The Core Sandbox
There are inherent risks in loading unknown and potentially malicious code into a process. By doing so you give up much of the protection the operating system provides between processes: individual virtual address spaces, memory protection, segregated flow of execution and copy-on-write access to shared code. For these reasons an application's sensitive information should never reside within the window server, and information such as passwords or other input that must pass through the window server should be obfuscated while in transit and purged as soon as it has been handed on.

Although these operating system protections are given up in exchange for speed, extensibility and a shared OpenGL context, they are not out of reach. Using existing operating system tools and features, protective sandboxes can be built in which client code runs, providing robust protection for both the server modules themselves and the window server against damage or intrusion, whether accidental or malicious. These sandboxes restrict what code in server modules can do, but remain flexible enough to allow any kind of programming a user interface requires. The protective features are outlined below in terms of the kinds of attacks and damage they are meant to defend against. Some of these protections are already implemented in Vision; as further potential security holes are discovered, more countermeasures will no doubt be deployed.
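The advice above to purge passwords as soon as they have passed through the server has one well known pitfall: a plain memset() just before a buffer is freed or goes out of scope is a dead store, and an optimising compiler may remove it, leaving the secret in memory. The following is an added example, not code from Vision; the names secure_wipe, is_wiped, relay_secret and the "hunter2" input are all constructed for illustration. It shows a wipe that survives optimisation, a check that the wipe actually happened, and a model of one password relay where the purge follows the hand-off immediately.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration, not Vision code. Hypothetical helpers showing how a
 * server module can purge a password it relayed as soon as the hand-off is
 * done, so the secret does not linger in the shared window-server process. */

/* A memset() right before a buffer dies is a dead store that the optimiser
 * is free to delete. Calling memset through a volatile function pointer
 * keeps the store: the compiler cannot prove what the pointer holds. */
static void *(*volatile secure_memset_fn)(void *, int, size_t) = memset;

void secure_wipe(void *buf, size_t len)
{
    if (buf != NULL && len > 0)
        secure_memset_fn(buf, 0, len);
}

/* Returns 1 if every byte of buf is zero, 0 otherwise. The OR-accumulate
 * form does not exit early, so timing does not reveal where the first
 * non-zero byte sits. */
int is_wiped(const unsigned char *buf, size_t len)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++)
        acc |= buf[i];
    return acc == 0;
}

/* Models one password entry passing through the server: keystrokes are
 * staged in a heap buffer, handed to the client that owns the input field
 * via `deliver` (may be NULL), then purged before the buffer is released.
 * Returns 1 if the purge verified clean, 0 on allocation failure. */
int relay_secret(const char *keystrokes,
                 void (*deliver)(const unsigned char *, size_t))
{
    size_t n = strlen(keystrokes);
    unsigned char *buf = malloc(n + 1);
    if (buf == NULL)
        return 0;
    memcpy(buf, keystrokes, n + 1);

    if (deliver != NULL)
        deliver(buf, n);

    secure_wipe(buf, n + 1);            /* purge immediately after hand-off */
    int clean = is_wiped(buf, n + 1);   /* verify before the memory is reused */
    free(buf);
    return clean;
}

/* Stand-in for the owning client: records only the length it received
 * (constructed for the demo; a real client would consume the bytes). */
static size_t delivered_len;
static void record_delivery(const unsigned char *secret, size_t len)
{
    (void)secret;
    delivered_len = len;
}

/* Runs the relay with a constructed password and reports the delivered
 * length, so callers can confirm delivery happened before the purge. */
size_t demo_relay(void)
{
    delivered_len = 0;
    if (!relay_secret("hunter2", record_delivery))   /* constructed input */
        return 0;
    return delivered_len;
}

int main(void)
{
    return demo_relay() == 7 ? 0 : 1;
}
```

The volatile function pointer is a portable way to defeat dead-store elimination; where available, explicit_bzero() (BSD, glibc) or memset_s() (C11 Annex K) does the same job. The check in is_wiped is worth keeping in debug builds of a server module: it catches the case where a refactor moves the wipe after a return path and the secret is left behind.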