Isolation without containers

Description

Software fault isolation (SFI) is a way of preventing errors or unexpected behavior in one program from affecting others. Sandboxes, processes, containers, and VMs are all forms of SFI. SFI is a deeply important part of not only operating systems but also browsers and even server software.

The ways in which SFI can be implemented vary widely. Operating systems take advantage of hardware capabilities, like the MMU (memory management unit). Others, like processes and containers, use facilities provided by the operating system kernel to provide isolation. Some types of sandboxing even use a combination of the compiler and runtime libraries in order to provide safety. Each of these methods has advantages and disadvantages, but we don’t often think of them as different options toward a similar end goal. However, when we consider the growing prevalence of things like edge computing and the internet of things, our common patterns start to falter.

Tyler McMullen offers an overview of sandboxing compilers, which provide important benefits but are also challenging to make both safe and fast. Tyler covers machine code generation and optimization, trap handling, and memory sandboxing and illustrates how to integrate them into an existing system—all based on a real compiler and sandbox, currently in development that is designed to run many thousands of sandboxes concurrently in server applications.