I've been noodling on sandboxing models

Robert Frost:

"Before I built a wall I'd ask to know
What I was walling in or walling out"
(poetryfoundation.org/poems/442)

With computers, this strategy doesn't work. Inside and outside have a way of switching places.

In Unix, the crown jewels were the root user; other user accounts were sandboxed. Code (in C) ran with all types erased.

Time passed. Root grew vestigial, people stopped sharing computers. The crown jewels moved to user accounts.

Compare Java, which has strong types within the VM. (At least until generics started erasing some types.)

In JavaScript, the crown jewels are the user account. Browsers are sandboxed in a strongly typed VM.

More time passed. Local hard disks became disposable (chromebook). The crown jewels moved within the browser.

Enter Wasm. Now the browser tab is the crown jewels. Compiling to Wasm erases types.

As time passes, people will start living within the Wasm sandbox.

unibw.de/patch/papers/usenixse

Some possible lessons to draw from these sample points.

Sandboxing isn't about a single boundary. When designing VMs for adoption, build for isolation _within_ the VM in addition to the boundary. Allow people to collaborate and run untrusted code within a single sandbox.

Oh, and don't erase types.

@akkartik EcmaScript decorators have an idea of metadata, but it's voluntary, & these evil conniving small-minded fucks think decoration has to be at load only, erased, 'cause these small-minded fucks don't get what fucking shit type erasure is & are too fucking idiotic brain-dead dumb, or worse are cavalier "erase all the types" shit nuggets, to do the right thing & have decorators actually express themselves in the language. I hate this standards body. Conservative fucking jerkoffs.

@jauntywunderkind420 @akkartik word. Fucking backwards-compatibility means systems must be secure-at-construction, it can never be added.

@akkartik in contrast to these observations, the most interesting web platform work to me is the file-system-access & low level wasm oriented (but not backed by the real user fs) byte level native wasm oriented low level web fs api, whose name right now escapes me.

@jauntywunderkind420 Mu also goes against this. Mu's not chasing adoption, and the model is explicitly geared against running untrusted code. The eventual vision is to share whole stacks, and to run untrusted stacks in separate VMs that are isolated from your "home" computer.

But I'm going through one of my periodic bouts of self-doubt 😄

@akkartik wasm is the answer, so long as it’s never paired with ambient authorities again. Opaque inter-module references, message sends and capability-based security.

Merveilles