Can malicious ad js be fixed (from publisher perspective) by fetching & interpreting it with an interpreter written in js rather than directly executing it in the browser?
Halting problem is irrelevant. A pure functional language is Turing-equivalent but harmless because it has no side effects.
-
-
The question is more whether you can virtualize the browser js environment appropriately.
Thanks. Twitter will use this to make your timeline better. UndoUndo
-
-
-
I suppose it depends on what exactly you want to protect against. On one hand you can have "may only have an animated image with no JS" and on the other hand you have RowhammerJS/SpectreJS which would be difficult to defend against
-
Um, blocking rowhammer is trivial. If you implement the vm you can limit store rate however you like.
-
And if you detected anything nasty, you just abort loading the ad and switch to trying load from a different ad network.
-
Force the networks to compete on not getting aborted for bad js behavior.
-
Are you proposing always running the ad JS through the interpreter (as opposed to trying to check for bad behavior ahead of time)? I think this is possible in theory, but there's no real incentive for a site to do this.
-
Sure there is. See:https://twitter.com/anildash/status/950097073478819841 …
-
And yes, always through the interpreter. Abort & try a different ad as soon as it breaks the rules.
End of conversation
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.