by codethief 61 days ago
> https://github.com/flatpak/flatpak/security/advisories/GHSA-...

Just yesterday I was thinking about a related attack vector on AI agents: Many harnesses "sandbox" (at the application level) file reads/writes and shell commands by checking whether a given path has been whitelisted. However, I bet there are cases where the agent could simply create a symlink to somewhere else and thus trick the "sandbox" into thinking the agent is authorized?
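As an added illustration of the symlink concern raised in this post (example code written for this thread, not code from flatpak or from any agent harness), the following Python shows an allowlist check done three ways on a constructed temporary directory layout: a naive string-prefix check on the agent-supplied path, a check that canonicalises the path before comparing components, and an open routine that walks the path one component at a time with `O_NOFOLLOW` so the decision and the open happen on the same object. The directory names, the `workspace` allowlist root and the file contents are all constructed for the demo; the helpers assume a POSIX system because `os.open` with `dir_fd` is not available on Windows.

```python
import os
import shutil
import tempfile
from pathlib import Path


def naive_is_allowed(path: str, allowed_root: str) -> bool:
    """Weak check: compares the path string the agent supplied against the
    allowlist root. A symlink placed inside the root but pointing outside it
    passes, because only the spelling of the path is examined."""
    root = os.path.abspath(allowed_root)
    return os.path.abspath(path).startswith(root + os.sep)


def resolved_is_allowed(path: str, allowed_root: str) -> bool:
    """Stronger check: canonicalise both sides (every symlink followed), then
    compare by path components rather than by string prefix, so that
    '/work' does not accidentally admit '/workspace-other'."""
    root = Path(allowed_root).resolve(strict=True)
    target = Path(path).resolve(strict=False)  # file need not exist yet (writes)
    try:
        target.relative_to(root)
    except ValueError:
        return False
    return True


def open_within(allowed_root: str, rel: str, flags: int = os.O_RDONLY) -> int:
    """Open `rel` below `allowed_root` without ever following a symlink.
    Each component is opened relative to the previous directory fd with
    O_NOFOLLOW, so the check and the open act on the same inode and a
    symlink swapped in between (a TOCTOU race) cannot redirect the lookup.
    Returns an open file descriptor; the caller owns it."""
    rel_path = Path(rel)
    parts = rel_path.parts
    if rel_path.is_absolute() or not parts or any(p == ".." for p in parts):
        raise PermissionError(f"refusing path outside allowed root: {rel!r}")
    fd = os.open(allowed_root, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for component in parts[:-1]:
            nfd = os.open(component, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=fd)
            os.close(fd)
            fd = nfd
        # O_NOFOLLOW makes the kernel fail with ELOOP if the last component is a symlink
        return os.open(parts[-1], flags | os.O_NOFOLLOW, dir_fd=fd)
    finally:
        os.close(fd)


def demo() -> dict:
    """Builds a constructed layout and reports what each check decides.
    base/workspace/notes.txt is a symlink to base/outside/secret.txt."""
    base = Path(tempfile.mkdtemp(prefix="allowlist-demo-"))
    try:
        allowed = base / "workspace"
        outside = base / "outside"
        allowed.mkdir()
        outside.mkdir()
        secret = outside / "secret.txt"
        secret.write_text("constructed sample content\n")
        link = allowed / "notes.txt"
        link.symlink_to(secret)

        try:
            fd = open_within(str(allowed), "notes.txt")
            os.close(fd)
            nofollow_refused = False
        except OSError:  # ELOOP: last component is a symlink
            nofollow_refused = True

        return {
            "naive": naive_is_allowed(str(link), str(allowed)),          # True: fooled
            "resolved": resolved_is_allowed(str(link), str(allowed)),    # False: escape seen
            "legit": resolved_is_allowed(str(allowed / "real.txt"), str(allowed)),  # True
            "nofollow_refused": nofollow_refused,                        # True: open refused
        }
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    print(demo())
```

The resolve-then-compare check closes the hole described in the post for a single decision, but it is still check-then-use: anything that can rewrite the tree between the check and the open can replace a regular file with a symlink. The component-by-component open with `O_NOFOLLOW` is the shape of check that does not depend on the tree staying still, and on Linux `openat2` with `RESOLVE_BENEATH` expresses the same intent in one call, though it is not exposed by Python's standard library.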


Any attempt to analyze a string that will be executed as a command is a fundamentally unsafe approach; presumably I can make an .sh file and run that and circumvent the mechanism? Off the top of my head. You could say that your analysis will be so deep that it can check the file scripts, it can do so recursively through bash file chains of any size, it's so smart in fact it can decode base64 contents, and even if...

No, stop, if you do that, you have entered a rabbit hole; ignore the command, assume it can be malicious. Path constraints are already fundamentally solved with tech as old as UNIX users; you are 50 years behind in terms of security and should not be concerning yourself with cutting edge issues for that reason.

I bet you're right. This is one kind of thing you need a meticulous programmer to do. But instead, I'd guess most AI-dogfooding engineering organizations in the near future will be taking a vibe-code-it-and-AI-red-team-it approach.

I don't trust sandbox claims from those companies, and only run CLI-ish code on workstation inside a full VM (not even a container).

> not even a container

Genuinely curious, what specific threats are you thinking about when you make this choice?

Mainly routine software supply chain attacks to unexamined dependencies pulled in by a mess of vibe-coding.

(Though it would also give some protection against growth hacking or kludge expedience that goes a little too naughty. We're already seeing some questionable behavior there, as some rush to get their functionality working first.)

Since containers are for fairly trusted code, and relatively easy to break out of, compared to a good VM.

Assume the worst.