#sandstorm on 2022-06-15 — irc logs at libera.irclog.whitequark.org

2021-05-26 15:17 ChanServ changed the topic of #sandstorm to: Welcome to #sandstorm: home of all things Sandstorm and Cap'n Proto. Say hi! | Have a question but no one is here? Try asking in the discussion group: https://groups.google.com/group/sandstorm-dev | Channel logs available at https://libera.irclog.whitequark.org/sandstorm

08:00 xet7 has joined #sandstorm

13:37 xet7 has quit [Remote host closed the connection]

18:04 xet7 has joined #sandstorm

18:58 mnutt_ has quit []

19:00 mnutt has joined #sandstorm

22:04 cwebber` has joined #sandstorm

22:04 jfred_ has joined #sandstorm

22:05 jfred-linode_ has joined #sandstorm

22:07 Corbin has quit [Ping timeout: 250 seconds]

22:07 jfred has quit [Ping timeout: 250 seconds]

22:07 jfred-linode has quit [Ping timeout: 250 seconds]

22:07 cwebber has quit [Ping timeout: 250 seconds]

22:07 jfred_ is now known as jfred

22:18 Corbin has joined #sandstorm

22:26 xet7 has quit [Ping timeout: 240 seconds]

22:38 xet7 has joined #sandstorm

23:14 <torhex-pasmul[m]> what's the future of process-isolated units like sandstorm grains vs VM isolation? seeing sentiment against the former lately https://news.ycombinator.com/item?id=31760151

23:28 <isd> There's no intrinsic reason that process isolation should be less safe than VM isolation. I would even say in principle the opposite should be true, since it's a bit easier to fuss with the syscall API to make it easy to get right & minimize attack surface than it is to fuss with the ISA in the same way (fwiw, the same argument goes up the stack to language-level isolation). But, docker has given containers a bad reputation because it hasn't

23:28 <isd> really done that -- it tries to expose something that looks like pretty normal linux, and LPE vulnerabilities are as much of a concern there as they are elsewhere more or less. Sandstorm has a much better track record, mainly because we expose a lot less; even just banning /proc and userns alone dodges a huge number of LPEs.

23:36 <Corbin> I respect the commenter's experience here, but there are fundamental barriers to making VMs exactly as cheap as native processes, which ruins the "cheaper and cheaper" claim, so containers are *always* going to be scheduled in packed configurations.

23:37 <Corbin> (Generally, when a VM is fast, it's because the underlying processor is cheating somehow, and that cheating leads to security issues.)

23:40 <Corbin> Ah, here we go: https://news.ycombinator.com/item?id=31759105

23:48 <isd> The main intrinsic advantage of moving isolation down the stack is compatibility; if you do isolation with VMs, you can run basically any existing software. With process isolation, you're limited to userspace software that uses the right syscall API. Language level isolation you're now restricted to a particular language, etc.

23:50 <isd> In practice, today, it's sometimes also nice to have an extra layer of isolation (regardless of what's on top of it) just for defense in depth reasons. But people seem to have this intuition that hardware isolation is somehow easier to get right, since we don't hear about rampant problems with hardware zero-days. But that mostly reflects the effort hardware manufacturers put into correctness, not the intrinsic difficulty of the problem. Verifying

23:50 <isd> software is probably easier, we just don't do it because the cost of having to ship a hotfix isn't that high usually.

23:52 <isd> (I might have this on the brain right now; I've been working through https://softwarefoundations.cis.upenn.edu/)