Stream: git-wasmtime

Topic: wasmtime / Issue #871 Documentation for sandboxing mechanism


view this post on Zulip Wasmtime GitHub notifications bot (Mar 21 2020 at 04:08):

sunfishcode commented on Issue #871:

Hello! I recently started adding some content to the security-sandboxing document, and it answers this question, at least at a high level.

All "pointers" in C are compiled into wasm as indices into linear memory, which you can think of as just an array of bytes, with bounds checking. So while your vulnerable C code may store beyond the ends of the nominal array, it can't access any memory outside the wasm instance's memory.

Also, all control transfers in wasm are checked, at compile time or runtime, to ensure they go to known branch/jump destinations. Among other things, this means that even if you load a machine-code payload, you can't make the program jump to it.

Does this clarify things? If not, please let us know as we're interested in expanding the documentation to answer questions people have!

view this post on Zulip Wasmtime GitHub notifications bot (Mar 06 2021 at 11:45):

bluescreen303 commented on Issue #871:

better late than never :)

Yes, that document clarifies things a lot. Many thanks!

view this post on Zulip Wasmtime GitHub notifications bot (Mar 06 2021 at 11:45):

bluescreen303 closed Issue #871:

I noticed the documentation for how the sandbox works is just a stub currently. I would really like to know more about it, so this issue is just to track progress.

One thing I would really like to get clarified is how the sandbox (and possibly the just-in-time compilation of wasm to machine code) will protect against the following scenario:

My guess is that either the overflowing wouldn't work (how is this protected given that c is compilable into wasm), or there is no way to get the overflowed malicious code to execute (how would wasmtime protect against this?), but I would like some nice documentation explaining this.


Last updated: Dec 23 2024 at 13:07 UTC