@raggi Perhaps I'm being either too optimistic about interpreters or too pessimistic about JITs, but breaking out of a Go/Rust interpreter stepping through your bytecode feels quite a bit harder than finding a subtle mismatch of expectations between the host runtime and generated code, and turning that into a ROP chain. It's certainly possible to JIT safely, I just don't personally know how to evaluate whether a particular one is.
-
@danderson I believe wasmtime can run in a mode where it's AOT only, and I'd also be using that, with a surrounding sandbox, for a real 3p deployment in an environment I need to be quite safe - no WX pages nearby
-
@raggi yeah, if I wanted to run these things, I'd end up lifting the compile and execution into separate processes, both sandboxed to within an inch of their lives, and at that point the threat is back to your usual kernel attack surface and/or microarchitectural issues.
... But in my case the code doesn't need to be as fast as it can possibly be, "maybe half the speed of CPython" would be more than fine, and I'd gladly trade in the extra speed for a much more benign execution environment.