- Subject: Re: safe subset of FFI?
- From: "Robert G. Jakabosky" <bobby@...>
- Date: Tue, 17 May 2011 19:02:43 -0700
On Tuesday 17, Josh Haberman wrote:
> Justin Cormack <justin <at> specialbusservice.com> writes:
> > It is not hard to wrap bounds testing around an ffi structure
> This misses the point: once FFI is loaded, memory safety is gone.
> Any malicious or buggy code that is loaded could buffer overflow.
> If a memory-safe FFI subset existed, you could allow it to be
> loaded (but not FFI) and get some of FFI's benefits without giving
> up memory safety.
You can hide the FFI module from sandboxed code. Wrap FFI up in a safe
interface, then sandbox the unsafe code.
Robert G. Jakabosky
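As an added illustration of the approach Robert describes (hide the FFI module from sandboxed code, expose only a safe wrapper), here is a small LuaJIT sketch. It is example code written for this page, not code from the thread or from LuaJIT itself; the names `SafeBuffer`, `run_sandboxed` and `make_sandbox_env` are this example's own. It relies on LuaJIT's `ffi` module and on the Lua 5.1 `loadstring`/`setfenv` API that LuaJIT provides.

```lua
-- Added example (not from the original thread): the FFI module is required only
-- in this trusted outer chunk. Untrusted code gets an environment with no
-- `require`, no `ffi`, no `package`, no `debug` and no `loadstring`, plus a
-- bounds-checked wrapper. Names below (SafeBuffer, run_sandboxed, ...) are
-- this example's own, not a LuaJIT API.
local ffi = require("ffi")

-- The raw cdata lives in a private, weak-keyed table keyed by wrapper object,
-- so sandboxed code holding a SafeBuffer can never reach the pointer itself
-- (a plain `self._data` field would leak it and defeat the bounds checks).
local private = setmetatable({}, { __mode = "k" })

local SafeBuffer = {}
SafeBuffer.__index = SafeBuffer

function SafeBuffer.new(size)
  assert(type(size) == "number" and size > 0 and size == math.floor(size),
         "size must be a positive integer")
  local self = setmetatable({}, SafeBuffer)
  -- LuaJIT zero-initialises VLA cdata allocated with ffi.new("T[?]", n)
  private[self] = { data = ffi.new("uint8_t[?]", size), len = size }
  return self
end

local function state(self)
  local st = private[self]
  if not st then error("not a SafeBuffer", 3) end
  return st
end

local function check_index(st, i)
  if type(i) ~= "number" or i ~= math.floor(i) or i < 0 or i >= st.len then
    error(string.format("index %s out of range [0, %d)", tostring(i), st.len), 3)
  end
end

function SafeBuffer:len() return state(self).len end

function SafeBuffer:get(i)
  local st = state(self)
  check_index(st, i)
  return st.data[i]
end

function SafeBuffer:set(i, v)
  local st = state(self)
  check_index(st, i)
  assert(type(v) == "number" and v >= 0 and v <= 255, "byte value must be 0..255")
  st.data[i] = v
end

-- Copy a Lua string in; refuse any write that would overrun the allocation.
function SafeBuffer:write_string(s, offset)
  local st = state(self)
  offset = offset or 0
  assert(type(s) == "string", "expected a string")
  check_index(st, offset)
  if offset + #s > st.len then
    error(string.format("write of %d bytes at %d exceeds buffer of %d",
                        #s, offset, st.len), 2)
  end
  ffi.copy(st.data + offset, s, #s)
end

function SafeBuffer:tostring()
  local st = state(self)
  return ffi.string(st.data, st.len)
end

-- Environment handed to untrusted code: only the wrapper and a few pure helpers.
local function make_sandbox_env()
  return {
    SafeBuffer = { new = SafeBuffer.new },
    string = { format = string.format, byte = string.byte,
               char = string.char, rep = string.rep, len = string.len },
    math = math, pairs = pairs, ipairs = ipairs, type = type,
    tostring = tostring, tonumber = tonumber, pcall = pcall,
    error = error, assert = assert, select = select, unpack = unpack,
  }
end

-- Compile untrusted source against that environment and run it under pcall.
local function run_sandboxed(src)
  local chunk, err = loadstring(src, "=sandbox")
  if not chunk then return false, err end
  setfenv(chunk, make_sandbox_env())
  return pcall(chunk)
end

-- Constructed untrusted snippets showing what the sandbox permits and refuses.
print(run_sandboxed([[
  local b = SafeBuffer.new(4)
  b:write_string("abc")
  return b:get(0), b:len(), b:tostring()
]]))
print(run_sandboxed([[ return require("ffi") ]]))
print(run_sandboxed([[ local b = SafeBuffer.new(4); b:set(4, 1) ]]))
print(run_sandboxed([[ local b = SafeBuffer.new(4); b:write_string("abcdef", 2) ]]))
```

The first call succeeds and returns the byte, the length and the contents; the remaining three fail inside `pcall` because `require` is absent from the environment and the wrapper rejects the out-of-range index and the oversized copy before any memory is touched. The detail worth keeping in mind when building such a wrapper is that the cdata must not be reachable from the object the sandbox holds, which is why this example parks it in an upvalue-only table rather than a field.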