A Secure Runtime for JavaScript and TypeScript Built with V8, Rust, and Tokio (opens in new tab)

(deno.land)

428 pointsGutenYe6y ago66 comments

66 comments

As a contributor to Deno, I am actually quite surprised that this got resurfaced on Hacker news after the hype June last year.

That being said, I suggest checking out this video (recorded this April) for updated information about Deno, since things have changed quite a bit since the initial announcement: https://youtu.be/z6JRlx5NC9E

(Edit: fixed link, posted the wrong one. Why would YouTube think I want to share ads...)

kreetx6y ago

Curious about deno's development stage: can the brave already run it in production, or there are probably too many breaking changes in the pipe that it's better to wait?

inglor6y ago

The brave? Sure - but there will likely be breaking changes. I actually run a small deno server in production for a non critical service and it's been working out fine :]

MuffinFlavored6y ago

Check out the benchmarks. I'm pretty sure normal usage (aka actual HTTP server, not specialized use cases just for benchmarks) is quite a bit slower than node.js

codewithcheese6y ago

fyi the sound gets much better at the 3 minute mark

LunaSea6y ago

As a long time Node.js developer I took a look at the project but it's still a really half-baked implementation of the security flags. You almost always end up flipping all security switches off because your application needs every feature (network, filesystem, etc).

No package signing, no flags per module, no syscall whitelisting, etc.

kevinkassimo6y ago

You turn all permissions on if you are actually using it as if it is Node for writing servers. But in the case when you are using a (potentially untrusted) code snippet to perform certain operations (like encode/decode base64 values), you do might want a sandbox. (For the case of Node-like usage, we actually also have a basic implementation of whitelisted directories/files for certain permissions, though not perfect atm)

We have also discussed about possibilities of implementing an in-memory file system. (Maybe we will also bring sessionStorage to Deno)

Flags per module is slightly trickier, while whitelisting of certain feature is trivial to implement.

Package signing is indeed a topic that Deno contributors need to discuss further and possibly finding a solution.

LunaSea6y ago

Sure but logic doesn't exist in a vacuum so in most cases you are going to import / export your input data or your results to the filesystem or through the network.

I actually suggested a more granular, per-module approach to this during the Node Forward and IO.js debacle years ago: https://github.com/node-forward/discussions/issues/14

At the time it was deemed to difficult to implement in Node.js after the fact, which makes sense of course. But I'm disappointed that Deno didn't go for a more bolder, more secure approach. The current system seems pretty pointless.

1 more reply

finchisko6y ago

In world of hypervisors, containers, apparmors ..., is sandbox really a significant advantage over nodejs?

Actually I saw yt presentation and it didn't convinced me to switch from nodejs. The differences to nodejs are so little, specially when you're using typescript already. The only significant change is "es modules" with ability to resolve modules from url (plus the sandbox).

Still big kudos to Ryan for nodejs.

1 more reply

fanf26y ago

Yes it’s a real shame it isn’t based on object capability security. The resource ID concept makes it really hard to do per-module restrictions, because resources provide global ambient access to anything. And it sounds to me like the dispatch model based on typed arrays means that this is baked in on a fundamental level (unless there are some unforgeable handles that Ryan didn’t mention in his talk).

qaq6y ago

It's not even 1.0 yet.

LunaSea6y ago

I'm not talking about the maturity of the project but more about the concept of the feature flag for security.

2 more replies

tfolbrecht6y ago

For the inevitably "what differentiates this from node?"

Single executable Allows imports from url File system & network Sandboxing is controlled with flags Dies on uncaught errors

https://deno.land/manual.html#introduction

carlmr6y ago

>Dies on uncaught errors

how can JS programmers deal with this?

PudgePacket6y ago

... catch the errors?

1 more reply

mattlondon6y ago

I would imagine you have a watchdog of some sort (perhaps a special URL) and have something probe that every 15-60 seconds etc to see if it is up, if it does not respond then spin up a new instance and kill the failed instance.

Cattle not pets!

lajawfe6y ago

Watch 10 things I regret about node. js - https://youtu.be/M3BM9TB-8yA from the creator of both node and deno to undersatnd his motivations behind the deno project. A very intriguing talk.

pvg6y ago

It is very interesting although I didn't really understand the 'security' part. The motivation seems to be twofold - some bad things have happened because of compromised npm packages and v8 happens to have a robust sandbox. This sounds like a solution looking for a vaguely defined problem. The illustrative example he gives is 'malicious linter'. Is malicious linter that important a threat?

ricardobeat6y ago

In the example the linter itself is not malicious, but used to deliver a malicious program that can have unrestricted filesystem access. Not vague at all, see recent news on the ‘event-stream’ package being used to steal cryptocurrency wallets.

1 more reply

29athrowaway6y ago

> Access between V8 (unprivileged) and Rust (privileged) is only done via serialized messages defined in this flatbuffer.

