Towards Fine-grained, Automated Application Compartmentalization.

The rise of language-specific, third-party packages simplifies application development. However, relying on untrusted code poses a threat to security and reliability. In this work, we propose exploiting module boundaries --and the general trend towards more and smaller modules --to achieve fine-grained compartmentalization. Automated transformations can hide compartment boundaries and minimize developer effort. Optional policy expressions can decouple security assumptions at development time from requirements during composition and runtime. Using JavaScript's flourishing ecosystem, we discuss a wide range of risks and sketch how the use of language-level solutions coupled systemic mechanisms can protect against them.