This project implements a generic, policy-agnostic sandboxing mechanism for Node.js. The system is inspired by the Hails project (hence the name), but turned out to be more general than the information flow control system implemented by Hails. The basic idea behind the project is to provide code with confined workers. A confined worker is a fresh context, similar to Node's vm, but implemented with slightly more paranoia: the worker can only communicate with the parent using message passing. Specifically, it can perform a synchronous upcall, or send an asynchronous message and respectively register message handlers. See Intermediate layer: confined workers.
On top of this very simple model we can expose libraries (to the worker) that are very similar to the standard node libraries, but can additionally be restricted by the parent (that created the worker). Below we show some examples on how to use the sandboxing system to enforce different kinds of policies.
more here.............https://github.com/deian/hails.js
On top of this very simple model we can expose libraries (to the worker) that are very similar to the standard node libraries, but can additionally be restricted by the parent (that created the worker). Below we show some examples on how to use the sandboxing system to enforce different kinds of policies.
more here.............https://github.com/deian/hails.js