Expect to see this in "n things I regret about deno"

kevinkassimo6y ago

Replying to Flatbuffers concerns:

You are right, we will try to get rid of it for some faster serialization mechanisms (after some huge internal refactor lands). See the talk I posted, Ryan mentioned about it near the end.

spraak6y ago

Can you explain why?

1 more reply

xtreak296y ago

Ryan Dahl, creator of node.js started this project and is also a lead contributor.

dlbucci6y ago

Is this a new site, or did the project recently reach a milestone, or is this just resurfacing?

I'm really excited about this project, especially the first-class TypeScript. Could easily see it replacing node for me!

anaphor6y ago

What makes this different from something like https://github.com/Agoric/SES ?

inglor6y ago

SES builds on capability theory to let you run "adversarial" code together with your trusted code safely.

Deno is a runtime that aims to isolate the code from the system amongst other issues.

SES uses a proof over the JS grammar with induction, Deno does isolation by not giving any OS level access to your code.

Neither are particularly complete and are mostly orthogonal. Both are looking for people to help with them :]

anaphor6y ago

Thanks, that's a great summary!

qaq6y ago

It is being actively developed. Has a large pool of active contributors.

inglor6y ago

Both the SES people and the Deno people are active. I'd guess there are ~2-10 active people in both projects.

1 more reply

kodablah6y ago

I admittedly haven't researched too deeply, but are there any examples/docs on embedding Deno in another Rust program and/or writing/exposing Rust libs with a TS API?

limsup6y ago

https://crates.io/crates/deno

siempreb6y ago

> A Secure Runtime for JavaScript and TypeScript

So, does it support a specific ECMAscript version? Or am I restricted to the Typescript JS definition? This is confusing..

JeremyBanks6y ago

Nobody's support strictly matches a specific ECMAScript version.

ComodoHacker6y ago

Does "secure" implies some protections against Spectre-like attacks?

fanf26y ago

No, it is about how v8 is sandboxed

snek6y ago

V8 provides some protections against spectre-like attacks, but that's not specific to deno, as Node.js uses V8 as well.

"Secure" in this case refers to being able to not give deno access to the network or filesystem.

unictek6y ago

Careful with Deno, performance is still low: https://user-images.githubusercontent.com/3397140/48649635-8...

inglor6y ago

That's just FUD through a synthetic benchmark by the person who wrote uWS after he approached Ryan and Ryan wouldn't do everything he asked for...

unictek6y ago

Running a local benchmark to compare Node.js and Deno gave me the same magnitude of performance difference. I like the concepts behind Deno but the performance should stay a top priority. Even more for a new technology that is looking for future adoption. If Deno gets faster than Node.js, I adopt it. If it stays 5x less performant than Node.js, I skip it.

1 more reply

PudgePacket6y ago

That bench has deno at 0.2, it's now at 0.10, though I have no idea how much performance work has been done.

Performance should improve over time, there's no fundamental reason from what I understand that it shouldn't be as fast or faster than node.

node has had 10 years of work and performance effort from so many people and organisations.

xvilka6y ago

Would be nice also to have the V8 implementation in Rust as well.

wereHamster6y ago

You mean JavaScript implementation in Rust. V8 is one of the many implementations that is written in C++.

spraak6y ago

I think the parent means they wish V8 were in Rust instead of C++

johnhenry6y ago

https://www.youtube.com/watch?v=_uD2pijcSi4

kbumsik6y ago

You can post your opinion here: https://github.com/ansuz/RIIR/issues/

austincheney6y ago

Instead I would rather a SpiderMonkey written in Rust.

j / k navigate · click thread line to collapse

66 comments

kevinkassimo6y ago

As a contributor to Deno, I am actually quite surprised that this got resurfaced on Hacker news after the hype June last year.

(Edit: fixed link, posted the wrong one. Why would YouTube think I want to share ads...)

kreetx6y ago

Curious about deno's development stage: can the brave already run it in production, or there are probably too many breaking changes in the pipe that it's better to wait?

inglor6y ago

The brave? Sure - but there will likely be breaking changes. I actually run a small deno server in production for a non critical service and it's been working out fine :]

MuffinFlavored6y ago

Check out the benchmarks. I'm pretty sure normal usage (aka actual HTTP server, not specialized use cases just for benchmarks) is quite a bit slower than node.js

codewithcheese6y ago

fyi the sound gets much better at the 3 minute mark

LunaSea6y ago

No package signing, no flags per module, no syscall whitelisting, etc.

kevinkassimo6y ago

We have also discussed about possibilities of implementing an in-memory file system. (Maybe we will also bring sessionStorage to Deno)

Flags per module is slightly trickier, while whitelisting of certain feature is trivial to implement.

Package signing is indeed a topic that Deno contributors need to discuss further and possibly finding a solution.

