(queue.acm.org)

182 points yarapavan | 2 comments | 07 Apr 25 18:04 UTC | HN request time: 0.545s | source

Show context

mlinksva ◴[07 Apr 25 18:31 UTC] No.43614464[source]▶

Good article for what it covers, but sadly does not cover isolation/sandboxing/least privilege.

bitwize ◴[07 Apr 25 19:34 UTC] No.43615031[source]▶

Indeed. In 2020s, if you're not sandboxing each thing, and then sandboxing each library the thing depends on, you're running with way too many opportunities for vulnerability.

replies(1): >>43615529 #

LtWorf ◴[07 Apr 25 20:19 UTC] No.43615529[source]▶

>>43615031 #

Well said! How?

replies(3): >>43615593 #>>43617134 #>>43617404 #

1. mlinksva ◴[07 Apr 25 23:56 UTC] No.43617134[source]▶

>>43615529 #

I don't really know because I haven't put work in to investigate, but some things in that direction seem to be, possibly in order of some combination of maturity and comprehensiveness.

  - CHERI compartmentalisation
  - LavaMoat (js)
  - Scala "capture checking"
  - Java "integrity by default"

replies(1): >>43618873 #

2. LtWorf ◴[08 Apr 25 06:24 UTC] No.43618873[source]▶

>>43617134 (TP) #

I haven't really understood how lavamoat works (if it works).

↑

Fifty Years of Open Source Software Supply Chain Security