this post was submitted on 06 May 2026
29 points (93.9% liked)

Security

2077 readers
4 users here now

A community for discussion about cybersecurity, hacking, cybersecurity news, exploits, bounties etc.

Rules :

  1. All instance-wide rules apply.
  2. Keep it totally legal.
  3. Remember the human, be civil.
  4. Be helpful, don't be rude.

Icon base by Delapouite under CC BY 3.0 with modifications to add a gradient

founded 2 years ago
MODERATORS
Vacant@programming.dev
29
Your Container Is Not a Sandbox (emirb.github.io)
submitted 2 days ago by codeinabox@programming.dev to c/security@programming.dev
7 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[โ€“] moonpiedumplings@programming.dev 2 points 1 day ago (1 children)

Syd's architecture is similar to gvisor, mentioned in the article. It has similar tradeoffs, although I suspect it is more performant (can't find benchmarks) since it is written in rust, rather than go.

Gvisor has some significant performance hits: https://gvisor.dev/docs/architecture_guide/performance/ . microvm/cloud hypervisor/ other vm solutions, with kvm, are around a 95% performance.

[โ€“] Neptr@lemmy.blahaj.zone 1 points 1 day ago

The advantage of an application kernel is that it reduces the access a running application has to exploit the kernel. Sure, with a VM the guest runs its own kernel. But the KVM hypervisor is still in the host's kernelspace. Implementing syscalls in userspace while using a safer subset of the kernel's syscalls helps prevent certain attacks. The performance hit is real of course. But syd has different goals than gVisor because it prevents apps from running unless they are given the permissions to do so.