LunaSea6y ago

Sure but logic doesn't exist in a vacuum so in most cases you are going to import / export your input data or your results to the filesystem or through the network.

I actually suggested a more granular, per-module approach to this during the Node Forward and IO.js debacle years ago: https://github.com/node-forward/discussions/issues/14

1 more reply

finchisko6y ago

In world of hypervisors, containers, apparmors ..., is sandbox really a significant advantage over nodejs?

Still big kudos to Ryan for nodejs.

1 more reply

fanf26y ago

qaq6y ago

It's not even 1.0 yet.

LunaSea6y ago

I'm not talking about the maturity of the project but more about the concept of the feature flag for security.

2 more replies

tfolbrecht6y ago

For the inevitably "what differentiates this from node?"

Single executable Allows imports from url File system & network Sandboxing is controlled with flags Dies on uncaught errors

https://deno.land/manual.html#introduction

carlmr6y ago

>Dies on uncaught errors

how can JS programmers deal with this?

PudgePacket6y ago

... catch the errors?

1 more reply

mattlondon6y ago

Cattle not pets!

lajawfe6y ago

Watch 10 things I regret about node. js - https://youtu.be/M3BM9TB-8yA from the creator of both node and deno to undersatnd his motivations behind the deno project. A very intriguing talk.

pvg6y ago

ricardobeat6y ago

1 more reply

29athrowaway6y ago

> Access between V8 (unprivileged) and Rust (privileged) is only done via serialized messages defined in this flatbuffer.

Expect to see this in "n things I regret about deno"

kevinkassimo6y ago

Replying to Flatbuffers concerns:

You are right, we will try to get rid of it for some faster serialization mechanisms (after some huge internal refactor lands). See the talk I posted, Ryan mentioned about it near the end.

spraak6y ago

Can you explain why?

1 more reply

xtreak296y ago

Ryan Dahl, creator of node.js started this project and is also a lead contributor.

dlbucci6y ago

Is this a new site, or did the project recently reach a milestone, or is this just resurfacing?

I'm really excited about this project, especially the first-class TypeScript. Could easily see it replacing node for me!

anaphor6y ago

What makes this different from something like https://github.com/Agoric/SES ?

inglor6y ago

SES builds on capability theory to let you run "adversarial" code together with your trusted code safely.

Deno is a runtime that aims to isolate the code from the system amongst other issues.

SES uses a proof over the JS grammar with induction, Deno does isolation by not giving any OS level access to your code.

Neither are particularly complete and are mostly orthogonal. Both are looking for people to help with them :]

anaphor6y ago

Thanks, that's a great summary!

qaq6y ago

It is being actively developed. Has a large pool of active contributors.

inglor6y ago

Both the SES people and the Deno people are active. I'd guess there are ~2-10 active people in both projects.

1 more reply

kodablah6y ago

I admittedly haven't researched too deeply, but are there any examples/docs on embedding Deno in another Rust program and/or writing/exposing Rust libs with a TS API?

limsup6y ago

https://crates.io/crates/deno

siempreb6y ago

> A Secure Runtime for JavaScript and TypeScript

So, does it support a specific ECMAscript version? Or am I restricted to the Typescript JS definition? This is confusing..

JeremyBanks6y ago

Nobody's support strictly matches a specific ECMAScript version.

ComodoHacker6y ago

Does "secure" implies some protections against Spectre-like attacks?

fanf26y ago

No, it is about how v8 is sandboxed

snek6y ago

V8 provides some protections against spectre-like attacks, but that's not specific to deno, as Node.js uses V8 as well.

"Secure" in this case refers to being able to not give deno access to the network or filesystem.

unictek6y ago

Careful with Deno, performance is still low: https://user-images.githubusercontent.com/3397140/48649635-8...

inglor6y ago

That's just FUD through a synthetic benchmark by the person who wrote uWS after he approached Ryan and Ryan wouldn't do everything he asked for...

unictek6y ago

1 more reply

PudgePacket6y ago

That bench has deno at 0.2, it's now at 0.10, though I have no idea how much performance work has been done.

Performance should improve over time, there's no fundamental reason from what I understand that it shouldn't be as fast or faster than node.

node has had 10 years of work and performance effort from so many people and organisations.

xvilka6y ago

Would be nice also to have the V8 implementation in Rust as well.

wereHamster6y ago

You mean JavaScript implementation in Rust. V8 is one of the many implementations that is written in C++.

spraak6y ago

I think the parent means they wish V8 were in Rust instead of C++

johnhenry6y ago

https://www.youtube.com/watch?v=_uD2pijcSi4

kbumsik6y ago

You can post your opinion here: https://github.com/ansuz/RIIR/issues/

austincheney6y ago

Instead I would rather a SpiderMonkey written in Rust.

j / k navigate · click thread line to collapse