Comment by rvern

10 years ago

The sandbox written in Rust can only be secure if the libraries it depends on, the compiler that was used to compile it, and the kernel as well as the compiler used to compile it and the libraries it depends on were all written in Rust.

Furthermore, even if applications are sandboxed, that only prevents vulnerabilities from being exploited with other applications. A web page able to compromise my web browser would still be able to get all my browsing history, my usernames, my passwords… The sandbox would not help with that.

This does not necessarily make it worth it to rewrite everything in Rust, but it is worth considering writing any new software in Rust instead of C, especially if this new software is at a low level like compilers, the kernel, and libraries. Other applications can be written in a higher-level language with garbage collection and static typing instead of C.

A sandbox like NaCl doesn't depend on the kernel for security. In fact, it shields the kernel, which is good, because common OS kernels tend to have large attack surfaces of their own. The compiler of the sandbox needs to be reliable (so like CompCert, until Rust matures in this regard), but the compiler(s) of the software inside the sandbox don't matter.

You're right that stuffing all of Chromium into a single sandbox would not be very good, because pages would be able to attack the browser (history, passwords, etc.) and each other. You'd want to run each renderer in its own sandbox (which to some extent Chrome already does).