{"id":1520,"date":"2022-08-29T15:50:20","date_gmt":"2022-08-29T22:50:20","guid":{"rendered":"https:\/\/www.skierpage.com\/blog\/?p=1520"},"modified":"2022-11-02T17:37:34","modified_gmt":"2022-11-03T00:37:34","slug":"software-making-it-safer-to-run-random-programs","status":"publish","type":"post","link":"https:\/\/www.skierpage.com\/blog\/2022\/08\/software-making-it-safer-to-run-random-programs\/","title":{"rendered":"software: making it safer to run random programs"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">I was dubious about Google&#8217;s new Fuchsia operating system, but it has some <a href=\"https:\/\/fuchsia.dev\/fuchsia-src\/concepts\">very interesting ideas<\/a>, including capability-based execution. Programs that can do nothing until you grant them capabilities are so much better \u2013 I hate downloading some Windows .EXE game editor or utility that could literally do anything to my computer. But similar functionality is coming to existing operating systems:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Sandboxing of random binaries is getting easier, though still way too fiddly.<\/li>\n\n\n\n<li>More programs are being written or recompiled to run in a browser, where I&#8217;m confident they can&#8217;t read and write random files.<\/li>\n\n\n\n<li><a href=\"https:\/\/flatpak.org\/\">Flatpak<\/a>&#8216;s sandboxing of portable Linux application binaries by default is good, and the innovation of programs invoking user-controlled <a href=\"https:\/\/docs.flatpak.org\/en\/latest\/desktop-integration.html#portals\">portals<\/a> implemented by the toolkit that provide well-defined functionality to open or save documents, print, turn on the camera, etc. is great.<\/li>\n\n\n\n<li>The WASI WebAssembly System Interface defines a runtime with capability-based security for portable WebAssembly programs. 
&#8220;Write Once Run Anywhere&#8221; lives again \ud83d\ude09!<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Or write a new operating system<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">If you&#8217;re looking for O.S. innovation besides Fuchsia, <a href=\"https:\/\/www.redox-os.org\/\">Redox OS<\/a> is a very interesting micro-kernel O.S. written in Rust based around I\/O access where every path is a URL in a scheme (e.g. <code>pipe:<\/code>, <code>initfs:<\/code>, etc. schemes in its kernel and <code>disk:<\/code>, <code>file:<\/code>, <code>ip:<\/code>, etc. schemes running in userspace). And now there&#8217;s <a href=\"https:\/\/www.theseus-os.com\/Theseus\/book\/design\/design.html\">Theseus OS<\/a> also written in Rust, which trusts the security guarantees of Rust code to &#8220;execute everything in a single address space and at a single privilege level&#8221; \ud83d\ude2e. The former is close to being able to run emulators and the latter can <a href=\"https:\/\/www.theseus-os.com\/2022\/06\/21\/wasmtime-complete-no_std-port.html\">now run Wasm\/WASI programs<\/a>, which helps with the problem of few programs that can run on a new O.S. And there&#8217;s progress in writing safer Rust stdlib implementations <a href=\"https:\/\/github.com\/bytecodealliance\/cap-std\">that use capabilities<\/a> and\/or can&#8217;t open random files (everything is an <code>openat2()<\/code> that can only open files under file descriptors that the environment provides).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">There&#8217;s lots of good interesting stuff happening at multiple levels. Disclaimer: I only have a weak understanding of all of this.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I was dubious about Google&#8217;s new Fuchsia operating system, but it has some very interesting ideas, including capability-based execution. 
Programs that can do nothing until you grant them capabilities are so much better \u2013 I hate downloading some Windows .EXE &hellip; <a href=\"https:\/\/www.skierpage.com\/blog\/2022\/08\/software-making-it-safer-to-run-random-programs\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_crdt_document":"","footnotes":""},"categories":[14,18],"tags":[],"class_list":["post-1520","post","type-post","status-publish","format-standard","hentry","category-open-source","category-software"],"_links":{"self":[{"href":"https:\/\/www.skierpage.com\/blog\/wp-json\/wp\/v2\/posts\/1520","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.skierpage.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.skierpage.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.skierpage.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.skierpage.com\/blog\/wp-json\/wp\/v2\/comments?post=1520"}],"version-history":[{"count":6,"href":"https:\/\/www.skierpage.com\/blog\/wp-json\/wp\/v2\/posts\/1520\/revisions"}],"predecessor-version":[{"id":1555,"href":"https:\/\/www.skierpage.com\/blog\/wp-json\/wp\/v2\/posts\/1520\/revisions\/1555"}],"wp:attachment":[{"href":"https:\/\/www.skierpage.com\/blog\/wp-json\/wp\/v2\/media?parent=1520"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.skierpage.com\/blog\/wp-json\/wp\/v2\/categories?post=1520"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.skierpage.com\/blog\/wp-json\/wp\/v2\/tags?post=1520"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}