Hacker News new | ask | show | jobs
by hackcasual 690 days ago
If you think using containers provides improved security over WASM I don't think you understood the paper. At no point did they demonstrate compromising the host of the WASM program, just corrupting the state of POC's. There are obviously risks associated with that, but nothing that improves by going with isolated/containerized native code.

Yes currently lacking ASLR and read-only memory sites increase some risks, but strongly typed function pointers, control flow restricted to function entry points and call stack isolation more than make up for it
1 comments
pjmlp 690 days ago
I think a lot about security, during the last 30 years, and worshiping WASM sales pitch isn't one of them.

Also I explicitly mentioned that is the first paper of many others, that are starting to appear on cyber security conferences.

link
hackcasual 690 days ago
It's a 4 year old paper, and the biggest issue it brought up, malleable read-only data, is currently being addressed with the memory control proposal. The fact that a virtual environment can't prevent all types of erroneous program behavior is not particularly noteworthy. The fact of the matter, in particular when comparing WASM against containers, WASM is a generational step forward in terms of permissioning and isolation.

For my bonafides, this is me discussing this class of vulnerabilities 8 years ago: https://groups.google.com/g/emscripten-discuss/c/gGjklbJiX1c...

link