
Library Sandboxing for Verona


Library sandboxing for the Verona research language and usable in other contexts. - microsoft/verona-sandbox

Note that the C++ APIs provide the same abstractions for sandboxed code invocation that the Verona compiler is expected to use, but the C++ type system lacks viewpoint adaptation and so cannot help you avoid accidentally following pointers that the attacker is able to manipulate. When the child wishes to invoke a system call that is not allowed (for example, open, which would grant access to the entire filesystem if permitted), the request is handled by a callback that takes the system call's arguments and returns either an error value or a file descriptor. The Capsicum implementation is the simplest, because the kernel provides exactly the policy required (no direct access to the global namespace, and restrictions on the operations permitted on delegated file descriptors).
