by naasking 1302 days ago
> And so on and so on. I just wished that the LUA approach of "if I don't give you a hook, you cannot do that" were just the default.

Yes, because languages are still not capability-secure. Memory-safe languages are inherently secure up until you introduce mutable global state, and that's how they typically leak all kinds of authority. If you had no mutable global state, then you could eval() all the livelong day and you wouldn't be able to escape the sandbox of the parameters passed in.

Examples of mutable global state:

* APIs: you can make any string you like, but somehow you can access any file or directory object using only File.Open(madeUpString). This is called a "rights amplification" pattern, where your runtime permits you to somehow amplify the permissions granted by one object into a new object that gives you considerably more permissions.

* Mutable global variables: as you point out, eval() can access any mutable global state it likes, thus easily escaping any kind of attempt to sandbox it.

If these holes are closed then memory-safe languages are inherently sandboxed at the granularity of individual objects.
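The rights-amplification pattern and its capability-style alternative, as an added Python example that is not part of the thread: `ambient_open` has the File.Open(madeUpString) shape, while `DirCap` (a hypothetical name) lets a holder reach only its own subtree and derive strictly weaker capabilities from it. The sample directory tree is constructed in a temp dir.

```python
import tempfile
from pathlib import Path


def ambient_open(path: str) -> str:
    """Ambient-authority API: any string names any file (rights amplification)."""
    with open(path) as f:
        return f.read()


class DirCap:
    """Capability for one directory: holding it grants access to its subtree only."""

    def __init__(self, root: Path):
        self._root = root.resolve()

    def _child(self, name: str) -> Path:
        # Resolve and reject names that leave the subtree; a cap cannot be amplified.
        target = (self._root / name).resolve()
        if target != self._root and self._root not in target.parents:
            raise PermissionError(f"{name!r} is outside this capability")
        return target

    def read(self, name: str) -> str:
        return self._child(name).read_text()

    def subdir(self, name: str) -> "DirCap":
        # Attenuation: derive a capability that is strictly weaker than this one.
        return DirCap(self._child(name))


def build_sandbox() -> tuple[Path, DirCap]:
    # Constructed sample tree: secret.txt sits above the directory the cap covers.
    base = Path(tempfile.mkdtemp())
    (base / "secret.txt").write_text("top secret")
    (base / "public").mkdir()
    (base / "public" / "hello.txt").write_text("hello")
    (base / "public" / "docs").mkdir()
    (base / "public" / "docs" / "readme.txt").write_text("readme")
    return base, DirCap(base / "public")


def plugin_reaches_parent(cap: DirCap) -> bool:
    """Untrusted code holding only `cap` tries to read the parent's secret."""
    try:
        cap.read("../secret.txt")
        return True
    except PermissionError:
        return False
```

With the ambient API the same string reaches the secret, so the only sandbox boundary is which objects were handed in.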