
    Can be run in 400kb of memory or less.

    Now attached to a group of processes consuming no less than 200 megabytes. That’s progress.

    It’s a bit amazing that this works, but a part of me really wishes that we could just make distributing and sandboxing native code work better, instead of putting more and more into web browsers.

      The whole Google Native Client stuff was a good example of that, as is Ford and Cox’s VX32 stuff (the same technique is used for both on IA32).

      The other option, and one that I’d like to play with, is to leverage the operating system’s built-in process separation functionality, but it would require the OS to support very good sandboxing and not all do. Allow browsers to spawn a process, allow there to be a shared memory segment between the browser and that new process, give it two pipes, and don’t let it make any syscalls other than writing to those pipes, and things would be as fast as can be.

      The problem, of course, is that then every page has to have code for Linux-(ARM(64)?|x86(_64)?|MIPS(LE)?(64)…. What WebAssembly gives you is a format that can be executed/interpreted in-place, and also relatively easily translated to safe native code. Google’s Native Client gets around this problem by distributing LLVM bitcodes.
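The process jail sketched in the comment above, as an added example that is not part of this thread: a Linux seccomp-bpf filter (assumed available; x86_64 or aarch64) under which a forked child can make no syscall except write(2) on the one pipe it was handed, plus exit_group(2) so it can finish. The shared-memory segment and the second pipe are left out, and the message text is constructed for the demo.

```c
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#if defined(__aarch64__)
#define JAIL_ARCH AUDIT_ARCH_AARCH64
#else
#define JAIL_ARCH AUDIT_ARCH_X86_64   /* add other targets here; a wrong value kills every call */
#endif
static int install_pipe_only_filter(int wfd) {  /* allow only write(2) on wfd and exit_group(2) */
    struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, JAIL_ARCH, 1, 0),          /* foreign ABI -> KILL */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_exit_group, 4, 0),   /* -> ALLOW */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_write, 0, 2),        /* not write -> KILL */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[0])), /* low half of fd */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)wfd, 1, 0),     /* other fd -> KILL */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fp = { .len = sizeof prog / sizeof prog[0], .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;      /* required for unprivileged seccomp */
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fp);
}
/* Fork a jailed child that writes one message down the pipe and then calls getpid(2). The message
 * lands in `out`; returns the child's terminating signal (SIGSYS expected), 0 on a normal exit, -1 on error. */
static int run_confined_child(char *out, size_t outlen) {
    static const char msg[] = "hello from the jail";    /* constructed sample payload */
    int fds[2], status;  if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid == 0) {
        if (install_pipe_only_filter(fds[1]) != 0) _exit(2);
        if (write(fds[1], msg, sizeof msg) < 0) _exit(3);  /* allowed: the one sanctioned channel */
        getpid();                                           /* not on the list: killed right here */
        _exit(0);
    }
    close(fds[1]);
    ssize_t n = read(fds[0], out, outlen - 1);              /* parent side: collect the message */
    out[n > 0 ? n : 0] = '\0';  close(fds[0]);
    if (pid < 0 || waitpid(pid, &status, 0) != pid) return -1;
    return WIFSIGNALED(status) ? WTERMSIG(status) : 0;
}
```

Only the classic-BPF filter itself is portable between the two architectures; the syscall numbers and the `AUDIT_ARCH_*` check are per-ABI, which is why the filter rejects a foreign ABI before looking at the syscall number.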

        You can with separation kernels but it will require work on the browser to integrate with the native app outside the VM. That’s what high-assurance did in the commercial sector and most CompSci:

        http://os.inf.tu-dresden.de/papers_ps/nizza.pdf

        http://genode.org/about/index

        Some also designed high-assurance browsers or browsing kernels. Chrome’s security was a weaker version of one called OP browser. IBOS does a kernelized approach.

        https://www.usenix.org/legacy/event/osdi10/tech/full_papers/Tang.pdf

        There’s just little commercial or FOSS investment in such things. Plus the legacy system effect for existing browsers' methods. So, we get this other bullshit instead of a stronger, even simpler approach to isolation.

          Well, if you can manage to extract the wasm compiler/interpreter from the browser I suppose you have a pretty portable and efficient jail/vm.

            I think this is where we’re going with things like Servo.

            Right now it’s extremely hard to share anything between processes/tabs, mainly because everything is this hard-to-track, memory-sharing mess with no language-level safety.

            The next generation of browser tech will likely drastically cut down on waste by virtue of having better tools to ensure stateful/statelessness.