function is called instead:
const badP = Promise.reject(Error());
const p2 = badP~.foo();
p2.then(undefined, rej => console.log('rejected', rej));
// prints 'rejected'
If the Promise resolves to something which does not support the method,
the method delivery will reject with a TypeError
.
In fooP = bob~.foo()
, fooP
represents the (eventual) return value of
whatever foo()
executes. If that return value is also a Callable Object, it
is possible to queue messages to be delivered to that future target. The
Promise returned by an eventual-send can be used by wavy dot syntax too, and
the method invoked will be turned into a queued message that won't be
delivered until the first promise resolves:
const db = databaseServer~.openDB();
const row = db~.select(criteria)
const success = row~.modify(newValue);
success.then(res => console.log('row modified'));
If you don't care about them, the intermediate values can be discarded:
databaseServer~.openDB()~.select(criteria)~.modify(newValue)
.then(res => console.log('row modified'));
This can be done outside of SES in legacy Javascript environments with the E()
wrapper:
E(E(E(databaseServer).openDB()).select(criteria)).modify(newValue)
.then(res => console.log('row modified'));
This sequence could be expressed with plain then()
clauses, but by chaining
them together without then
, the kernel has enough information to
speculatively deliver the later messages to the Vat in charge of answering
the earlier messages. This avoids unnecessary roundtrips, by sending the
later messages during "downtime" while the target Vat thinks about the answer
to the first one.
This drastic reduction in latency is significant when the Vats are far away from each other, and the inter-Vat communication delay is large. The SwingSet container does not yet provide complete facilities for off-host messaging, but once that is implemented, promise pipelining will make a big difference.
Presences preserve identity as they move from one Vat to another:
Promises are not intended to preserve identity. Vat code should not compare
objects for identity until they pass out of a .then()
resolution handler.
FAQs
Vat/Container Launcher
The npm package @agoric/swingset-vat receives a total of 5,883 weekly downloads. As such, @agoric/swingset-vat popularity was classified as popular.
We found that @agoric/swingset-vat demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.