
Comment by greenspot

10 years ago

Anyone can help?

He is writing that the current browser sandbox model is not secure–all in a dramatic, clickbaity manner.

After many esoteric lines, he then says (maybe it's the tl;dr)...

"We need a highly secure (ideally provably secure) sandbox that doesn’t have any features! Then, you can run an insecure browser inside, where security doesn’t matter."

Then again some more lines of confusion.

So, what does he suggest? Putting the browser in a VM?

Put the browser in a VM/sandbox, yes.

tl;dr: Right now there is a competition between features and security, and security is losing. By separating them, they wouldn't need to compete, and we could have both. It isn't a good idea for a sandbox to directly handle things like CSS transforms.

Is my writing really esoteric?

  • Thanks for your reply and apologies for the 'esoteric'. Maybe not the right wording, but I read your post a few times and I would have liked to get more details about the idea.

    The idea sounds ok at first glance once you clarified it, but how does it work, will it work, and what would be the implications? And many more questions. Currently I see the core idea surrounded by many vague statements.

    And btw you can do this today already: just start a VM with a browser (might be a bit resource heavy and the integration into the main OS subpar). Or Docker with a browser. Not sure though if the latter fulfills your security requirements.

    But in the end, the browser is more than an isolated piece of software in a VM. Integration at the OS level is required, and trivial stuff like a full-screen mode is possible but might complicate matters within a VM. Or 3D acceleration and everything where direct access to the API is required. And suddenly the VM is piping everything through the main OS, because a browser just needs access to all the OS APIs, and then you end up back at square one. So, I also find your idea a bit confusing.
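As an added illustration of the point made in this reply (this is example code, not something posted by either participant), the following POSIX shell script assembles a bubblewrap (bwrap) invocation for a browser. It starts from a sandbox that grants nothing beyond a read-only system image and then adds, feature by feature, the host resources that integration requires. Assumptions, all mine rather than the thread's: bwrap and a browser binary (default firefox) are installed, the display is X11 on :0 with its socket at /tmp/.X11-unix/X0, audio goes through a PulseAudio socket under XDG_RUNTIME_DIR, and the feature names (net, gui, gpu, audio) and function names are invented for the example. Nothing is launched unless run_browser is called explicitly.

```shell
#!/bin/sh
# Added example (not from the thread): how much of the host each browser
# "feature" drags into a bwrap sandbox. Assumed: bwrap installed, X11 on :0,
# PulseAudio socket under XDG_RUNTIME_DIR, browser binary in $BROWSER.
set -e

home="${HOME:-/root}"
runtime_dir="${XDG_RUNTIME_DIR:-/run/user/$(id -u)}"

# Build the bwrap argument list for the requested features and hand it to
# the command named in $1 (print_args to inspect it, launch to run it).
# Positional parameters are used instead of a string so that paths with
# spaces (e.g. under $HOME) survive intact.
with_sandbox_args() {
    cmd="$1"; shift
    feats="${*:-}"

    # Base profile: read-only /usr and /etc, fresh /proc and /dev, private
    # /tmp and home, all namespaces unshared (so: no network, no host PIDs),
    # empty environment, own session, dies with the parent. This is the
    # "sandbox with no features": the browser starts and can do nothing.
    set -- \
        --ro-bind /usr /usr \
        --ro-bind /etc /etc \
        --symlink usr/lib /lib \
        --symlink usr/lib64 /lib64 \
        --symlink usr/bin /bin \
        --proc /proc \
        --dev /dev \
        --tmpfs /tmp \
        --tmpfs "$home" \
        --unshare-all \
        --clearenv \
        --setenv HOME "$home" \
        --setenv PATH /usr/bin \
        --new-session \
        --die-with-parent

    for f in $feats; do
        case "$f" in
            # Network: re-share the host's network namespace. Name
            # resolution comes from the /etc bind above.
            net)
                set -- "$@" --share-net ;;
            # Screen, keyboard, mouse, and with them full-screen mode:
            # exposing the X11 socket gives the whole X11 protocol, which
            # includes the input of other windows on that display.
            gui)
                set -- "$@" \
                    --ro-bind /tmp/.X11-unix/X0 /tmp/.X11-unix/X0 \
                    --ro-bind "${XAUTHORITY:-$home/.Xauthority}" /run/xauth \
                    --setenv DISPLAY :0 \
                    --setenv XAUTHORITY /run/xauth ;;
            # 3D acceleration: the DRM device nodes, i.e. direct ioctl
            # access to the kernel GPU driver from inside the sandbox.
            gpu)
                set -- "$@" --dev-bind /dev/dri /dev/dri ;;
            # Sound: the PulseAudio socket (read-write, it is a socket).
            audio)
                set -- "$@" \
                    --bind "$runtime_dir/pulse" "$runtime_dir/pulse" \
                    --setenv XDG_RUNTIME_DIR "$runtime_dir" ;;
            *)
                printf 'unknown feature: %s\n' "$f" >&2
                return 1 ;;
        esac
    done

    "$cmd" "$@"
}

print_args() { printf '%s\n' "$@"; }

launch() { exec bwrap "$@" -- "${BROWSER:-firefox}"; }

# sandbox_args [feature...]  -> bwrap arguments, one per line
sandbox_args() { with_sandbox_args print_args "$@"; }

# host_paths [feature...]    -> host paths made visible inside the sandbox
host_paths() {
    sandbox_args "$@" | awk 'prev ~ /-bind$/ { print } { prev = $0 }'
}

# run_browser [feature...]   -> actually start the browser under bwrap
run_browser() { with_sandbox_args launch "$@"; }

# Example: run_browser net gui gpu audio
```

Calling host_paths with no features lists two host paths (/usr and /etc); calling it with all four features lists six, and the interesting ones are not the count but the kind: a display socket, a GPU device node and an audio socket are exactly the direct API access the reply describes, and once they are bound the sandbox boundary no longer says much about what the browser can do with them.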