Four go wild for wasm: Corporate quartet come together to build safe WebAssembly sandbox

Chipzilla, Mozilla, Fastly, and IBM's red-hatted stepchild plot browser-breakout

On Tuesday Fastly, Intel, Mozilla, and Red Hat teamed up to form the Bytecode Alliance, an industry group intent on making WebAssembly work more consistently and securely outside of web browsers.

WebAssembly is a form of low-level bytecode that can be created by passing code in higher-level languages, like C/C++ and Rust, through a compiler. It's been described as an assembly language for a conceptual machine rather than a physical one. That means it can be run on various processor architectures and operating systems. It's a bit like Java, but for a structured stack machine rather than the JVM's fully-general stack machine.

Wasm, as WebAssembly is known to its friends, is faster than JavaScript – about 20x by one measure – and has other advantages in terms of security, portability, size, and load-time efficiency. It's been implemented in at least four major browsers – Chrome, Edge, Firefox, and Safari – and now Bytecode Alliance members aim to help it move beyond the browser.

Many of the use-cases for wasm involve in-browser applications, such as running games or other performance-sensitive tasks. But wasm also has potential outside the browser, for content distribution, server-side handling of untrusted code, hybrid native apps on mobile devices, and multi-node computation.

The Bytecode Alliance thus is backing open source projects like Wasmtime and WebAssembly Micro Runtime so that wasm code can be embedded in servers, IoT devices, and cloud applications.

The group's initial focus is on shoring up the security of the current developer ecosystem, where those creating applications rely on libraries of uncertain provenance.

"As an industry, we’re putting our users at risk more and more every day," said Lin Clark, staff engineer at Mozilla, in a blog post. "We’re building massively modular applications, where 80 per cent of the code base comes from package registries like npm, PyPI, and crates.io."

Package registries allow developers to upload code modules that others can download and include in their applications so they don't have to implement functions that have already been done by someone else. Package registries save software developers a tremendous amount of time but they come with a risk: Downloaded modules, or other people's libraries that come along for the ride as dependencies, may not be secure.

In the past few years, miscreants have had some success exploiting the misplaced assumption that software fetched from public registries can be trusted. Recent examples include a Ruby software package called rest-client that leaked credentials, and another called strong_password v0.0.7 that was hijacked. And the npm Registry has seen problems with various modules including the purescript-installer, electron-native-notify and event-stream.

Clark points to a research paper from earlier this year that found up to 40 per cent of npm packages rely on code with at least one publicly reported vulnerability.

The various code module registries have stepped up their security measures, but the Bytecode Alliance contends it can use wasm sandboxing to contain untrusted code, effectively limiting the potential for malicious modules to do much damage.

Clark maintains WebAssembly allows an architecture that uses many small processes isolated from one another, but without the weight of microservices.

"In technical terms, we’re planning to use a fine grained form of per-module virtualization," she explains.

An embedded wasm module could thus be configured to allow certain API interactions while blocking access to the filesystem or network. Or it could allow calculations based on data in a database without allowing that data to be read over the network.
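
The per-module restriction described above can be seen with the standard JavaScript `WebAssembly` API acting as the host. This is an added example, not code from the article or from the Bytecode Alliance; the module bytes are hand-assembled for the demonstration, and the names `host.read_balance`, `host.net_send` and `run` are hypothetical.

```javascript
// Hand-assembled module (constructed for this example): it imports one host
// function (i32) -> i32 and exports run(x), which just calls that import.
function buildModule(importModule, importField) {
  const name = (s) => [s.length, ...new TextEncoder().encode(s)];
  const section = (id, body) => [id, body.length, ...body];
  return new WebAssembly.Module(new Uint8Array([
    0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,           // "\0asm", version 1
    ...section(1, [0x01, 0x60, 0x01, 0x7f, 0x01, 0x7f]),      // type 0: (i32) -> i32
    ...section(2, [0x01, ...name(importModule), ...name(importField), 0x00, 0x00]),
    ...section(3, [0x01, 0x00]),                              // one local function, type 0
    ...section(7, [0x01, ...name("run"), 0x00, 0x01]),        // export func 1 as "run"
    ...section(10, [0x01, 0x06, 0x00, 0x20, 0x00, 0x10, 0x00, 0x0b]), // local.get 0; call 0; end
  ]));
}

// The embedder's policy: the only capability handed to guest code.
const records = { 7: 1200, 8: 350 }; // constructed sample data
const granted = { host: { read_balance: (id) => records[id] ?? 0 } };

function runSandboxed(module, arg) {
  try {
    const instance = new WebAssembly.Instance(module, granted);
    return { ok: true, value: instance.exports.run(arg), exports: Object.keys(instance.exports) };
  } catch (err) {
    // An import the host did not grant fails at link time, before any guest code runs.
    return { ok: false, linkError: err instanceof WebAssembly.LinkError };
  }
}

function demo() {
  return {
    allowed: runSandboxed(buildModule("host", "read_balance"), 7),
    denied: runSandboxed(buildModule("host", "net_send"), 7),
  };
}

console.log(demo());
```

The guest that asks only for the database read runs and returns a value; the guest that asks for a network function is rejected when the host tries to instantiate it, because a wasm module has no way to reach anything the host did not pass in as an import.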

That's the theory. Getting this to work may require buy-in from other industry players and significant development effort. Without Apple, Google, and Microsoft on board yet, it's difficult to guess whether wasm will soar or sink for lack of support. But perhaps it's worth a try given the sorry state of current security practices. ®
