Post B79cZ7tYidrZdVY9NA by david_chisnall@infosec.exchange
       2026-06-09T10:36:18Z
       
       
       One of the things that was drummed into my head repeatedly working with the late Ross Anderson was that most security problems are usability problems.  It doesn't matter how secure your cryptosystem is if people send unencrypted messages because they can't understand how to do key exchange.  It doesn't matter how secure and fine-grained your sandboxing is if it has a user-prompted privilege elevation mechanism and users are trained to just hit 'approve' every time a dialog pops up.

       This is why #CHERIoT focused so heavily on building a usable programmer model from the start.  Compartments communicate with other compartments by calling functions.  Compartments share objects by passing pointers to them.  Compartments have a mechanism to expose type-safe opaque types and that's surfaced directly in the source languages.  There is no look-aside policy that you have to read to know whether a compartment exercises some right: it's all explicit in the source code.

       WebAssembly makes it easy to do the same kind of isolation, but not the sharing.  A C pointer in WebAssembly is a 32-bit offset into a memory.  If you want an object that's shared between two WebAssembly sandboxes, that's a totally different kind of pointer.  Early CHERI work tried this and we gave up because the cognitive load and porting effort of having two kinds of pointer was too painful.  #cheri