Hacker News new | ask | show | jobs
by 7373737373 298 days ago
WebAssembly with its sandboxing-by-default paradigm is pretty much halfway there, just need a well defined interface to transfer data and access rights between instances, and creating new instances from others.
3 comments
cpuguy83 298 days ago
https://microsoft.github.io/wassette/ does just this, using wasi components.
link
spankalee 298 days ago
That's what WASI components already are.
link
saagarjha 297 days ago
This is a technical solution to a social problem
link
7373737373 297 days ago
This is NOT (just) a social problem! See: supply chain attacks and https://en.wikipedia.org/wiki/Confused_deputy_problem

No number of signature schemes and trust networks will be able to prevent the effects of actual misuse of security breaches and problems arising from programming errors, only a technical solution can!

It's stupid to rely on trust when one doesn't have to, to grant programs, imported modules or even individual functions more permissions than they need. Technical systems should give the best guarantees they can, and not risk the security of the entire system by default just because something failed at the social layer, or some component somewhere in the system misused (perhaps even by accident!) its https://en.wikipedia.org/wiki/Ambient_authority

The attack surface of even individual programs can, and therefore SHOULD be minimizable. It's just that contemporary popular programming languages do not give programmers any methods (high level or even primitive) to achieve interior compartmentalization and utilize https://en.wikipedia.org/wiki/Capability-based_security in order to implement the https://en.wikipedia.org/wiki/Principle_of_least_privilege

A program does what it does, and it always potentially could do everything it is allowed to. Especially at scale, when you use code from thousands of developers, along the depth and breadth of your tech stack, social trust doesn't scale. Reifying and making explicit the access rights the components of a program have does. Then, ill effects are limited to the rights that have been explicitly given, and the effects of the results that are further processed by other components of the program.

Social assurances are practically worthless because they may be misinterpreted, bypassed, subverted or coerced. Technical guarantees instead can be formalized and verifiable.

link
lucketone 296 days ago
> Technical systems should give the best guarantees they can, and not risk the security of the entire system by default

True and at the same time this has the social aspect - somebody needs to list all the required capabilities/accesses, and developer might opt for requesting for too many permissions and casual user might allow that (caused by mix of incompetence and lack of interest)

link
saagarjha 296 days ago
I view a breach to be a socially-determined outcome, though. Yes, your library might be sandboxed, but for it accessing the internet might be OK and for you that means you are leaking PII. This is a difficult problem to solve.
link