The Bytecode Alliance: Building a secure, composable future for WebAssembly

407 points by markdog12, over 5 years ago

29 comments

JoshTriplett, over 5 years ago
I'm one of the folks working with the Alliance, and I'm incredibly excited about WebAssembly outside the browser. Happy to answer questions.

Imagine extensions for applications or databases, written in any language you want, with no ability to exfiltrate data. Imagine supporting a safe plugin API that isn't just for C and languages that FFI to C, but works natively with safe datatypes.

Today, if you want to be extensible, you typically expose a C API for people to link to, or you embed a specific language like Lua or Python. Imagine embedding a WebAssembly runtime like wasmtime, and telling people they can write their extensions in any language they want.

vanderZwan, over 5 years ago
I was talking with a colleague today who mentioned that he had looked at WASM for a particular use-case (file-verification IIRC) and had concluded that for now the overhead of copying memory made it run worse than well-written JavaScript. It is also my experience that the overhead of memory copying can really put a damper on performance improvements.

Now, I get that sharing memory is a huge safety issue - it kind of inherently breaks the sandbox, but when I see the "nanoprocesses" bit in the article I worry about death by a thousand paper cuts (lots of tiny WASM modules spending more time copying data than processing it). Are there ways/plans to minimize memory copies that don't conflict with the safety concerns?

azakai, over 5 years ago
In my opinion this is a fascinating approach, and it may end up transforming our industry.

But the main question I've had is how big the overhead is, specifically since modules don't share their wasm Memory. That means data will be constantly copied between them. Compared to regular static or even dynamic linking, that may be a noticeable slowdown.

Ajedi32, over 5 years ago
This is great. I've been waiting for a module-level permissions system for a while now; it definitely seems like the best approach to mitigate supply chain attacks.

Hopefully once WASM has demonstrated the principle other languages will follow. This seems like it'd be especially useful in the JS ecosystem, where many modules are already small enough that they'd likely be able to run with no permissions at all.

nabla9, over 5 years ago
JVM was supposed to be this. Gosling said publicly that JVM is more important than Java.

Many things went wrong. Microsoft was actively sabotaging JVM. They implemented a very fast JVM for Explorer and their operating system that intentionally broke the JVM 1.1 standard. See Sun vs Microsoft 1997. Microsoft lost and paid damages. .NET was created to do more damage.

devwastaken, over 5 years ago
There should not be a 'browser wasm' and a 'non browser' wasm.

The wasm committee made many mistakes by treating it as an idea on paper, and not writing the actual implementing software.

This has resulted in significant fragmenting of implementation, each less trustworthy than the last.

If any software is going to advertise safety, it must prove it. That's done through the feedback cycle and careful development. The only ones that have this are in browsers.

Yet browsers have their own dubious implementation, integrated with their JavaScript environment.

Unless wasm decides on a set of standard runtimes that become trustworthy there will not be a wasm outside the browser.

For example, when I search for python, I get python. There's still other pythons, but there's *the* python. This is true of all other software used. Wasm is failing to do that.

sparker72678, over 5 years ago
Super cynical, I realize, but whenever I see the description “secure by default” for something computer related, and they don’t mean, “we unplugged it,” I assume what they really mean is, “we made the code so complex we can’t find the problems.”

bestouff, over 5 years ago
Don't take it bad, but it looks like the java launch a (long) while ago. What makes wasm better than java?

pasttense01, over 5 years ago
And a key point: "Our founding members are Mozilla, Fastly, Intel, and Red Hat"

Where are Google, Microsoft and the other big names you would expect?

syrusakbary, over 5 years ago
First of all, congrats on forming the alliance!

> Imagine extensions for applications or databases, written in any language you want, with no ability to exfiltrate data

That's what we are working towards on Wasmer, the server side WebAssembly runtime - https://github.com/wasmerio/wasmer

In fact, we already have a lot of different language integrations (maintained by us and the community) and our software is the pioneer in the space.

Is there any reason why you think it is a good idea to do a side-alliance instead of collaborating with us and the community so users and developers can be the ultimate beneficiaries? (it's good, it just seems it is not an alliance made for the users, which is a bit weird from my perspective)

AaronFriel, over 5 years ago
Does this mean we'll also have a mechanism like pledge(2) to assert that the root nanoprocess or any privileged brokers only needs access to certain APIs, and permanently close them?

¹ - https://man.openbsd.org/pledge.2

gatestone, over 5 years ago
This is getting complicated. OS process management, threads and lightweight processes, green field process control, virtual machines, containers, sandboxing in n browsers with m different technologies, now this WASM stuff..and orchestrating this all across the cloud and the global internet, ending in homes and corporate machine rooms.

Everywhere you have to think: who can load/run a module/process and from where, how to authenticate and authorize, which API to give to it, etc...

A historical note:

Bell Labs Plan 9 had a universal OS level solution, that Linux has somewhat adopted, but could not make general enough, partly due to the higher level ecosystem being stuck to old ways:

- per process name spaces with mountable/inheritable/stackable union directories and optionally shareable memory (Linux light-weight process, LWP, comes close, it was also historically copied from Plan 9)

- Almost all APIs (even "system calls") as synthetic file systems (Where do you think /proc came from?)

