Noodling on sandboxing models

Robert Frost:

"Before I built a wall I'd ask to know

What I was walling in or walling out"

With computers, this strategy doesn't work. Inside and outside have a way of switching places.

Sample points

In Unix, the crown jewels were the root user; other user accounts were sandboxed. Code (in C) ran all types erased. As time passed. Root grew vestigial, people stopped sharing computers. The crown jewels moved to user accounts. Processes acquired bolt-on things like ASLR.

(Compare Java, which has strong types within the VM. At least until generics started erasing some types.)

In JavaScript, the crown jewels are the user account. Browsers are sandboxed in a strongly typed VM. As time passed, local hard disks became disposable (chromebook). The crown jewels moved within the browser.

Enter Wasm. Now the browser tab is the crown jewels. Compiling to Wasm erases types. As time passes, people will start living within the Wasm sandbox. And we'll start reinventing things like ASLR.

Lehmann, Kinder and Pradel, "Everything easy is hard again: Binary Security of WebAssembly"

Possible lessons

Sandboxing isn't about a single boundary. When designing VMs for adoption, build for isolation _within_ the VM in addition to the boundary. Allow people to collaborate and run untrusted code within a single sandbox.

Oh, and don't erase types.