
On 21.04.21 at 15:36, Sven Panne wrote:
> That's not totally correct: You can use anything you like when you have a sandbox while executing it. This is even much safer than relying on a language (which can have conceptual and/or implementation bugs) alone.
Actually, sandboxes have just as complicated an attack surface as languages. I also believe they are different domains. Secure languages deal with making guarantees about what a program does and, more importantly, what it does not do. So you can control things like IO effects and capabilities, and the language can even make these guarantees statically. A sandbox deals more with API objects. This is a much more complicated surface because today's APIs tend to be large, complex, and interact in unexpected fashions; on the other hand, it is much nearer to the actual objects being protected. I.e. I believe the two approaches, while they have some overlap, serve different purposes and need to complement each other.
> The attack surface of any non-trivial language, its implementation and its runtime is just too big for anything serious. Sandboxes are complex, too, but less so,
I believe the opposite is true. APIs change over time. Languages do that, too, but to a much lesser extent, and type system guarantees tend to hold for decades. Even filesystem APIs are less stable than that (think NFS, or filesystem-dependent ACLs).

Regards,
Jo
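The layering Jo argues for above, a language-level guarantee about which effects a program can express at all, complemented by a runtime sandbox over the API objects those effects touch, as an added example that is not part of this thread or of either author's code. Haskell is used because a restricted monad with no way to reach IO makes the "what the program cannot do" guarantee visible in the type; every name here (Restricted, Policy, runSandboxed, the file paths and contents) is illustrative and constructed for the example.

```haskell
-- Added example, not from the thread. All names and paths are constructed.
module Main where

import qualified Data.Map.Strict as M
import Data.List (isPrefixOf)

-- The only effects an untrusted plugin may express. There is no MonadIO
-- instance and no other way to run this type than the interpreter below, so
-- a value of type Restricted a cannot perform arbitrary IO; the compiler
-- rejects a plugin that tries before it ever runs. That is the language side.
data Restricted a
  = Done a
  | ReadFile FilePath (String -> Restricted a)
  | WriteFile FilePath String (Restricted a)

instance Functor Restricted where
  fmap f (Done a)          = Done (f a)
  fmap f (ReadFile p k)    = ReadFile p (fmap f . k)
  fmap f (WriteFile p s k) = WriteFile p s (fmap f k)

instance Applicative Restricted where
  pure = Done
  mf <*> mx = mf >>= \f -> fmap f mx

instance Monad Restricted where
  Done a          >>= f = f a
  ReadFile p k    >>= f = ReadFile p (\s -> k s >>= f)
  WriteFile p s k >>= f = WriteFile p s (k >>= f)

readFileR :: FilePath -> Restricted String
readFileR p = ReadFile p Done

writeFileR :: FilePath -> String -> Restricted ()
writeFileR p s = WriteFile p s (Done ())

-- The sandbox side: a runtime policy over the API objects (here, paths).
-- The type says nothing about which paths are touched, so only the
-- interpreter can enforce this, whatever the plugin expressed.
data Policy = Policy { readRoots :: [FilePath], writeRoots :: [FilePath] }

allowed :: [FilePath] -> FilePath -> Bool
allowed roots p = any (`isPrefixOf` p) roots

-- An in-memory filesystem stands in for the real one so the example runs
-- offline; the policy check would be identical over real System.IO calls.
type Fs = M.Map FilePath String

runSandboxed :: Policy -> Fs -> Restricted a -> Either String (a, Fs)
runSandboxed _ fs (Done a) = Right (a, fs)
runSandboxed pol fs (ReadFile p k)
  | not (allowed (readRoots pol) p) = Left ("policy denied read of " ++ p)
  | otherwise = runSandboxed pol fs (k (M.findWithDefault "" p fs))
runSandboxed pol fs (WriteFile p s k)
  | not (allowed (writeRoots pol) p) = Left ("policy denied write to " ++ p)
  | otherwise = runSandboxed pol (M.insert p s fs) k

-- Two constructed plugins. Neither can call putStrLn or anything from
-- System.IO: that would be a type error, which is the static guarantee.
wellBehaved :: Restricted Int
wellBehaved = do
  cfg <- readFileR "/data/config.txt"
  writeFileR "/data/out.txt" (reverse cfg)
  return (length cfg)

-- Type-correct, yet it names a path outside the policy. The language cannot
-- see that; the runtime sandbox catches it when the effect is interpreted.
overreaching :: Restricted Int
overreaching = do
  s <- readFileR "/outside/secret.txt"
  return (length s)

main :: IO ()
main = do
  let policy = Policy ["/data/"] ["/data/"]
      fs0    = M.fromList [("/data/config.txt", "hello")]
  print (fmap fst (runSandboxed policy fs0 wellBehaved))
  print (fmap fst (runSandboxed policy fs0 overreaching))
```

Running it interprets the first plugin successfully and rejects the second with a policy denial. The two checks fail in different places: a plugin that tries to do IO directly never compiles, while a plugin that stays inside the effect vocabulary but reaches for the wrong object is stopped by the interpreter. Neither mechanism alone covers the other's case, which is the complementarity the message above describes.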