That's why they should all be sandboxed. Just compile them to wasm and this greatly reduces the surface area of exploits in practice; or, run them in a separate process and sandbox with seccomp (and talk to them with IPC). The former approach actually has less overhead for small components, or at least that's what Firefox devs found out https://hacks.mozilla.org/2020/02/securing-firefox-with-weba...
Relying on the compiler to do sandboxing is theoretically possible, as done by the Singularity and Midori operating systems from Microsoft (they ran all user programs in kernel mode, without paging, relying only on the compiler to prevent a user from reading memory from another user). But in practice this can't be done with a compiler full of holes like rustc; you would need a compiler that was designed for this from the ground up.
nextaccountic|1 year ago
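The second approach the comment mentions (a separate process confined with seccomp) in concrete form, as an added example that is not from the thread: the parent forks a child, the child installs a seccomp-BPF filter, and the parent learns via the exit status what the child was allowed to do. It assumes Linux; the filter here is a deny-list of `openat` with `SECCOMP_RET_ERRNO` so the effect is observable, whereas a real sandbox would allow-list syscalls and check `seccomp_data.arch`.

```c
// Added example, not from the comment: run a component in a child process
// under a seccomp-BPF filter that turns a denied syscall into EPERM instead
// of killing the process, so the parent can observe the result.
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Deny openat with EPERM, allow everything else. A production filter would be
 * an allow-list and would also verify seccomp_data.arch; this deny-list only
 * keeps the example short. */
static int install_filter(void) {
    struct sock_filter filter[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_openat, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof(filter) / sizeof(filter[0]),
                               .filter = filter };
    /* NO_NEW_PRIVS is required before an unprivileged process may load a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Fork, sandbox the child, and have it try to open `path`. Returns the errno
 * the child saw (0 if the open succeeded) or -1 if the sandbox could not be
 * set up. The filter never touches the parent: that is the point of the
 * separate process. */
int sandboxed_open_errno(const char *path) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (install_filter() != 0) _exit(255);
        long fd = syscall(SYS_openat, AT_FDCWD, path, O_RDONLY);
        _exit(fd >= 0 ? 0 : (errno & 0xff));
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    int code = WEXITSTATUS(status);
    return code == 255 ? -1 : code;
}

int main(void) {
    /* /dev/null is openable normally; under the filter the child gets EPERM. */
    return sandboxed_open_errno("/dev/null") == EPERM ? 0 : 1;
}
```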