Hi, I'm kumavis from MetaMask. Today I'm going to be talking about LavaMoat. It's a set of security tools for JavaScript apps. I'm going to be talking really, really fast, so if you don't catch everything, please come ask me questions later. I can speak Japanese too, so Japanese attendees, please feel free to ask questions in Japanese. John Wender, John Wender. No, I quit, I quit.

OK, so is anyone here building anything with JavaScript? Front end and back end, wallet, dapp, anything? A couple of people? OK, you really need to understand the security situation with JavaScript and dependencies. Recently there was the BitPay open source wallet, OK, a Bitcoin wallet that was hacked through its dependencies, and there were a few vulnerable versions of the wallet published, and there was some loss associated with that.

OK, so I'm going to be talking about LavaMoat. LavaMoat is a set of security tools for any JavaScript app to mitigate software supply chain risk. We're talking about dependencies. It's relevant for any JavaScript app, especially relevant for dapps and wallets.

Dependence Stream. This is the Copay wallet hack. It made a big splash when it happened in 2018. Essentially, so, Palmer, creator of the Dogecoin wallet, summed it up very well: BitPay essentially trusted all the upstream dependencies, the npm dependencies and their developers, to never inject malicious code into their wallet.

So if dependencies can go bad, how can we fix that? There's a bunch of discussion around it. Some people said never use dependencies. I think this is kind of terrible, because the joy of technology is that it builds on technology and we all get to move forward. And it kind of maybe ruins the whole, like, different Google Manager on crypto. So dependencies can be nice. The other side was audit all dependencies, always. And of course this is a good idea, but it's not always practical. Especially, let's say you have some potentially loss-causing bug in production and you've got to push a hot fix. Do you have time to audit all the dependencies and how they interact with other dependencies? Hopefully, but we've done it. So is there nothing else that we can do to improve the situation?

So Mark Miller from Agoric has been working on security and languages for over 30 years. He's been working with JavaScript for over 10 years. If you've heard of promises, WeakMaps, strict mode, you're familiar with some of his work. This is a great quote: "Don't add security, remove insecurity." This is referring to object capabilities. Said less gracefully: remove everything, and then only add what you need to do your feature. This feature is in the hands of the guys that are basically attack vectors. So they're working, he's the chief scientist at Agoric, they're working on Secure EcmaScript, also known as SES. And it's basically a secure eval statement where you can control what the code that's evaluated has access to. It works through frozen intrinsics, so it freezes down things like Object and Array. You may not know it, but you can override what Array.prototype.map does, and that might ruin your assumptions about what has access to what data. So the simple version of the solution is just to freeze it at runtime, at boot, so your dependencies can't mess with things. And then also explicit endowments. Like I said, when you do eval you get to pass in what it has access to. So that might look like: you're evaluating a module, and you pass in just the platform APIs that are relevant.

So LavaMoat builds on top of that to provide runtime protection for bundles, so you get those at build time. So come ask me about this more. Thanks.
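As an added example (not code from the talk, nor from LavaMoat or SES): a small JavaScript demo of the two ideas above, a dependency overriding Array.prototype.map so it sees every caller's data, what freezing that intrinsic at boot does to the same dependency, and evaluating code with explicitly passed endowments. Object.freeze on two prototypes and the new Function wrapper are simplified stand-ins of my own, not a real SES compartment; in particular the wrapper does not hide globals.

```javascript
const originalMap = Array.prototype.map;
const leaked = []; // constructed: where the tampered map copies every result

// Constructed "dependency": swaps Array.prototype.map for a wrapper that
// also records every mapped value. Returns what happened to the assignment.
function untrustedDependency() {
  'use strict'; // strict mode turns a write to a frozen object into a TypeError
  try {
    Array.prototype.map = function (fn, thisArg) {
      const out = originalMap.call(this, fn, thisArg);
      leaked.push(...out);
      return out;
    };
    return 'patched';
  } catch (e) {
    return 'blocked: ' + e.constructor.name;
  }
}

// Simplified stand-in for "frozen intrinsics": freeze prototypes at boot.
function freezeIntrinsics() {
  Object.freeze(Array.prototype);
  Object.freeze(Object.prototype);
}

// Endowment shape: the evaluated code gets only the names passed in as
// parameters. Hypothetical helper, not the SES API; globals stay reachable.
function evalWithEndowments(code, endowments) {
  const names = Object.keys(endowments);
  const fn = new Function(...names, '"use strict"; ' + code);
  return fn(...names.map((n) => endowments[n]));
}

function demo() {
  // 1. No protection: the dependency patches map and sees unrelated callers' data.
  const r1 = untrustedDependency();
  [1, 2, 3].map((x) => x * 2);
  const unprotected = { r: r1, leakedCount: leaked.length }; // patched, 3
  Array.prototype.map = originalMap; // undo the tamper before the protected run
  // 2. Frozen intrinsics: the same dependency is refused and nothing leaks.
  freezeIntrinsics();
  const before = leaked.length;
  const r2 = untrustedDependency();
  const doubled = [4, 5].map((x) => x + 1);
  const protectedRun = { r: r2, leakedDelta: leaked.length - before, doubled };
  // 3. Endowments: evaluated code only receives what we hand it.
  const sum = evalWithEndowments('return xs.reduce((a, b) => a + b, 0);', { xs: doubled });
  return { unprotected, protected: protectedRun, sum };
}
```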