Reddit - r/programming Grade 8 9d ago

Jo's two-world architecture to solve the fine-grained sandboxing problem at compile-time

Jo is a secure programming language that intends to address the fine-grained sandboxing problem at compile-time. To make secure programming practical it ends up with a two-world architecture:

- confined world: not trusted, no FFI transitively, disciplined, standard library is not trusted
- trusted world: trusted, FFI, type cast, language runtime is trusted

The two-world architecture makes it possible to establish a security wall inside the language: that makes it easy to confine an untrusted program to arbitrarily fine-grained permission, e.g., only access certain rows or columns of a database table. The language-level confinement removes the need for runtime sandboxing because compile-time confinement is more fine-grained. It also makes security auditing easier. For resource quota, it still needs to be combined with ulimit/cgroups.

We believe the two-world design addresses both the need for security and usability in secure programming. Comments are welcome on the design or alternatives to address the same problem.

Link: https://jo-lang.org/security/two-worlds.html

submitted by /u/liufengyun
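The row/column confinement the post describes, modelled in Python as an added example (not Jo code and not from the linked page): the trusted world owns the raw table and hands the confined world only a capability limited to a row predicate and a column set. The table, the `TableView` type and the `grant_view`/`confined_report` functions are constructed for this illustration; Python does not enforce the wall at compile time, which is exactly the gap the post's language-level design targets.

```python
"""Two-world model: trusted code grants a narrow capability; confined code
only ever sees that capability, never the raw table. Constructed example."""
from dataclasses import dataclass
from typing import Callable, Iterable

# Constructed sample table (assumed data, not from the post).
EMPLOYEES = [
    {"id": 1, "name": "ana", "dept": "eng", "salary": 120},
    {"id": 2, "name": "bo", "dept": "ops", "salary": 90},
    {"id": 3, "name": "cy", "dept": "eng", "salary": 150},
]


class PermissionDenied(Exception):
    pass


@dataclass(frozen=True)
class TableView:
    """Capability handed across the wall: fixed columns and a fixed row filter.
    NOTE: Python cannot stop confined code from reaching _rows; in the post's
    design that reach is what the confined world's type rules rule out."""
    _rows: tuple
    columns: frozenset
    row_filter: Callable[[dict], bool]

    def select(self, wanted: Iterable[str]) -> list:
        wanted = list(wanted)
        extra = set(wanted) - self.columns
        if extra:
            raise PermissionDenied(f"columns not granted: {sorted(extra)}")
        return [{c: r[c] for c in wanted} for r in self._rows if self.row_filter(r)]


# Trusted world: decides the grant; the raw table never crosses the wall.
def grant_view(columns, row_filter) -> TableView:
    return TableView(tuple(EMPLOYEES), frozenset(columns), row_filter)


# Confined world: receives the capability only, cannot widen it.
def confined_report(view: TableView) -> list:
    return view.select(["name", "dept"])


def confined_salary_attempt(view: TableView) -> str:
    """What an over-reaching confined program gets back from the capability."""
    try:
        view.select(["name", "salary"])
        return "allowed"
    except PermissionDenied as exc:
        return str(exc)
```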
