Can malicious ad js be fixed (from publisher perspective) by fetching & interpreting it with an interpreter written in js rather than directly executing it in the browser?
-
Show this thread
-
Replying to @RichFelker
Probably not because *mumble* *mumble* halting problem
1 reply 0 retweets 0 likes -
Replying to @rqou_
Halting problem is irrelevant. A pure functional language is Turing-equivalent but harmless because it has no side effects.
2 replies 0 retweets 0 likes -
Replying to @RichFelker
I suppose it depends on what exactly you want to protect against. On one hand you can have "may only have an animated image with no JS" and on the other hand you have RowhammerJS/SpectreJS which would be difficult to defend against
1 reply 0 retweets 0 likes -
Replying to @rqou_
Um, blocking rowhammer is trivial. If you implement the vm you can limit store rate however you like.
1 reply 0 retweets 0 likes -
Replying to @RichFelker @rqou_
And if you detected anything nasty, you just abort loading the ad and switch to trying load from a different ad network.
1 reply 0 retweets 0 likes -
Replying to @RichFelker @rqou_
Force the networks to compete on not getting aborted for bad js behavior.
1 reply 0 retweets 0 likes -
Replying to @RichFelker
Are you proposing always running the ad JS through the interpreter (as opposed to trying to check for bad behavior ahead of time)? I think this is possible in theory, but there's no real incentive for a site to do this.
1 reply 0 retweets 0 likes -
Replying to @rqou_
Rich Felker Retweeted Anil Dash
Sure there is. See:https://twitter.com/anildash/status/950097073478819841 …
Rich Felker added,
2 replies 0 retweets 0 likes
And yes, always through the interpreter. Abort & try a different ad as soon as it breaks the rules.
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.