by JoachimS 3879 days ago
Not to claim that they are remotely the same, but this reminds me of Microsoft Drawbridge.

Drawbridge classifies syscalls into groups, and the syscalls an application is allowed to use are registered. When the application is executed, a runtime gateway verifies that the application only uses the syscalls that were registered. Drawbridge does more things (generates a library that maps the 800+ syscalls to their group-equivalent ones, etc.). But there are similar ideas.

I thought Drawbridge was neat, but it seems not to have moved much beyond MSR.

http://research.microsoft.com/en-us/projects/drawbridge/

2 comments

Interesting... Drawbridge sounds like rump kernels (which can be used in userland processes as well as in VMs), where everything the application does is turned into a small number of hypercalls (12ish IIRC). It seems like there are RISC and CISC forms of higher security system call interfaces (e.g. pledge needing sendsyslog(2) and SOCK_DNS). It is good to see both approaches getting more use :). I hope pledge is adopted widely as it seems like a good approach to easily get significant improvement (particularly when exec is not needed, since restrictions are not inherited).

A link to the pledge man page since I haven't seen it mentioned yet: http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man2/...
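The two comments above describe the same shape of mechanism: syscalls are sorted into groups (Drawbridge's classes, pledge's promises), the program declares which groups it needs, and a gate kills it on the first syscall outside that set. The following is an added toy model of that gate, written for this thread and not code from Drawbridge, OpenBSD or any commenter. The group table is a constructed, simplified stand-in (the real pledge and Drawbridge tables are far larger and differ in detail), and the syscall names such as `open_ro` and `socket_dns` are placeholders for "open for reading" and "DNS socket" rather than real syscalls. It also models two properties the second comment mentions: a pledge can only narrow the allowed set, and restrictions are dropped across exec. The `minimal_promises` helper derives the smallest promise set that covers a recorded trace, which is the workflow a developer uses to find what to pledge.

```python
"""Toy syscall-allowlist gate modelled on Drawbridge groups / pledge promises.

Hypothetical model, not the real OpenBSD or Drawbridge tables.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed, simplified grouping (placeholder names, not real syscall tables).
SYSCALL_GROUPS = {
    "stdio": {"read", "write", "close", "fstat", "sendsyslog", "exit"},
    "rpath": {"open_ro", "stat", "readlink"},
    "wpath": {"open_rw", "rename", "unlink"},
    "inet":  {"socket", "connect", "sendto", "recvfrom"},
    "dns":   {"socket_dns", "sendto", "recvfrom"},
    "proc":  {"fork", "wait4"},
    "exec":  {"execve"},
}


class PolicyViolation(Exception):
    """Raised when the gate would kill the process."""


@dataclass
class Gate:
    # None means "unrestricted": the process has not pledged yet (or just exec'd).
    promised: Optional[frozenset] = None

    def pledge(self, promises):
        """Register the groups the program needs; may only narrow an earlier pledge."""
        new = frozenset(promises)
        unknown = new - set(SYSCALL_GROUPS)
        if unknown:
            raise ValueError(f"unknown promise(s): {sorted(unknown)}")
        if self.promised is not None and not new <= self.promised:
            widened = sorted(new - self.promised)
            raise PolicyViolation(f"pledge can only narrow; {widened} not previously promised")
        self.promised = new

    def allowed(self, syscall):
        if self.promised is None:
            return True
        return any(syscall in SYSCALL_GROUPS[g] for g in self.promised)

    def enter(self, syscall):
        """Runtime check on syscall entry: kill on the first syscall outside the promised groups."""
        if not self.allowed(syscall):
            raise PolicyViolation(f"{syscall} not covered by promises {sorted(self.promised)}")
        if syscall == "execve":
            # Restrictions are not inherited by the new image (the point raised about exec).
            self.promised = None


def run_trace(trace):
    """Replay a trace of syscalls and ("pledge", [...]) events through a fresh gate.

    Returns (True, None) if the whole trace is permitted, else (False, reason)
    describing the first violation.
    """
    gate = Gate()
    for ev in trace:
        try:
            if isinstance(ev, tuple) and ev[0] == "pledge":
                gate.pledge(ev[1])
            else:
                gate.enter(ev)
        except PolicyViolation as e:
            return (False, str(e))
    return (True, None)


def minimal_promises(syscalls):
    """Greedy set cover: smallest (in group count) promise set covering every syscall seen.

    Ties are broken alphabetically so the result is deterministic.
    """
    needed = set(syscalls)
    unknown = needed - set().union(*SYSCALL_GROUPS.values())
    if unknown:
        raise ValueError(f"unclassified syscall(s): {sorted(unknown)}")
    chosen = []
    while needed:
        best = max(sorted(SYSCALL_GROUPS), key=lambda g: len(SYSCALL_GROUPS[g] & needed))
        chosen.append(best)
        needed -= SYSCALL_GROUPS[best]
    return sorted(chosen)


# Constructed sample traces.
RESOLVER_TRACE = [("pledge", ["stdio", "dns"]),
                  "fstat", "socket_dns", "sendto", "recvfrom", "write", "close", "exit"]
BAD_TRACE = [("pledge", ["stdio", "dns"]), "fstat", "open_ro"]        # open_ro needs rpath
EXEC_TRACE = [("pledge", ["stdio", "proc", "exec"]), "fork", "execve", "open_rw"]

if __name__ == "__main__":
    print("resolver needs:", minimal_promises(ev for ev in RESOLVER_TRACE if isinstance(ev, str)))
    for name, trace in [("resolver", RESOLVER_TRACE), ("bad", BAD_TRACE), ("exec", EXEC_TRACE)]:
        print(name, "->", run_trace(trace))
```

Running it shows the resolver trace needs exactly `["dns", "stdio"]`, the trace that opens a file without `rpath` is killed at `open_ro`, and the trace that forks and execs is allowed to `open_rw` afterwards because the gate reset to unrestricted on `execve`. Real pledge also tracks per-file-descriptor state (which is how it tells a DNS socket from a general one), which this model collapses into a separate placeholder syscall name.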

Some of the research went into Windows containers in Windows 10, where you can run containers directly on top of Hyper-V instances.

Eventually even how the sandboxing works in Windows 8/10 for store applications.