I was dubious about Google’s new Fuchsia operating system, but it has some very interesting ideas, including capability-based execution. Programs that can do nothing until you grant them capabilities are so much better – I hate downloading some Windows .EXE game editor or utility that could literally do anything to my computer. But similar functionality is coming to existing operating systems:
- Sandboxing of random binaries is getting easier, though still way too fiddly.
- More programs are being written or recompiled to run in a browser, where I’m confident they can’t read and write random files.
- Flatpak's sandboxing of portable Linux application binaries by default is good, and its portals are a great innovation: instead of touching the filesystem or hardware directly, a program invokes a user-controlled portal, implemented by the toolkit, that provides well-defined functionality to open or save documents, print, turn on the camera, etc.
- The WASI WebAssembly System Interface defines a runtime with capability-based security for portable WebAssembly programs. “Write Once Run Anywhere” lives again 😉!
Or write a new operating system
If you’re looking for O.S. innovation besides Fuchsia, Redox OS is a very interesting micro-kernel O.S. written in Rust and built around I/O access where every path is a URL under a scheme (e.g. initfs: and similar schemes in its kernel, and ip: and similar schemes running in userspace). And now there’s Theseus OS, also written in Rust, which trusts the safety guarantees of Rust code to “execute everything in a single address space and at a single privilege level” 😮. The former (Redox) is close to being able to run emulators and the latter (Theseus) can now run Wasm/WASI programs, which helps with the problem of few programs being able to run on a new O.S. And there’s progress in writing safer Rust stdlib implementations that use capabilities and/or can’t open random files (everything is an openat2() that can only open files beneath directory file descriptors that the environment provides).
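To make the "can only open files beneath a directory descriptor" idea concrete, here is an added example (not code from the post or from any of the projects named) that emulates in user space what Linux's openat2() with RESOLVE_BENEATH does in the kernel: the directory fd is the capability, each path component is looked up with O_NOFOLLOW so symlinks cannot point outside, and ".." is only allowed while it stays below the root. The names open_beneath, attempt and build_demo_tree and the temporary directory layout are constructed for the illustration.

```python
import os
import tempfile

def open_beneath(dirfd: int, relpath: str, flags: int = os.O_RDONLY) -> int:
    """Open relpath relative to the capability dirfd, refusing absolute paths,
    '..' above dirfd, and symlinks (O_NOFOLLOW on every component)."""
    if relpath.startswith("/"):
        raise PermissionError(f"absolute path refused: {relpath!r}")
    parts = [p for p in relpath.split("/") if p not in ("", ".")]
    stack = [dirfd]   # stack[0] is the capability itself and is never popped
    opened = []       # intermediate directory fds, closed on exit
    try:
        for i, part in enumerate(parts):
            if part == "..":
                if len(stack) == 1:
                    raise PermissionError(f"path escapes directory: {relpath!r}")
                stack.pop()   # go back to the parent we already hold an fd for
                continue
            if i == len(parts) - 1:
                return os.open(part, flags | os.O_NOFOLLOW, dir_fd=stack[-1])
            fd = os.open(part, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW,
                         dir_fd=stack[-1])
            opened.append(fd)
            stack.append(fd)
        return os.dup(stack[-1])   # path resolved to a directory (e.g. "sub/..")
    finally:
        for fd in opened:
            os.close(fd)

def attempt(dirfd: int, relpath: str) -> str:
    """Read a file through the capability; 'ok:<data>' or 'refused:<error type>'."""
    try:
        with os.fdopen(open_beneath(dirfd, relpath), "rb") as f:
            return "ok:" + f.read().decode()
    except OSError as e:   # our PermissionError and the kernel's ELOOP are both OSError
        return "refused:" + type(e).__name__

def build_demo_tree() -> tuple[str, int]:
    """Constructed sample layout: root/outside.txt, root/safe/a.txt, root/safe/sub/,
    root/safe/link -> ../outside.txt. Returns (root, fd of root/safe)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "safe", "sub"))
    for rel, data in [("outside.txt", "secret"), ("safe/a.txt", "hello")]:
        with open(os.path.join(root, rel), "w") as f:
            f.write(data)
    os.symlink("../outside.txt", os.path.join(root, "safe", "link"))
    return root, os.open(os.path.join(root, "safe"), os.O_RDONLY | os.O_DIRECTORY)
```

Handing a program only the root/safe descriptor is the capability: "a.txt" and "sub/../a.txt" succeed, while "../outside.txt", the symlink "link" and any absolute path are refused before the kernel ever sees a path that leaves the directory.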
There’s lots of good interesting stuff happening at multiple levels. Disclaimer: I only have a weak understanding of all of this.