The closest thing I know of might be CreateRestrictedToken, AdjustTokenGroups, and AdjustTokenPrivileges, but those don't quite fit the bill. There's a bit more info on Pico processes at https://fourcore.io/blogs/how-a-windows-process-is-created-part-1 that you might find interesting.

I have only read this article and the comments section. And I'm not a systems programmer, so I know basically nothing about OSes. So, what I'm asking might be trivial or just nonsense...

1. You said that chrome doesn't use anything like this right now, and if such a thing existed it would allow someone to execute arbitrary code written as javascript or wasm in a safe way without doing any security checks. So, do you mean that one can actually try to make a system call like (acquire lock on camera) through javascript/wasm in chrome and it will only be stopped because there are security checks?

I have tried to read the code of the V8 engine with limited success. I have not seen anything that would be along the lines of checking for syscalls. All I saw was the language they have (Torque) implementing the ECMA spec in phrasing that is close to the spec itself, and then C++ implementations of the algorithms that support functions like `indexOf`, `replace` etc.

So, I was under the impression that it would actually be impossible to do something malicious inside JavaScript or Wasm itself because it doesn't have any privileges. The only system access is possible through the HTML5 APIs, which the person writing the arbitrary code has very little control over. Is this not true? Is it possible to try to inject a syscall through V8 that will only be stopped because V8 would do a security check on the source code?

2. How did you know where to look for determining that Chromium doesn't use anything like a process you are suggesting? I also tried to read the code of Chromium, but it's so huge I couldn't figure out where to even start. I guess if I had to look for it I could grep the whole project for something like a platform layer and look in those files. I think I saw at least one switch statement somewhere that looked like it was checking for macOS, Windows and Linux. Is that what you did?

A simple communication API would be to make the thread inside the sandbox terminate any time it tries to do an illegal instruction and have that be notified to the main thread (like a thread join).

Then the main thread can investigate the memory and perhaps see that a designated area for doing syscall communication has been filled out, execute the pseudo syscall and then restart the sandbox thread (possibly only allow restarting from specific entry points).

This then won't rely on platform-specific knowledge for inspecting the registers or syscall number and only 1 bit of assembly or intrinsic when doing the syscall. Adding the register inspection machinery can still be done, but that would only be useful for debugging, I believe.
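The trap-and-restart scheme sketched in this comment, as an added C example that is not part of the original thread. The faulting instruction is modelled by a `trap()` helper that simply ends the sandbox thread (an assumption standing in for a thread killed on SIGILL), and the request area, the opcode numbers and the supervisor's allow-list are all constructed for the example.

```c
#include <pthread.h>
#include <stdint.h>
#include <string.h>
/* Pseudo-syscall numbers; only OP_ADD is on the supervisor's allow-list (constructed example). */
enum { OP_NONE = 0, OP_ADD = 1, OP_OPEN_CAMERA = 2 };
/* The designated communication area: shared memory the supervisor inspects after each trap. */
static struct {
    int step;            /* entry point the sandbox resumes from after a restart */
    int op;              /* pending request, OP_NONE when nothing is queued */
    int64_t arg0, arg1;  /* request arguments */
    int64_t result;      /* filled in by the supervisor */
    int denied;          /* set by the supervisor when the request is refused */
    int done;            /* sandbox finished normally */
    int64_t final;       /* sandbox's final value, read back by run_sandbox() */
    int traps;           /* how many times the sandbox thread was terminated and restarted */
} area;
/* Stands in for the illegal instruction: the thread ends and the join notifies the supervisor. */
static void trap(void) { pthread_exit(NULL); }
/* Sandboxed code, written so every restart begins at the entry point recorded in area.step. */
static void *sandbox_entry(void *unused) {
    (void)unused;
    switch (area.step) {
    case 0: area.op = OP_ADD; area.arg0 = 20; area.arg1 = 22; area.step = 1; trap(); break;
    case 1: area.final = area.result;                 /* 42, produced by the supervisor */
            area.op = OP_OPEN_CAMERA; area.step = 2; trap(); break;
    case 2: if (area.denied) area.final += 1;         /* camera request was refused: 43 */
            area.done = 1; break;
    }
    return NULL;
}
/* Supervisor loop: start the sandbox, wait for it to trap, service the request, restart it. */
int64_t run_sandbox(void) {
    memset(&area, 0, sizeof area);
    while (!area.done) {
        pthread_t t;
        if (pthread_create(&t, NULL, sandbox_entry, NULL) != 0) return -1;
        pthread_join(t, NULL);            /* returns once the sandbox thread trapped or finished */
        if (area.done) break;
        area.traps++;
        if (area.step < 1 || area.step > 2) return -1;   /* only known entry points may be resumed */
        if (area.op == OP_ADD) { area.result = area.arg0 + area.arg1; area.denied = 0; }
        else                   { area.result = 0; area.denied = 1; } /* everything else is refused */
        area.op = OP_NONE;
    }
    return area.final;
}
int sandbox_trap_count(void) { return area.traps; }
```

The join gives the supervisor a happens-before edge, so the area can be read without extra locking; a real implementation would still validate every field of the request before acting on it, since the sandbox controls the whole area.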

The name "CreateUnprivilegedProcess" would be more descriptive. Then you could have "RequestPrivilege" and "RelinquishPrivilege" as other calls.