1. 13

  2. 10

    They talk like language-based security is new. Yeah, there’s a ton of these in the literature. Anything enforcing memory safety (e.g. Softbound+CETS or SAFEcode), control-flow integrity (esp. Code-Pointer Integrity w/ segments), data-flow integrity, information-flow control, etc. might be useful to build on here. Many are designed for C, too, which is closer to metal than JavaScript, has tons of automated checkers (e.g. RV-Match from RVI), and a certifying compiler (CompCert).

    The other drawback is you have fewer layers of protection if operating in-process with language-based and/or tactical mitigations. The MMU can isolate what we call known unknowns where something goes wrong (e.g. bitflip or RAM decay on protection mechanism), the app goes rogue, and it’s still contained a bit. That’s why the strongest approach from high-assurance security is still separation kernels: microkernels designed specifically for security that fit into L1 caches, are often mathematically verified in some way, support individual apps running in their own address space optionally on a language runtime, and support VMs for legacy apps. Muen is an example of that approach for x86, seL4 an example for ARM (mainly ARM), and INTEGRITY-178B a commercial example for PPC (beware marketing hype).

    1. 3

      The only reason this was possible at all is the open-source nature of V8, and its standing as perhaps the most well security tested piece of software on earth.

      Seems they have convinced themselves that extensive testing is good enough.

      1. 2

        Yeah, their solution seems great until it doesn’t work. With V8 in the browser, a sandbox escape compromises the environment of a single process/context. Really bad for sure. However, on their platform, sandbox escape seems like it would be /worse/, having the potential to compromise multiple contexts, and thus multiple customers.

        Let’s just hope nothing bad happens I guess?

        1. 3

          A new attempt at Software-Isolated Processes being harder to get right than a parser? Nah. They’ll prolly be safe. ;)

          1. 3

            On a nicer note, the author just showed up on HN: it’s kentonv from Sandstorm and Cap’n Proto. Gives me a little more confidence that it will be designed and/or implemented well. I still stand by my original comment, though, since it’s the same stuff I told him when he was doing Sandstorm. Although more projects exist, the fundamentals of what worked and didn’t are still the same.

        2. 3

          @garybernhardt’s post-apocalyptic future couldn’t come fast enough.

          1. 3

            I have been thinking about something like this myself because it is promising technology for edge computing ideas. I would not have chosen V8 though. It is too complex. Simplicity is a prerequisite for security.

            My idea would be to use binary translation like Qemu does. The biggest problem is not the code itself though. The bigger attack surface is the interface for IO. Code is useless without IO after all. The interface will probably grow a lot to make development convenient.

            I think Google tried something like this for browser plugins if I remember correctly.

            edit: That was Native Client (NaCl, PNaCl). Now only used for ChromeOS.

            1. 2

              Looking further, somebody already did that. I would like to see a comparison of Cloudflare Workers to http://www.zerovm.org/.

              I guess the primary argument is: ZeroVM has been dead for four years.