Alex is right, i promise you if it made sense to do seccomp-bpf like things for Windows we would have done it by now. Windows is a different beast entirely. Hyper-v/WDAG containers are the best way we currently have to abstract away attack kernel surface.https://twitter.com/aionescu/status/1092263015699730437 …
Things are recalculated all the time, just loading a DLL has to recalculate offsets and relocations. I think I don't understand the complaint, the developer writes a policy, everything else can be automated.
-
-
that sounds very dynamic for a sandbox; does it introduce overhead?
-
Not significantly, miniscule load time overhead and then miniscule syscall overhead. The alternative being pitched here is spinning up a HV container.... now that's overhead

- 4 more replies
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.