Payload generation can be a challenge, so the team was musing on what payload generation could look like if we wanted to limit "shelling out" (i.e., "selling out") as much as possible. @terrorbyte previously went so far as to use WASM to generate entire VMs that were embeddable into Go at one point, which was "no good and very evil," in his words.
Some ideas Cale thought about as paths forward:
- Support direct calling out to compiling, but make it some sort of serializable format so that we can call out to containers/VMs for arbitrary execution with something that understands how to generate payloads.
- Directly patching the Go standard library to expose the compiler functions and directly compile Go payloads from inside of the framework (likely requires us maintaining a patchset or fork of Go stdlib, which is suboptimal).
- Build our own sandboxing with landlock and friends and create escape hatches for platforms or systems without it.
- Investigate the WASM VM path.
Not urgent, but good topic for long-term discussion!