Hacker News new | ask | show | jobs
by wstuartcl 1234 days ago
yeah even if they are wrapping with near noop guards all over the ast/codebase as its being compiled and the secret sauce is just to tickle the guard to log at those specific points dynamically you would think this would have huge overheads for the no log states as those guards get bypassed for hot code blocks. (kind of like running in a debugger env).

They note that this is patented -- I wonder how. Every way I can imagine this being implemented in the languages they support seems to be clearly prior well known art. Patent office granting more "RED -- we own compressing raw" type patents?

Looking at the patent seems like they are monkey patching either dynamically or into ast injected nodes at compile time. what the heck is the PO doing. also who in their right mind would open their prod services to an external party for code injection lol.
1 comments
tomgs 1234 days ago
Great questions form all ends. Let me try and clarify.

This is not monkey-patching or hot-swapping, but a different approach - we call it dynamic instrumentation. This amounts to having an agent (an SDK/library, in essence) perform the addition of Lightrun Logs, Snapshots and Metrics, then (potentially) pipe the information where it needs to go. We've got a nice diagram here [0].

I think that the mechanism itself - which changes by runtime, naturally - is well explained in the link above. However, the core security mechanisms we have are enabled by another component of the agent we dub the Sandbox.

In essence, we've got a (patented) way to verify everything that we do at runtime. That means we ensure that each evaluated expression does not have side effects (like changing the value of a member of an array, or editing a variable value), every metric we could think of is throttled and rate-limited (that includes our usage of CPU, RAM, the rate of I/O and a bunch of other things).

Given this sandbox mechanism, and the way the networking requirements look like (again, look at [0] - no need to open a debug port / inbound ports, and a pretty agnostic deployment model) I think we've got a pretty robust defense layer against a variety of failures. Also see my comment a few comments above regarding data security.

[0] https://docs.lightrun.com/more-about-lightrun/#how

link