Don't know about you, but I am getting Mach flashbacks.
Next at #LinuxPlumbers, Barret Rhoden provides an update on Google's Ghost kernel scheduler class and describes a new BPF-only CPU scheduler as an example.
Last year's references: https://twitter.com/pchaigno/status/1439965320056344577
There have been enough sandbox escape vulnerabilities at this point that same-process sandboxing is no longer considered a viable technique for running completely untrusted code. But it can still be used in MOO's security model, where users have to demonstrate some amount of trustworthiness to get programmer bits, and only well-known and trusted users get wizbits.
I've managed to build a proof-of-concept system with fine-grained sandboxing using Lua, but I ran out of motivation on that project because there's not much of an existing Lua ecosystem to use compared to JS. I would have built it on Duktape had Duktape existed at the time. And once Duktape came along WASM was on the horizon.
I doubt there will be a WASM runtime designed for same-process sandboxing anytime soon. But there appears to be some momentum toward making WASM-GC OCAP-safe, which at least would make it possible to run semi-mutually-untrusting code, though it would not protect against memory or CPU-time DoS.
Server-side WASM appears to be fairly mature at this point. While this doesn't give same-process sandboxing or finer-grained concurrency, it does support one of the "holy grails" we had back in the ColdC/Genesis days: language agnosticism. While that mostly only means Rust and C++ at the moment, Rust is certainly preferable to JS, it has a sufficiently large community and ecosystem, and the ability to target WASM has been a goal of Rust for a long time (always?).
I think I'll spend some time checking out Wasmtime.
Super neat blog post about the #Webassembly component model and wit-bindgen interop. https://wasmcloud.com/blog/webassembly_components_and_wasmcloud_actors_a_glimpse_of_the_future/
Enarx is an open source framework for running WebAssembly applications in TEEs (Trusted Execution Environments).
Enarx is completely written in Rust and includes an SGX shim, an X86_64 unikernel via KVM with SEV-SNP support.
Our contributions to Rust include:
* static-pie support
* x86_64-unknown-none Tier 2 target
* stabilization of naked functions
* network support for wasm32-wasi
* bindeps feature for cargo
The „State of #WebAssembly 2022“ Survey: help Setting the direction for future development of the #wasm ecosystem!
I am fleeing the unleashing of the trolls in the impending Musk-alypse.
With >41K blocks and <3K follows on Twitter the noise to signal ratio is trending the wrong way. And it will get worse.
If you follow the rules, you are welcome to join. Here we are trying to build a curated network of respectful professionals in the tech industry. We are hackers, professionals, enthusiasts, and are passionate about life, respect, and freedom. We believe in peace. Safe space. Tech Industry. Economics. OSINT/News. Linux. Kubernetes. Infrastructure. Security. Hackers. Respect. LGTBQIA+. Pets. Hobbies.