Hacker News new | past | comments | ask | show | jobs | submit login

> In theory a compiler knows every reachable system call and all points of data input that could reach them

Sorta yes, sorta no.

Imagine I'm making a chat client, and I want users to be able to drag and drop images to share. But the OS doesn't have an "open drag-and-dropped file, extension .png or .jpg" function call, it only has "open file" which lets me open ~/.ssh/id_rsa too.

Or if I'm making a web browser and I want to support U2F tokens. But there's no OS "talk to U2F token" call - the browser needs access to the system calls for "talk to arbitrary USB devices".

Sandboxing PC software is tough.




If you end up with "X can open any file" that's something that's worth noting to a consumer. The sandbox capabilities don't have to be perfect in order to expose a scary situation.

Further, you can restrict a process to only open specific files in a number of ways on Linux, including based on path. There's room for improvement, though.


> But the OS doesn't have an "open drag-and-dropped file, extension .png or .jpg" function call, it only has "open file" which lets me open ~/.ssh/id_rsa too.

A programming language doesn't have to expose system calls directly. It arguably it shouldn't, in fact, for exactly this reason.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: