Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Document Compartment availability and OOM limitations #2742

Open
mhofman opened this issue Mar 17, 2025 · 0 comments
Open

Document Compartment availability and OOM limitations #2742

mhofman opened this issue Mar 17, 2025 · 0 comments
Labels
documentation Improvements or additions to documentation enhancement New feature or request

Comments

@mhofman
Copy link
Contributor

mhofman commented Mar 17, 2025

What is the Problem Being Solved?

Compartments enables sandboxing of code, but since all compartment code still runs in the same agent, it inherits some limitations that should be documented:

  • Code running in a compartment can deny availability to any other code executing in that agent, e.g. by going into an infinite loop.
  • Because the JS spec doesn't guarantee that OOM panics the agent, code exported by a compartment can be attacked by another compartment setting it up for OOM failures (either stack or heap). This can result in an integrity compromises instead of an availability one.

Description of the Design

Update Endo and SES documentation to make these limitations clear.

Security Considerations

Better documentation of security assumptions
@mhofman mhofman added documentation Improvements or additions to documentation enhancement New feature or request labels Mar 17, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
documentation Improvements or additions to documentation enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@mhofman