On 7/11/12 10:09 AM, Ian Melven wrote:
> Also, in general, I'm pretty curious about Servo's process model and its
> security architecture, maybe that's best discussed in a new thread though (I
> really need to take some time to understand Rust better as well). My
> particular interest is in how Servo relates to the process sandboxing project
> I'm working on and any ideas around what Servo's possible addon model might
> be - Servo is often proposed as a solution to the needs driving the sandboxing
> project but it seems there will still be unsafe, possibly exploitable code in
> certain parts of it.

The memory safety and type safety of Rust aren't a substitute for a sandbox. Even with memory safety, it's still possible for someone to call os::exec("calc.exe"). And it's still potentially possible to exploit kernel32.dll, user32.dll, d3d9.dll, etc.

So we will need to use a sandbox. I think this sandboxing code should be part of the Rust cargo ecosystem, so that Rust programs can generally use it and the Rust community can contribute to it.

That said, memory safety definitely helps security in a big way. I think of memory safety and type safety as just one particularly powerful layer of protection. Just like any security layer, it rules out many sources of exploits, but other layers of protection are needed.

Patrick
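The following is an added illustration of the point made in the reply above; it is not code from Servo, from the Rust project, or from the sandboxing project mentioned in the thread. The module with `#![forbid(unsafe_code)]` shows that launching an arbitrary program needs no `unsafe` at all, so memory safety does nothing to stop it. The `ExecPolicy` allow-list that follows is a hypothetical second layer (its name, the `Denied` variants and the sample allow-list are all assumptions made here) of the kind a broker process would enforce on behalf of a sandboxed renderer:

```rust
// Added example, not Servo or Rust project code. Demonstrates that memory
// safety is one layer: safe code can still exec, so a separate policy layer
// (here a hypothetical broker-style allow-list) is needed.
use std::collections::HashSet;
use std::path::{Component, Path};
use std::process::{Command, Output};

/// The compiler rejects any `unsafe` block inside this module, yet the code in
/// it can still launch any program on the system from untrusted input.
mod safe_but_not_sandboxed {
    #![forbid(unsafe_code)]
    use std::process::Command;

    /// Builds an exec request from attacker-controlled strings. This is fully
    /// type- and memory-safe, and it is exactly what a sandbox has to stop.
    pub fn exec_request(program: &str, args: &[&str]) -> Command {
        let mut cmd = Command::new(program);
        cmd.args(args);
        cmd
    }
}

/// Reasons the policy layer refuses an exec request.
#[derive(Debug, PartialEq, Eq)]
pub enum Denied {
    /// A bare name like "calc.exe" would be resolved through PATH lookup.
    NotAbsolute,
    /// A ".." component could escape the allow-listed directory.
    Traversal,
    /// Absolute and clean, but not on the allow-list.
    NotAllowListed,
}

/// Errors from actually running a request: refused by policy, or spawn failed.
#[derive(Debug)]
pub enum ExecError {
    Policy(Denied),
    Io(std::io::Error),
}

/// Hypothetical second layer: an allow-list of absolute program paths.
/// In a real design this check lives in a privileged broker process, outside
/// the sandboxed process; a policy enforced inside the sandboxed process can
/// be bypassed by an attacker who already controls that process.
pub struct ExecPolicy {
    allowed: HashSet<&'static str>,
}

impl ExecPolicy {
    pub fn new(allowed: &[&'static str]) -> Self {
        ExecPolicy { allowed: allowed.iter().copied().collect() }
    }

    /// Decides whether `program` may be executed, without executing it.
    pub fn check(&self, program: &str) -> Result<(), Denied> {
        let path = Path::new(program);
        if !path.is_absolute() {
            return Err(Denied::NotAbsolute);
        }
        if path.components().any(|c| matches!(c, Component::ParentDir)) {
            return Err(Denied::Traversal);
        }
        if !self.allowed.contains(program) {
            return Err(Denied::NotAllowListed);
        }
        Ok(())
    }

    /// Runs the program only if the policy permits it; the safe exec path is
    /// reached solely through this gate.
    pub fn run(&self, program: &str, args: &[&str]) -> Result<Output, ExecError> {
        self.check(program).map_err(ExecError::Policy)?;
        safe_but_not_sandboxed::exec_request(program, args)
            .output()
            .map_err(ExecError::Io)
    }
}

fn main() {
    // Sample allow-list, constructed for this example.
    let policy = ExecPolicy::new(&["/bin/true", "/usr/bin/true"]);
    // Untrusted inputs that the safe exec path would happily run unguarded.
    for program in ["calc.exe", "/usr/bin/../../tmp/payload", "/bin/sh"] {
        println!("{}: {:?}", program, policy.check(program));
    }
    match policy.run("/bin/true", &[]) {
        Ok(out) => println!("/bin/true exited with {}", out.status),
        Err(e) => println!("/bin/true: {:?}", e),
    }
}
```

The allow-list is deliberately not the interesting part. The point is where it runs: if the same process that parses untrusted HTML also decides what it may exec, a compromised renderer simply skips the check. Kernel-enforced mechanisms (seccomp filters, job objects and integrity levels on Windows, or a broker that performs the exec on the renderer's behalf) are what make the second layer hold, and they are needed regardless of how much of the program is written in safe Rust.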
_______________________________________________
dev-servo mailing list
dev-servo@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-servo
