As the title says, I want to run untrusted code in a V8 isolate and I’m wondering if Elixir processes provide isolation similar to OS processes. One of the risks with V8 sandbox escapes is that they will have access to shared process memory. My understanding of Elixir processes is that they don’t share memory, so my assumption is that a sandbox escape would not have a similar blast radius? If I were to combine Elixir processes with seccomp filters, would I be fine?
Can you explain how you are planning to run this sandbox?
There is no isolation once you go outside of the application codebase/runtime; your only bet is to have the sandbox fully controlled by your application code, like luerl does.
I’ve built a Rust library that interfaces directly with V8. I only have a high-level idea of how this would work with Elixir at the moment, but my thought process is that the Rust library will use Rustler as the interface between Rust and Elixir, and the Rust code will spawn a separate thread that will contain the isolate, apply seccomp filters, etc.
Normally, the recommendation with V8 isolates is to run them in a separate OS process, because V8 isolates can be hacked and a sandbox escape can expose shared memory.
Rustler uses NIFs by default. All the NIFs are called from the schedulers, which usually run one per OS thread. There is no possible isolation, as Elixir processes are an application-level abstraction; the VM is a program written in C that executes code.
This can be done easily by making your Rust application a CLI and running it alongside your Elixir app. You can take a look at Port for examples.
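To make the Port suggestion concrete, here is an added Rust example of the worker side of that design; it is not code from this thread or from the asker's library. It assumes the Elixir side opens the worker with `{:packet, 4}` framing (a four-byte big-endian length prefix on every message in both directions), that `MAX_FRAME` is a limit the reader tunes to their workload, and that the closure passed to `serve` is where a request would be handed to the V8 isolate (here it only reverses the bytes so the binary runs stand-alone). The two checks a practitioner cares about are that a hostile peer cannot make the worker allocate an arbitrary amount of memory via the length prefix, and that EOF on stdin (the Elixir side closing or killing the port) makes the worker exit rather than spin. Because the isolate lives in this separate OS process, a sandbox escape reaches only this process's memory and whatever seccomp leaves callable, not the BEAM's heap.

```rust
use std::io::{self, Read, Write};

/// Upper bound on a single request payload. Assumed value: tune for your
/// workload. The peer controls the length prefix, so without this cap it
/// could force a 4 GiB allocation with a five-byte message.
pub const MAX_FRAME: usize = 1 << 20;

/// Read one `{packet, 4}` frame: 4-byte big-endian length, then the payload.
/// Returns Ok(None) on a clean EOF (no bytes at all), which is the signal that
/// the Elixir side closed the port and the worker should exit. A partial
/// header or a truncated body is reported as an error, not as EOF.
pub fn read_frame<R: Read>(r: &mut R) -> io::Result<Option<Vec<u8>>> {
    let mut hdr = [0u8; 4];
    if r.read(&mut hdr[..1])? == 0 {
        return Ok(None);
    }
    r.read_exact(&mut hdr[1..])?;
    let len = u32::from_be_bytes(hdr) as usize;
    if len > MAX_FRAME {
        return Err(io::Error::new(
            io::ErrorKind::InvalidData,
            format!("frame of {} bytes exceeds limit of {}", len, MAX_FRAME),
        ));
    }
    let mut buf = vec![0u8; len];
    r.read_exact(&mut buf)?;
    Ok(Some(buf))
}

/// Write one `{packet, 4}` frame and flush it so the Elixir side sees it
/// without waiting for the next one.
pub fn write_frame<W: Write>(w: &mut W, payload: &[u8]) -> io::Result<()> {
    let len = u32::try_from(payload.len()).map_err(|_| {
        io::Error::new(io::ErrorKind::InvalidData, "payload too large for 4-byte header")
    })?;
    w.write_all(&len.to_be_bytes())?;
    w.write_all(payload)?;
    w.flush()
}

/// Serve requests until EOF, returning how many were handled. `handle` is the
/// hook where the request would be evaluated inside the V8 isolate; any
/// seccomp filter should be installed by the caller before this loop starts.
pub fn serve<R, W, F>(r: &mut R, w: &mut W, mut handle: F) -> io::Result<usize>
where
    R: Read,
    W: Write,
    F: FnMut(&[u8]) -> Vec<u8>,
{
    let mut handled = 0;
    while let Some(req) = read_frame(r)? {
        let resp = handle(&req);
        write_frame(w, &resp)?;
        handled += 1;
    }
    Ok(handled)
}

fn main() -> io::Result<()> {
    // stdin/stdout are the Port. The handler here is a stand-in for the
    // isolate call: it just reverses the request bytes.
    let stdin = io::stdin();
    let stdout = io::stdout();
    let mut r = stdin.lock();
    let mut w = stdout.lock();
    serve(&mut r, &mut w, |req| req.iter().rev().copied().collect())?;
    Ok(())
}
```

On the Elixir side the matching open call is `Port.open({:spawn_executable, path}, [:binary, :exit_status, {:packet, 4}])`; `:exit_status` lets the owning process learn that the worker died (for example, after a sandbox escape tripped seccomp) and restart it, which is exactly the blast-radius boundary the thread is asking for.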
Got it, thanks for the help.