
Gnash, Lightspark, and Shumway


Posted Nov 25, 2012 20:26 UTC (Sun) by kripkenstein (subscriber, #43281)
In reply to: Gnash, Lightspark, and Shumway by khim
Parent article: Gnash, Lightspark, and Shumway

It is possible to sandbox C++ to some extent, yes. However,

1. It was not designed for that from the beginning, so the result has some tradeoffs (not all C++ code can run in a sandbox, performance is not quite the same, etc.).

2. Practically speaking, if you have a web browser with one sandbox that you spent huge efforts on (and all do), adding another sandbox means a lot of additional effort and risk. The risk comes from the fact that each sandbox will have vulnerabilities, so having more sandboxes means more of them.



Gnash, Lightspark, and Shumway

Posted Nov 25, 2012 21:22 UTC (Sun) by khim (subscriber, #9252)

It was not designed for that from the beginning, so the result has some tradeoffs

Well, of course.

not all C++ code can run in a sandbox

That's kinda the definition of a sandbox, you know. If all code (including malicious code) can run in a sandbox, then why would you need any sandbox at all? All correct ANSI C/C++ code should work in a sandbox (as long as it does not try to do anything forbidden, that is).

performance is not quite the same, etc.

Without a sandbox it's 100 times faster, with a sandbox it's only 50 times faster. Not a big deal, really.

Practically speaking, if you have a web browser with one sandbox that you spent huge efforts on (and all do), adding another sandbox means a lot of additional effort and risk. The risk comes from the fact that each sandbox will have vulnerabilities, so having more sandboxes means more of them.

Not all sandboxes are created equal. If you compare 100'000 LOC of JS sandbox (with some handwaving which should explain that it works... if you are lucky) and formally proven C++ sandbox... I'm not sure amount of effort is relevant, really.

The Chrome example is pretty convincing: the JS sandbox had more known vulnerabilities than the C++ one, but, more importantly, most vulnerabilities are not in JS-specific parts or C++-specific parts but in common parts which work with WebKit.

Gnash, Lightspark, and Shumway

Posted Nov 25, 2012 21:35 UTC (Sun) by kripkenstein (subscriber, #43281)

You are right that a small sandbox for C++ can be safer than a big one for JS. It's a fact that sandboxing a JS engine is a hard problem; it requires PICs and so forth to be fast.

But the web platform *forces* everyone to have a JS engine. So that work is already done (and the sandboxing is quite good these days). Adding another sandbox is a net increase in vulnerabilities. You can't not have the JS sandbox, but you can not have the C++ one.

Regarding 100x vs 50x - try 6x vs. 3x in modern JS engines on modern codebases.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds