undefined | Better HN

0 pointsburfog6y ago0 comments

Put B,C,D on the other side of a privilege boundary.

Most obviously, they can go in the kernel. They can go in a separate process, using the Mach messaging that Apple so loves. There are other designs, as seen in Multics and VMS, with semi-privileged libraries. One could implement semi-privileged libraries on ARM by switching to a different page table when an attempt is made to run the library code.

For secured forms of code like WebAssembly and the JVM, simply validate at load time that there will not be calls to non-whitelisted library functions.

0 comments

1 comments · 1 top-level

scarface746y ago

There is always a performance penalty when switching between “rings”. Private methods are an “implementation detail” that shouldn’t be depended on.

Would you write a C++ program that called private functions using pointers? Would you write a C# program that called a private method using reflection? Should the dependency maintainer have the expectation of people calling private methods and not break your code?

Every suggestion you have leads to performance issues.

j / k navigate · click thread line to collapse