Hacker News new | past | comments | ask | show | jobs | submit login

That is not ignored, the article includes a simple architecture diagram that explains the standard solution to problems like this. In the diagram, you can see that there is a privileged process (labeled parent) and a sandboxed process (labeled child). The sandboxed process inherits a readonly handle to the file to scan and a handle to a pipe to communicate the scan result to the parent.

If the sandboxed process is compromised, all you can do is read a file that you already had access to (because it's your exploit), and lie about the scan result. That is not terribly exciting.

As the parent process doesn't do very much other than setup handles and read simple results from the sandboxed process, it is significantly harder to compromise.

This is the same model that browsers use. Your browser needs access to all your files to manage Downloads and so on, but all the dangerous stuff happens in the sandboxed renderer process. It is not "easier to hide from it", because the process that intercepts i/o still runs at the same privilege.

I was wrong. Thanks for your clear explanation, taviso.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact