Comment by 0x0

10 years ago

When he asks for a sandbox to provide "a secure drawing API (including 3D, which, yes, is hard). You need a secure file system. You need secure network, and microphone, and webcam, and probably even USB. (It should also be possible to block or control access to each of these.)"

... isn't that the job of a normal OS kernel? The article may call it a "sandbox", but it sounds like normal access control in any OS; not much sandboxing is left when asking for all the APIs?

In-browser applications and virtual machine technology are both poor work-arounds to the same problem: that the design of modern operating systems gets it so badly wrong. If I can run completely different operating systems on top of another inside a VM application, why shouldn't I be able to run those other operating systems as applications? If I can run Javascript downloaded from the internet that is JIT-compiled to native code inside a browser application, why can't I just run native code downloaded from the internet directly (with the same security - such as it is - as Javascript code)? Why should I be able to access one set of APIs from Javascript code, and a different set of APIs from native C++ applications, etc.? Why should I be able to set up and migrate a development environment in a VM and transfer it between computers, but not be able to set up a separate development environment natively in the OS for just one or a few applications and export it and all its dependencies just as easily as exporting a VM? In other words, if what I care about is about 15MB of customized files and 100KB of OS settings customization, why should I have to put 1.2GB of operating system files and other junk into a VM to make it sandboxed and portable? (In this latter example I'm speaking of a Linux project called Code Data and Environment, which accomplishes something like this by analyzing what files and shared libraries a running application accesses and packaging just those.)

  • This is a good comment. Operating systems were originally designed to protect people from each other. My process can't interfere with your home directory. My process can't mess up the entire OS (unless I'm admin). There was a time when most programs were not actively hostile to the user running them.

    These days just about every application is user-hostile in some way. Even open source Windows applications, depending on where you download them from, might come with a hostile installer. Programs install background tasks. Programs track you.

    Mobile operating systems have been a step in the right direction. But a good operating system should allow us to run whatever binaries we find anywhere on the Internet and not be able to do anything harmful to us.

    • Exactly. Better to improve the OS level sandboxing rather than duct-taping it all together with another layer of indirection via hypervisors. But it'll take a lot of work.