Context
In #813 / #933 we made the vat global allowlist configurable and expanded it with host/Web API endowments. The current implementation passes raw globalThis references (e.g. globalThis.setTimeout, globalThis.Date) as endowments.
MetaMask Snaps has battle-tested endowment factories that provide attenuated versions of these globals with security and lifecycle improvements. We opened MetaMask/snaps#3957 to export them via @metamask/snaps-execution-environments/endowments.
What to do
Once snaps#3957 is merged and released, update packages/ocap-kernel/src/vats/endowments.ts to import and use the Snaps factories:
Replace with attenuated versions
setTimeout / clearTimeout → timeout.factory() — handle isolation (vats can't clear each other's timers), type checking, teardown function for vat termination
Date → date.factory() — Date.now() adds ~1ms noise (anti-timing-attack, monotonic)
Add new endowments
setInterval / clearInterval → interval.factory() — same attenuation as timeout
crypto / SubtleCrypto → crypto.factory() — hardened Web Crypto API
Math → math.factory() — replaces Math.random() with crypto-backed RNG
Integrate teardown
The timeout and interval factories return a teardownFunction. Wire these into VatSupervisor.terminate() to clean up pending timers when a vat is stopped.
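As an added illustration (not ocap-kernel code and not the Snaps factory implementation, whose internals this issue does not show), the sketch below implements the three properties listed above for setTimeout / clearTimeout: handles are opaque objects minted per endowment, so a handle from one vat's endowment is unknown to another's and clearing it is a no-op; arguments are type-checked before they reach the host; and a teardownFunction clears every pending timer, which is what VatSupervisor.terminate() would call. The names makeTimeoutEndowment, TimerHost, VatTeardowns and the injectable host are assumptions chosen so the example runs offline against a fake host.

```typescript
// Added example: an attenuated setTimeout/clearTimeout endowment with
// per-endowment handle isolation, argument checking and teardown.
// Not the Snaps timeout.factory(); names here are hypothetical.

// Opaque, branded handle type: vat code cannot forge or inspect it.
type VatTimerHandle = { readonly __brand: 'VatTimerHandle' };

// The underlying timer provider, injectable so tests need no real clock.
interface TimerHost {
  setTimeout: (cb: () => void, ms: number) => unknown;
  clearTimeout: (id: unknown) => void;
}

// Default host backed by the real platform timers.
const hostTimers: TimerHost = {
  setTimeout: (cb, ms) => globalThis.setTimeout(cb, ms),
  clearTimeout: (id) => globalThis.clearTimeout(id as ReturnType<typeof setTimeout>),
};

interface TimeoutEndowment {
  setTimeout: (callback: () => void, ms: number) => VatTimerHandle;
  clearTimeout: (handle: VatTimerHandle) => void;
  teardownFunction: () => number; // clears everything, returns how many
  pendingCount: () => number;
}

function makeTimeoutEndowment(host: TimerHost = hostTimers): TimeoutEndowment {
  // handle -> host timer id. Only handles minted by this endowment are here,
  // so a handle obtained from another vat's endowment can never be cleared.
  const pending = new Map<VatTimerHandle, unknown>();

  const setTimeout = (callback: () => void, ms: number): VatTimerHandle => {
    if (typeof callback !== 'function') {
      throw new TypeError('setTimeout: callback must be a function');
    }
    if (typeof ms !== 'number' || !Number.isFinite(ms) || ms < 0) {
      throw new TypeError('setTimeout: delay must be a non-negative finite number');
    }
    const handle = Object.freeze({ __brand: 'VatTimerHandle' }) as VatTimerHandle;
    const id = host.setTimeout(() => {
      pending.delete(handle); // fired timers are no longer pending
      callback();
    }, ms);
    pending.set(handle, id);
    return handle;
  };

  const clearTimeout = (handle: VatTimerHandle): void => {
    const id = pending.get(handle);
    if (id === undefined) {
      return; // unknown or foreign handle: ignored, never reaches the host
    }
    host.clearTimeout(id);
    pending.delete(handle);
  };

  const teardownFunction = (): number => {
    let cleared = 0;
    for (const id of pending.values()) {
      host.clearTimeout(id);
      cleared += 1;
    }
    pending.clear();
    return cleared;
  };

  return Object.freeze({
    setTimeout,
    clearTimeout,
    teardownFunction,
    pendingCount: () => pending.size,
  });
}

// Hypothetical wiring: a supervisor collects each endowment's teardown and
// runs them all when the vat is terminated.
class VatTeardowns {
  private readonly teardowns: Array<() => number> = [];

  register(teardown: () => number): void {
    this.teardowns.push(teardown);
  }

  // Called from the supervisor's terminate path; returns total timers cleared.
  terminate(): number {
    const total = this.teardowns.reduce((sum, fn) => sum + fn(), 0);
    this.teardowns.length = 0;
    return total;
  }
}

// Stand-alone demo against real timers: the pending timer never fires
// because the vat is torn down first.
const demoVat = makeTimeoutEndowment();
const demoTeardowns = new VatTeardowns();
demoTeardowns.register(demoVat.teardownFunction);
demoVat.setTimeout(() => console.log('should not print'), 50);
console.log(`cleared on terminate: ${demoTeardowns.terminate()}`);
```

Design note: the host timer id never leaves the closure, so vat code sees only the branded handle; the same shape works for setInterval / clearInterval, and keeping a separate map per endowment is what makes the isolation a property of the factory rather than of the caller's good behaviour.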
Keep as-is
TextEncoder, TextDecoder, URL, URLSearchParams, atob, btoa, AbortController, AbortSignal — Snaps' versions just do harden(X) which is effectively what we already do.
Location
packages/ocap-kernel/src/vats/endowments.ts
packages/ocap-kernel/src/vats/VatSupervisor.ts (terminate method)