by aboodman 3836 days ago
Your current (desktop) operating system allows these binaries to run with your full user privileges. Any software you download and run has complete access to all of the data from your user account, no matter which software created it. Software can interfere with other software (spyware), can affect anything on the account (malware), and can even harm the system itself (e.g., by consuming resources). Worst of all, because there's no isolation you can't get rid of bad software: once you run software from the internet on your PC, you are boned. There is no way you can get rid of something that doesn't want to be gotten rid of since it can literally rewrite other executables to be itself.

Current (desktop) operating systems were not designed for a world where you routinely run code from someone on the other side of the planet who you have no relationship to, and don't trust, so you can see cat pics or read a forum.

Browsers have a lot of problems, but their security model and ephemeral install model are inspired designs, which directly enable the safety of the modern internet.

Having to fall back to classic desktop apps for real speed or power is a terrible thing for end-user security. Either browsers need to get more powerful, or desktop OSes need to take on a browser-like security model.

3 comments

The process model is a sandbox. Every process runs as if alone, with seemingly continuous processor time and memory addresses starting at zero. The ailments you described are all system calls, special access granted by the kernel.

So the process model is not fundamentally different than the browser model, but WebAssembly enjoys two advantages:

1. The browser security model sagely segmented privileges by origin rather than user.

2. Like bytecode, WebAssembly AST does not target a specific processor.
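The origin boundary mentioned in point 1 is concrete enough to show in code. The block below is an added example, not part of any comment in this thread: it computes the origin tuple (scheme, host, port) with the standard WHATWG `URL` API available in browsers and Node.js, shows which URL pairs share an origin, and keeps a small storage partitioned per origin so that data written by one origin is invisible to another even though everything runs under the same user account. The URLs and stored values are constructed for the demonstration; `OriginStore` is an illustrative helper, not a browser API.

```javascript
// Added example: the browser's origin as a privilege boundary.
// Uses the WHATWG URL API (global `URL` in browsers and Node.js).

// Return the serialized origin "scheme://host[:port]" of a URL, with the
// default port dropped, or null for opaque origins (file:, data:, about:)
// which never match anything, not even themselves.
function originOf(urlString) {
  const u = new URL(urlString);
  return u.origin === "null" ? null : u.origin;
}

// Two URLs are same-origin only if scheme, host and port all agree.
// Subdomains, scheme changes and port changes are all different origins.
function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  if (oa === null || ob === null) return false;
  return oa === ob;
}

// Storage partitioned by origin rather than by user (illustrative helper,
// not a browser API). The same user runs every script, but each origin
// only ever sees its own partition.
class OriginStore {
  constructor() {
    this.partitions = new Map(); // origin -> Map(key -> value)
  }
  set(callerUrl, key, value) {
    const origin = originOf(callerUrl);
    if (origin === null) throw new Error("opaque origin has no storage");
    if (!this.partitions.has(origin)) this.partitions.set(origin, new Map());
    this.partitions.get(origin).set(key, value);
  }
  get(callerUrl, key) {
    const origin = originOf(callerUrl);
    if (origin === null) return undefined;
    const part = this.partitions.get(origin);
    return part ? part.get(key) : undefined;
  }
}

// Worked scenario with constructed URLs: a "bank" page stores a token; a
// page on another host, a subdomain, another scheme, or another port cannot
// read it, while the bank's own pages (default port written or not) can.
function demo() {
  const store = new OriginStore();
  store.set("https://bank.example/account", "session", "constructed-token");
  return {
    samePage: store.get("https://bank.example/transfer", "session"),
    explicitDefaultPort: store.get("https://bank.example:443/x", "session"),
    otherHost: store.get("https://attacker.example/", "session"),
    subdomain: store.get("https://www.bank.example/", "session"),
    otherScheme: store.get("http://bank.example/", "session"),
    otherPort: store.get("https://bank.example:8443/", "session"),
  };
}
```

In this model the isolation unit is the origin, so a page that lured you into loading it gets only its own partition; the desktop model described at the top of the thread has a single partition per user, which is why any downloaded binary can read everything that user owns.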

Totally agree. The process model is actually a better sandbox than, e.g., Firefox per-origin one (because it sandboxes CPU time and memory as well). But the shape of the sandbox is incorrect for the modern era.
It seems like the real solution is to have proper sandboxing in the OSes, though it would take much more coordinated effort to accomplish.

I see no reason why each domain couldn't have a chroot for example, the browser doesn't need to implement those things.

> Your current (desktop) operating system allows these binaries to run with your full user privileges.

Actually it can sandbox them already.

But doesn't, by default. And that's crucial. On the web I can just run any random program from anyone and there's a very strict limit on what it can do to me and to other software.