Hacker News

> If we can't even trust UID separation to work, then the project of secure computing is hopeless.

Not at all. We have better sandboxing mechanisms now.

> If we can't get it right after all this time, what hope can Sandstorm possibly have of getting a new system right?

UID separation has broken down because the attack surface has grown too large, encompassing:

* The entire ever-growing system call list.

* The huge /proc and /sys filesystems, which let you muck with all kinds of process and system state.

* Devices in /dev, many connected to low-quality device driver code.

* Every setuid-root binary installed on the system.

When the API gets that huge, avoiding bugs across the whole thing gets impossible.

Modern sandboxes work by massively reducing this surface. Sandstorm apps are restricted to a core set of common system calls, do not get /proc or /sys, only get a couple of devices in /dev, and cannot use setuid-root binaries. In this situation, security is much easier.

Moreover, we use a capability-based security model to permit apps to talk to each other and the world, rather than an ACL-based one. This model makes it much easier to start from zero and grow, rather than starting from everything being accessible and then shrinking.

> And it's really the only hope we have.

Luckily, it is not.
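The comment above describes the core mechanism of a modern sandbox: a default-deny allowlist of system calls, so that the kernel's huge API surface shrinks to a handful of entry points. The following is an added example (not the commenter's code and not Sandstorm's actual filter, which is not shown on this page) of how such an allowlist is expressed as a seccomp-bpf program on Linux. The specific syscalls in the allowlist, the choice to return EPERM rather than kill the process, and the small userspace evaluator used to inspect the filter's decisions are all assumptions made for illustration; the evaluator only models the three BPF opcode kinds the filter uses.

```c
// Added example: a default-deny seccomp-bpf syscall allowlist (illustrative,
// not Sandstorm's real filter) plus a toy evaluator for inspecting decisions.
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U   /* older headers lack this */
#endif
#ifndef SECCOMP_RET_ACTION_FULL
#define SECCOMP_RET_ACTION_FULL 0xffff0000U
#endif

#if defined(__x86_64__)
#define NATIVE_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define NATIVE_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* Two instructions: if nr == N then return ALLOW, otherwise fall through. */
#define ALLOW(nr) \
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), \
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)

/* Assumed allowlist: enough for a process that reads, writes and exits.
   Anything not listed fails with EPERM instead of reaching the kernel. */
static struct sock_filter filter[] = {
    /* 1. Refuse to run on any other arch: syscall numbers differ between
          architectures and compat layers, so the allowlist would be wrong. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NATIVE_ARCH, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    /* 2. Load the syscall number and walk the allowlist. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    ALLOW(__NR_read),  ALLOW(__NR_write),      ALLOW(__NR_close),
    ALLOW(__NR_exit),  ALLOW(__NR_exit_group), ALLOW(__NR_brk),
    ALLOW(__NR_mmap),  ALLOW(__NR_munmap),     ALLOW(__NR_fstat),
    ALLOW(__NR_newfstatat), ALLOW(__NR_ioctl), ALLOW(__NR_rt_sigreturn),
    /* 3. Default deny: hand -1/EPERM back to the caller. */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
};

/* Toy userspace interpreter for the opcodes used above, so the decision for
   an (arch, syscall) pair can be checked without installing the filter. */
static uint32_t evaluate(uint32_t arch, int nr) {
    struct seccomp_data d = { .nr = nr, .arch = arch };
    uint32_t acc = 0;
    size_t n = sizeof filter / sizeof filter[0];
    for (size_t pc = 0; pc < n; pc++) {
        const struct sock_filter *in = &filter[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:           /* acc = seccomp_data[k] */
            memcpy(&acc, (const char *)&d + in->k, sizeof acc);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:          /* skip jt or jf instructions */
            pc += (acc == in->k) ? in->jt : in->jf;
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            return SECCOMP_RET_KILL_PROCESS;     /* opcode this toy doesn't model */
        }
    }
    return SECCOMP_RET_KILL_PROCESS;             /* fell off the end: deny */
}

/* Action part of the decision for a syscall made from the native arch. */
static uint32_t action_for(int nr) {
    return evaluate(NATIVE_ARCH, nr) & SECCOMP_RET_ACTION_FULL;
}

/* Install the filter on the calling thread. NO_NEW_PRIVS is required for an
   unprivileged process and also stops a later execve of a setuid binary from
   gaining privileges the filter did not anticipate. */
static int install_filter(void) {
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof filter / sizeof filter[0]),
        .filter = filter,
    };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

int main(void) {
    printf("ptrace decision in the filter: %s\n",
           action_for(__NR_ptrace) == SECCOMP_RET_ERRNO ? "EPERM" : "allow");
    if (install_filter() != 0) { perror("install_filter"); return 1; }
    long r = syscall(__NR_ptrace, 0, 0, 0, 0);   /* never reaches ptrace code */
    printf("ptrace after install: r=%ld errno=%d (EPERM=%d)\n", r, errno, EPERM);
    return 0;
}
```

Returning EPERM instead of killing the process is a debugging convenience for a sketch like this; a production sandbox would usually log or kill on an unexpected syscall so that gaps in the allowlist are noticed rather than silently tolerated. The arch check at the top matters because without it a 32-bit compat syscall could be interpreted against the 64-bit numbering.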
