Hacker News new | ask | show | jobs
by nextaccountic 439 days ago
There is a way to sandbox native code without forking to a new process, and it looks like this

https://hacks.mozilla.org/2020/02/securing-firefox-with-weba...

Firefox employs processes for sandboxing but for small components they are not worth the overhead. For those they employed this curious idea: first compile the potentially unsafe code to wasm (any other VM would work), then compile the wasm code to C (using the wasm2c tool). Then use this new C source normally in your program.

All UB in the original code becomes logical bugs in the wasm, that can output incorrect values but not corrupt memory or do things that UB can do. Firefox does this to encapsulate C code, but it can be done with Rust too
2 comments
panstromek 438 days ago
That's actually a pretty clever idea, I never realized you can that. Thanks for sharing.
link
int_19h 438 days ago
Note that the reason why this works for sandboxing is that wasm code gets its own linear memory that is bounds-checked. Meaning that the generated C code will contain those checks as well, with the corresponding performance implications.
link
dmitrygr 438 days ago
You can skip all this nonsense with

    -fsanitize=undefined
link
Georgelemental 438 days ago
Not foolproof, doesn’t catch everything.
link
rcxdude 438 days ago
The sanitize tools are not intended to be hardening tools, just debugging/testing tools. For instance, they may introduce their own vulnerabilities.
link
cyberax 438 days ago
It won't do anything for data races, for example.
link