Why not object capability languages?
Published on: 2025-07-15 18:57:07
Forks in the road
Here are some problems you’ll have to solve in order to sandbox libraries:
What is your threat model? How do you stop components tampering with each other's memory? Do you inter-twingle your plan with other unrelated requirements, like cross-language interop? How much of humanity's existing codebase can you reuse, if any?
Let’s start with the threat model, or stated more plainly, what exact problem are you trying to solve? Sandbox designers often disagree on how far they need to go. Do you care about resource exhaustion or DoS attacks? For example, is it OK if a library can call exit(0) and tear down your process, or deliberately segfault it? Do you care about Spectre attacks? Maybe!
Every time you make your threat model stronger, the system becomes harder to work with. The right thing to do here is deeply unclear.
Regardless of what model you choose, libraries expect to share memory with the code that uses them. An object capability system therefore can’t just be dropped