[FabricPaul]

Using pointers adds a certain amount of complexity, and they also introduce the possibility of security problems. This was particularly important for the work we were doing on the browser plug-in. For the type of work that developers use KL for, they aren't needed.

[d1plo1d]

On that topic, I wasn't able to find any information on the security of Fabric or the sandboxing it uses. Short of going through the source code is there documentation on this topic?

NACL, which is only somewhat similar in that it runs native code via the browser, went to great lengths to demonstrate how their sandboxing worked to address the FUD of running native code in the browser. I have a very similar FUD about executing Fabric LLVM code from arbitrary websites.

To clarify where I'm coming from, I am a javascript / ruby dev and although I have worked in C I do not claim to understand the inner workings of LLVM or have ever worked with it. If there is an implicit reason why building on LLVM would sandbox code written in fabric it is not implicit to me. I doubt I am alone in this and would greatly appreciate an explanation of Fabric's sandboxing.

[FabricPaul]

As promised: Security was an important part of the design of Fabric.  What security means depends on whether Fabric is running standalone from the command-line or as a browser plugin.

When Fabric is run from the command line, we are in general unconcerned with security.  This is because Fabric is run like any other program on a computer where the software is deliberately installed by the user.  Fabric runs as a module for Node.js or for Python, and runs with the same security credentials as Node.js and Python.  Like Node.js and Python, Fabric will only do what you explicitly tell it to.  Let us be clear: this is the context in which you might use Fabric for server-side work, much as one does with Node.js, Python or Ruby.

When Fabric is run as a browser plugin, security is a major concern because a Fabric application (or, more precisely, an in-broswer application that wants to use the computer the browser is running on to run code) specifies code that is compiled and executed on the machine running the browser.  To prevent the usual types of exploits, the language KL in which the Fabric operator code is written is both pointer-free (like Ruby, Javascript and Python) and provides bounds checks for all array accesses, throwing an exception for any out-of-bounds accesses (like Ruby and Python).  Access to third-party code, which does not adhere to the same pointer-free and bounds-checked rules, is done through our extension mechanism, and extensions, besides the default extensions provided with Fabric (that are just wrappers for common open-source libraries), must be explicitly installed by the user -- it is not possible to make the user's browser automatically "download" an extension.

Of course, you are wise to question whether you can "trust" our security model.  Fortunately, if you're really in doubt, you can simply look at our code, which is open-source; we believe this already places us ahead of common browser plugins, such as Flash, to which could be posed the same questions but for which one cannot audit the code.

[d1plo1d]

Thank you Paul for both of your replies, that was exactly the information I was looking for.

[FabricPaul]

I've asked one of my colleagues to write a longer response to this (we may post it on the developer blog), but I'll give you a short answer in the meantime. We don't do sand-boxing - I think a look at the amount of money that's gone into NaCl shows that a startup would have no chance of pulling that off.

By being pointer-less, we block a lot of potential malicious code. If you don't have access to memory, it's hard to write anything dangerous. Our bigger concern with the plug-in is around our extension system - it allows us to include existing libraries, which of course means it's opening up to C/C++. Consequently, we force explicit install of extensions - if a developer builds a custom extensions, then the end user has to install it, the same as if you were choosing to install a local application.