Rust for Web Programming? Or a Language with Sandbox Functionality?

Hello,

In other programming languages like Node.js it is very easy to use a sandbox to isolate the code and increase security. In Rust this doesn't seem to be so easy, does it?
For example, does Node.js (+ sandbox) thus provide more security than Rust in web development?

Do you mean in the context of WebAssembly? If so, that's always sandboxed.

You can run your Rust code in a Docker container with as few privileges as you like. I would argue that is better than what Node provides, unless you also run Node in a container.

@Cyborus
Thank you for the quick reply.
I don't mean WebAssembly, but:

  • Web server
  • Offline client software with a web GUI (Windows / Linux)
  • Handling of untrusted files and content (uploading and downloading files / resizing images / PDF parsing / email parsing)

@bes
I think this is a good approach only on the server side. For offline client software, I think Docker is not a solution.

You mention a sandbox in the title, but the uses you describe don't always need one. To make it clear, there are two kinds of security barriers:

  1. A sandbox shielding from untrusted code, or limiting the damage caused by a hacked application.
  2. Safety of handling untrusted data (e.g. parsing without creating vulnerabilities).

Rust's safety helps with case 2. With some care, and if you don't overuse unsafe, you could rely on Rust to be sufficient to safely parse data and handle untrusted inputs. Even small implementation errors typically cause non-exploitable panics, not buffer overflows.

For case 1, Rust has no sandbox. There is no isolation within the process. Everything within the program is assumed to be trusted and has maximum privileges.

If you're deploying your own software and want to add defense in depth for risky parts of the code, it's usually done externally, in a language-agnostic way, by isolating the whole process (e.g. Linux seccomp and containers). A more cautious option is to compile Rust to WASM+WASI and run it in a WASM emulator/VM (or the experimental middle ground of RLBox).

There's no safe option for running other people's untrusted Rust code, like you would run JavaScript in a browser. The closest is compiling to WASM, but be careful, because the compilation itself is unsafe — proc macros can execute arbitrary code during compilation, and the include_bytes! macro can be used to exfiltrate files from the host machine.

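As an added example (not code from the thread or from any poster), here is what case 2 looks like in practice. It parses an invented length-prefixed record format, repeated [u32 little-endian length][4-byte tag][payload], written twice: once carefully with get() and checked arithmetic, and once naively with direct indexing. Fed a constructed hostile record whose length field claims 4 GiB of payload, the careful version returns an Err and the naive version panics on Rust's bounds check; neither reads past the buffer. The format, the sample inputs and the function names are assumptions made for the demonstration.

```rust
// Added example, not from the thread: parsing an untrusted, length-prefixed
// byte format in safe Rust. The record layout is invented for this demo:
// repeated [u32 little-endian length][4-byte tag][payload].
use std::convert::{TryFrom, TryInto};
use std::panic;

const HEADER_LEN: usize = 8;

#[derive(Debug, PartialEq)]
pub struct Chunk {
    pub tag: [u8; 4],
    pub payload: Vec<u8>,
}

#[derive(Debug, PartialEq)]
pub enum ParseError {
    TruncatedHeader { offset: usize },
    LengthOverflow { offset: usize },
    PayloadExceedsInput { offset: usize, claimed: u32, available: usize },
}

/// Careful parser: every slice comes from `get`, and the untrusted length is
/// range-checked before use, so a hostile length field yields an `Err` rather
/// than an out-of-bounds read. No `unsafe` anywhere.
pub fn parse_chunks(input: &[u8]) -> Result<Vec<Chunk>, ParseError> {
    let mut chunks = Vec::new();
    let mut pos = 0usize;
    while pos < input.len() {
        let header = input
            .get(pos..pos + HEADER_LEN)
            .ok_or(ParseError::TruncatedHeader { offset: pos })?;
        let len = u32::from_le_bytes(header[..4].try_into().expect("4 bytes"));
        let tag: [u8; 4] = header[4..].try_into().expect("4 bytes");
        let payload_start = pos + HEADER_LEN;
        // u32 -> usize conversion and the addition are both checked.
        let payload_end = usize::try_from(len)
            .ok()
            .and_then(|l| payload_start.checked_add(l))
            .ok_or(ParseError::LengthOverflow { offset: pos })?;
        let payload = input.get(payload_start..payload_end).ok_or(
            ParseError::PayloadExceedsInput {
                offset: pos,
                claimed: len,
                available: input.len() - payload_start,
            },
        )?;
        chunks.push(Chunk { tag, payload: payload.to_vec() });
        pos = payload_end;
    }
    Ok(chunks)
}

/// The same logic written carelessly: it trusts the length field and indexes
/// directly. On hostile input Rust's bounds check turns the bug into a panic
/// instead of a read past the end of the buffer.
pub fn parse_chunks_naive(input: &[u8]) -> Vec<Chunk> {
    let mut chunks = Vec::new();
    let mut pos = 0usize;
    while pos < input.len() {
        let len = u32::from_le_bytes(input[pos..pos + 4].try_into().unwrap()) as usize;
        let tag: [u8; 4] = input[pos + 4..pos + 8].try_into().unwrap();
        let payload = input[pos + 8..pos + 8 + len].to_vec(); // panics when `len` lies
        chunks.push(Chunk { tag, payload });
        pos += 8 + len;
    }
    chunks
}

/// Runs the naive parser under `catch_unwind` to show that its failure mode
/// is a contained panic. Returns true when it panicked.
pub fn naive_parser_panics(input: &[u8]) -> bool {
    let owned = input.to_vec();
    panic::catch_unwind(move || parse_chunks_naive(&owned)).is_err()
}

/// Constructed well-formed input: a "TEXT" chunk carrying "hello", then an
/// empty chunk tagged "END\0".
pub fn good_input() -> Vec<u8> {
    let mut v = Vec::new();
    v.extend_from_slice(&5u32.to_le_bytes());
    v.extend_from_slice(b"TEXT");
    v.extend_from_slice(b"hello");
    v.extend_from_slice(&0u32.to_le_bytes());
    v.extend_from_slice(b"END\0");
    v
}

/// Constructed hostile input: the length field claims u32::MAX bytes of
/// payload, but only three bytes follow the header.
pub fn hostile_input() -> Vec<u8> {
    let mut v = Vec::new();
    v.extend_from_slice(&u32::MAX.to_le_bytes());
    v.extend_from_slice(b"TEXT");
    v.extend_from_slice(b"abc");
    v
}

fn main() {
    println!("careful, good input:    {:?}", parse_chunks(&good_input()));
    println!("careful, hostile input: {:?}", parse_chunks(&hostile_input()));
    println!(
        "naive parser panicked on hostile input: {}",
        naive_parser_panics(&hostile_input())
    );
}
```

The naive version is still a bug worth fixing (a panic is a denial of service for that request), but it is the kind of "non-exploitable panic" the post describes; the careful version is what to ship, with the Err surfaced to the caller.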
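A check a practitioner would want before building someone else's crate, added here as an example and not from the thread: a small audit that walks a source tree and flags the compile-time code-execution surfaces named above (a build.rs, proc-macro = true in a Cargo.toml, and include_bytes!/include_str! with absolute, traversing or computed paths). It is a text heuristic for triage, not a sandbox; the function names and the sample file contents are assumptions for the demonstration.

```rust
// Added example, not from the thread: a pre-build audit for the compile-time
// code-execution surfaces the post warns about. Heuristic text scan only.
use std::fs;
use std::path::Path;

#[derive(Debug, PartialEq)]
pub enum Finding {
    BuildScript(String),
    ProcMacroCrate(String),
    SuspiciousInclude { file: String, line: usize, arg: String },
}

/// Extracts the macro argument inside balanced parentheses, e.g. for
/// `include_bytes!("a.bin")` the text after the `!` yields `"a.bin"`.
fn macro_arg(after_bang: &str) -> Option<&str> {
    let s = after_bang.trim_start().strip_prefix('(')?;
    let mut depth = 1;
    for (i, c) in s.char_indices() {
        match c {
            '(' => depth += 1,
            ')' => {
                depth -= 1;
                if depth == 0 {
                    return Some(s[..i].trim());
                }
            }
            _ => {}
        }
    }
    None
}

/// A plain relative string literal is normal; absolute paths, `..` traversal,
/// Windows drive paths, and computed paths (concat!/env!) are flagged.
fn suspicious_include(arg: &str) -> bool {
    match arg.strip_prefix('"').and_then(|s| s.strip_suffix('"')) {
        Some(lit) => lit.starts_with('/') || lit.contains("..") || lit.contains(":\\"),
        None => true,
    }
}

/// Audits one file given its path (relative to the tree root) and contents.
pub fn audit_file(path: &str, contents: &str) -> Vec<Finding> {
    let mut findings = Vec::new();
    let name = path.rsplit(|c: char| c == '/' || c == '\\').next().unwrap_or(path);
    if name == "build.rs" {
        findings.push(Finding::BuildScript(path.to_string()));
    }
    if name == "Cargo.toml" {
        let is_proc_macro = contents.lines().any(|l| {
            let code = l.split('#').next().unwrap_or(""); // drop TOML comments
            code.split_whitespace().collect::<String>() == "proc-macro=true"
        });
        if is_proc_macro {
            findings.push(Finding::ProcMacroCrate(path.to_string()));
        }
    }
    if path.ends_with(".rs") {
        for (idx, line) in contents.lines().enumerate() {
            for mac in ["include_bytes!", "include_str!"] {
                if let Some(at) = line.find(mac) {
                    if let Some(arg) = macro_arg(&line[at + mac.len()..]) {
                        if suspicious_include(arg) {
                            findings.push(Finding::SuspiciousInclude {
                                file: path.to_string(),
                                line: idx + 1,
                                arg: arg.to_string(),
                            });
                        }
                    }
                }
            }
        }
    }
    findings
}

/// Walks a directory tree (e.g. a `cargo vendor` output) and audits each file.
pub fn audit_tree(root: &Path) -> Vec<Finding> {
    let mut out = Vec::new();
    if let Ok(entries) = fs::read_dir(root) {
        for entry in entries.flatten() {
            let p = entry.path();
            if p.is_dir() {
                out.extend(audit_tree(&p));
            } else if let Ok(text) = fs::read_to_string(&p) {
                out.extend(audit_file(&p.to_string_lossy(), &text));
            }
        }
    }
    out
}

fn main() {
    let root = std::env::args().nth(1).unwrap_or_else(|| ".".to_string());
    for finding in audit_tree(Path::new(&root)) {
        println!("{:?}", finding);
    }
}
```

Run it over a vendored copy of the dependencies before the first cargo build, and do that first build inside the same container or VM you would run the binary in: the audit only finds the patterns it knows about, while the container limits what a build script or proc macro can reach.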
