(queue.acm.org)

182 points yarapavan | 1 comments | 07 Apr 25 18:04 UTC | HN request time: 0.218s | source

Show context

mlinksva ◴[07 Apr 25 18:31 UTC] No.43614464[source]▶

Good article for what it covers, but sadly does not cover isolation/sandboxing/least privilege.

bitwize ◴[07 Apr 25 19:34 UTC] No.43615031[source]▶

Indeed. In 2020s, if you're not sandboxing each thing, and then sandboxing each library the thing depends on, you're running with way too many opportunities for vulnerability.

replies(1): >>43615529 #

LtWorf ◴[07 Apr 25 20:19 UTC] No.43615529[source]▶

>>43615031 #

Well said! How?

replies(3): >>43615593 #>>43617134 #>>43617404 #

bitwize ◴[07 Apr 25 20:26 UTC] No.43615593[source]▶

>>43615529 #

I have no freaking idea. Needless to say I don't think our current operating systems are up to the task of actually being secure. You have to be able to somehow dynamic-link in a library whilst only giving calls into that library certain permissions/capabilities... which I don't think even Windows can do.

replies(4): >>43615767 #>>43615910 #>>43616588 #>>43617962 #

GuinansEyebrows ◴[07 Apr 25 21:03 UTC] No.43615910[source]▶

>>43615593 #

Ignorant reply here, but would openbsd's `pledge` and `unveil` sorta cover what you're talking about?

replies(1): >>43616075 #

1. LtWorf ◴[07 Apr 25 21:21 UTC] No.43616075[source]▶

>>43615910 #

At the library level? Not as far as I know…

↑

Fifty Years of Open Source Software Supply Chain Security