Reading through this question on multi-threaded javascript, I was wondering if there would be any security implications in allowing javascript to spawn mutliple threads. For example, would there be a risk of a malicious script repeatedly spawning thread after thread in an attempt to overwhelm the operating system or interpreter and trigger entrance into ‘undefined behavior land’, or is it pretty much a non-issue? Any other ways in which an attack might exploit a hypothetical implementation of javascript that supports threads that a non-threading implementation would be immune to?
Update: Note that locking up a browser isn’t the same as creating an undefined behavior exploit.
No, multiple threads would not add extra security problems in a perfect implementation. Threaded javascript would add complexity to the javascript interpreter which makes it more likely to have an exploitable bug. But threads alone are not going to add any security issues.
Threads are not present in javascript because ‘Threads Suck’ – read more from the language designer (http://weblogs.mozillazine.org/roadmap/archives/2007/02/threads_suck.html)