- which you could mount and access (efficiently) locally or through a secure unified network protocol (9P)

On Plan 9 you could just run different parts of the browser (JavaScript engine, WASM or anything) in a tailored limited LWP with limited mounts as synthetic file system APIs...

Note that Docker kind of retro-fits Plan 9 ideas in Linux kernel to embrace and extend the original ideas of Plan 9...

Animats, over 5 years ago
The primary use case for WebAssembly is malware.[1] We're probably going to regret letting WebAssembly into the browser. Because vendors won't let it be locked down so much that it can't be used for ads and tracking. Which means it has to allow malware.

[1] https://www.tu-braunschweig.de/Medien-DB/ias/pubs/2019-dimva.pdf

rkeene2, over 5 years ago
One of my next projects is to create a Tcl package for webassembly that will let other extension authors compile their packages targeting WebAssembly and be able to use those compiled binaries on any platform.

maxk42, over 5 years ago
Real worried when I see phrases like "secure by default" that this will involve some sort of security certificate or formal verification process which a government or other malicious actor can use as a weapon against its enemies.

Is the security limited to sandboxing of the code itself or is there some sort of verification process involved?

Hitton, over 5 years ago
> So how can you protect your users against these threats in today’s software ecosystem?

> You could subscribe to a monitoring service that alerts you when a vulnerability is found one of your dependencies. But this only works for those that have been found. *And even once a vulnerability has been found, there’s a good chance the maintainer won’t be able to fix it quickly. For example, Snyk found in the npm ecosystem that for the top 6 packages, the median time-to-fix (measured starting at the vulnerability’s inclusion) was 2.5 years.*

Sometimes it looks like writers think that the average reader is a complete idiot. How is that supposed to be an example? First they say that it takes a long time to fix once the bug is found and as illustration they give a period starting with the introduction of the vulnerability?

giancarlostoro, over 5 years ago
I saw a comment about this on HN before, forgot who it was by. But it was interesting, someone mentioned the spec for WebAssembly is generic enough to apply outside of the web. I'm suspecting we'll see languages converting on node.js a la web assembly for back-end logic in your preferred language, but in any runtime this includes NodeJS but also excludes it as we see future runtimes. What's your view on this? Also, aside from WebAssembly being in every modern browser what do you think will be the next killer feature for WebAssembly?

It would also be interesting to have an embedded WebAssembly plugin runtime, much like Lua is used all over now that you mention all those examples.

muricula, over 5 years ago
How can I learn more about how nanoprocesses and the wasmtime sandbox work under the hood? Searching the repo on github for common keywords doesn't turn up much. Are nanoprocesses like Windows picoprocesses somehow, or are multiple "processes" running in the same address space? If so, you can probably exfiltrate data between nanoprocesses with spectre. Additionally, if you get RCE in the wasm JIT (this happens all the time in javascript JITs), there's nothing to stop you from ropping to gadgets to open your own sockets without going through any in-process checks.

seph-reed, over 5 years ago
Been working with web tech since 2000... something about WASM rubs me the wrong way, at least for use in the web. It's probably the lack of human readable source code (I'm not a big fan of minified code for the same reason).

If it wasn't so impossible to work with W3C, I think it would probably make more sense for the web to work towards something like more strict, compilable typescript. Then sites could download the source, compile, and cache.

cm2187, over 5 years ago
Stupid question from a non specialist. I see Intel in the list of parties. Does that mean hardware acceleration for wasm?

stefan_, over 5 years ago
This is historically the kind of thing that people think is very cool and important, but has turned out to not matter at all. "Languages matter" must be the biggest enduring fallacy of computer programming. It has an obvious corollary in believing processor architectures are important.

gwbas1c, over 5 years ago
Wait... I thought the CLR was supposed to do this? Or was it the JVM?

What's old is new again!

rb808, over 5 years ago
Can you use wasm instead of regular js/html? I'm thinking for rich GUIs it would be great, even just for company internal sites. I can't find any good examples though.

jeltz, over 5 years ago
One pretty annoying thing with WASM is that it is pretty hard to generate due to requiring a structured control flow so anyone generating it must implement relooper och stackifier. Is there any work on solving this issue?

http://troubles.md/posts/why-do-we-need-the-relooper-algorithm-again/

xvilka, over 5 years ago
Radare2[1] supports WebAssembly disassembling if anyone is curious about compiled code analysis.

[1] https://github.com/radareorg/radare2

Narishma, over 5 years ago
Are those drawings supposed to be clickable? When I do so, it just opens and immediately closes a new tab or window. Firefox 70 on Windows if it makes a difference.

pjmlp, over 5 years ago
WebAssembly keeps trying to be the next UNCOL, it seems.

lone_haxx0r, over 5 years ago
What's the main difference between this and the Java Virtual Machine?

FpUser, over 5 years ago
Not in a mood of diving deep into technical details but forgive me for being skeptical. This "secure by design" execution mantra makes me somewhat sick after hearing it so many times over the decades.