ozgrakkurt 6 hours ago

Really informative writing thank you.

How secure does this make a binary? For example, would you be able to run untrusted binary code inside a browser using a method like this?

Then can websites just use C++ instead of JavaScript, for example?

lmz 5 hours ago | parent [-]

They already can use C++ if they want to. Emscripten? JSLinux?

ozgrakkurt 4 hours ago | parent [-]

I mean just distributing the regular compiled x86_64 binary and then running it as a normal executable on the client side, but using that syscall shim so it is safe.

direwolf20 3 hours ago | parent [-]

If you think about the fundamentals involved here, what you actually need is for the OS to refuse to implement any syscalls, and not share an address space.

A process is already a hermetically sealed sandbox. Running untrusted code in a process is safe. But then the kernel comes along and pokes holes in your sandbox without your permission.

On Linux you should be able to turn off the holes by using seccomp.
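As an added, runnable illustration of the approach sketched in the comment above (this is editor-added example code, not something posted by anyone in the thread), the program below uses a seccomp-bpf filter to leave a process only read, write, exit, exit_group and rt_sigreturn; every other syscall fails with EPERM before it reaches the kernel. It forks a child, installs the filter there, and has the child attempt getpid(), which is deliberately not on the allow-list, as a constructed probe. The function and enum names (run_untrusted_probe, install_syscall_filter, sandbox_result) are the example's own. It assumes Linux on x86_64 or aarch64 with seccomp available to unprivileged processes.

```c
// Editor-added example, not from the thread: lock a process down to a
// handful of syscalls with seccomp-bpf, then probe that the rest are gone.
// Assumes Linux (x86_64 or aarch64) with seccomp available.
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#if defined(__x86_64__)
#define SANDBOX_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SANDBOX_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

#ifndef SECCOMP_RET_KILL_PROCESS          /* older kernel headers */
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif

enum sandbox_result {
    SANDBOX_BLOCKED = 0,     /* filter installed, forbidden syscall refused */
    SANDBOX_LEAKED = 1,      /* filter installed, but the syscall still succeeded */
    SANDBOX_UNAVAILABLE = 2, /* kernel or container refused to install the filter */
    SANDBOX_ERROR = 3,       /* fork/wait failed or the child died unexpectedly */
};

/* Allow only read, write, exit, exit_group and rt_sigreturn (so signal
 * delivery does not kill the process). Everything else returns EPERM.
 * Returns 0 on success, -1 if the filter could not be installed. */
static int install_syscall_filter(void)
{
    struct sock_filter filter[] = {
        /* Syscall numbers differ per ABI, so refuse any other arch outright. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SANDBOX_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        /* Load the syscall number and walk the allow-list. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_read, 4, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_write, 3, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_exit, 2, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_exit_group, 1, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_rt_sigreturn, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        /* Default verdict: fail the call with EPERM. SECCOMP_RET_KILL_PROCESS
         * would terminate the process instead; ERRNO keeps the probe observable. */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
        .filter = filter,
    };

    /* Mandatory for unprivileged callers; also stops setuid/fscaps escalation. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        return -1;
    return 0;
}

/* Fork, confine the child, and have it try getpid(), which is not on the
 * allow-list. The child's exit status carries the verdict back to the parent. */
enum sandbox_result run_untrusted_probe(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return SANDBOX_ERROR;

    if (pid == 0) {
        if (install_syscall_filter() != 0)
            _exit(SANDBOX_UNAVAILABLE);
        /* From here on only the allow-listed syscalls reach the kernel. */
        errno = 0;
        long r = syscall(SYS_getpid);
        if (r == -1 && errno == EPERM)
            _exit(SANDBOX_BLOCKED);
        _exit(SANDBOX_LEAKED);
    }

    int status = 0;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return SANDBOX_ERROR;
    return (enum sandbox_result)WEXITSTATUS(status);
}

int main(void)
{
    static const char *const names[] = { "blocked", "leaked", "unavailable", "error" };
    enum sandbox_result r = run_untrusted_probe();
    printf("getpid() inside the seccomp sandbox: %s\n", names[r]);
    return r == SANDBOX_BLOCKED ? 0 : 1;
}
```

Two caveats a practitioner would add: a real loader would install the filter after the untrusted code is mapped but before jumping to it, and the allow-list above is the whole point, since anything left in it (say, open or mmap) is a hole the untrusted code can use. seccomp only covers the syscall boundary; the "don't share an address space" half of the argument is what the separate process provides.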