[bitwize]

I have no freaking idea. Needless to say I don't think our current operating systems are up to the task of actually being secure. You have to be able to somehow dynamic-link in a library whilst only giving calls into that library certain permissions/capabilities... which I don't think even Windows can do.

[gizmo686]

Forget OS support, is that something that modern CPUs can support efficiently? As far as I can tell, enforcing a security boundary across libraries would require changing the page table twice for every library call, which seems like a big performance hit.

[izacus]

Then maybe your notion of security is useless in the real world and needs a rethink.

Security, when practiced, is a fundamentally practical discipline that needs to work with the world as is, not with dreams of putting people in basements in chains.

[GuinansEyebrows]

Ignorant reply here, but would openbsd's `pledge` and `unveil` sorta cover what you're talking about?

[LtWorf]

At the library level? Not as far as I know…

[huijzer]

Didn’t Jess Frazelle have most of her dependencies running inside lots of Docker containers for a while? She went pretty far and also kept it up for a long time. E.g., https://blog.jessfraz.com/post/docker-containers-on-the-desk...

[LtWorf]

How would that protect you from a library?