undefined | Better HN

0 pointslxgr1y ago0 comments

Safe in-process sandboxing is obviously possible and even trivial. It does get harder if you care about performance, though.

0 comments

saagarjha1y ago

If the costs are high enough you’re basically reimplementing multi-process isolation from first principles.

kllrnohj1y ago

"trivial" how do you figure? Remember these exploits bypass your own code's conditionals over a shockingly far duration. Unless you just mean for incredibly restrictive usages such as eBPF?

possible absent any performance concerns at all, yeah sure

lxgrOP1y ago

> Unless you just mean for incredibly restrictive usages such as eBPF?

I was actually thinking something more like a bytecode interpreter that runs one operation and then sleeps until the next full wall clock second, but yes, that's my point: If you don't care about performance, you can make process isolation safe very easily.

tptacek1y ago

I think at the point where you're suggesting 1hz bytecode interpreters the onus is kind of on you to be clear you're not talking about plausible points in the design space.

1 more reply

wbl1y ago

That is actually still not secure. The cache will happily retain the trace of the access forever.

1 more reply

willtemperley1y ago

What I know as a developer is web security is really hard. Last week there was a DOM clobbering gadget deep in my TypeScript world and I really didn't have the energy to understand who wants to clobber my DOM and why they need a gadget. I want to build stuff and what worries me is this stuff is just simply not foreseeable.

lxgrOP1y ago

DOM security is a completely different beast from process isolation with WASM (in a web context or otherwise). The attack surface is vastly greater, due to the much larger API complexity.

j / k navigate · click thread line to collapse

0 comments

saagarjha1y ago

If the costs are high enough you’re basically reimplementing multi-process isolation from first principles.

kllrnohj1y ago

"trivial" how do you figure? Remember these exploits bypass your own code's conditionals over a shockingly far duration. Unless you just mean for incredibly restrictive usages such as eBPF?

possible absent any performance concerns at all, yeah sure

lxgrOP1y ago

> Unless you just mean for incredibly restrictive usages such as eBPF?

tptacek1y ago

I think at the point where you're suggesting 1hz bytecode interpreters the onus is kind of on you to be clear you're not talking about plausible points in the design space.

1 more reply

wbl1y ago

That is actually still not secure. The cache will happily retain the trace of the access forever.

1 more reply

willtemperley1y ago

lxgrOP1y ago

DOM security is a completely different beast from process isolation with WASM (in a web context or otherwise). The attack surface is vastly greater, due to the much larger API complexity.

j / k navigate · click thread line to collapse