I am getting worried about the security of canisters running on non-system subnets, that hold large amounts of monetary value.
I’m not sure enough security precautions have been taken to feel confident that canisters running alongside possibly malicious canisters will be safe.
I did not realize that each canister was running within the same process on each replica within a subnet, at least that seems to be the case.
Perhaps a prerequisite to this project moving forward is process sandboxing, so that even if malicious canisters break out of the Wasm environment, they’ll be stopped by the process boundary.
See here for more information: Enable Canisters to Hold ICP - #30 by lastmjs