On Tuesday Fastly, Intel, Mozilla, and Red Hat teamed up to form the Bytecode Alliance, an industry group intent on making WebAssembly work more consistently and securely outside of web browsers.
WebAssembly is a form of low-level bytecode that can be created by passing code in higher-level languages, like C/C++ and Rust, through a compiler. It's been described as an assembly language for a conceptual machine rather than a physical one. That means it can be run on various processor architectures and operating systems. It's a bit like Java, but for a structured stack machine rather than the JVM's fully-general stack machine.
Many of the use-cases for wasm involve in-browser applications, such as running games or other performance-sensitive tasks. But wasm also has potential outside the browser, for content distribution, server-side handling of untrusted code, hybrid native apps on mobile devices, and multi-node computation.
The group's initial focus is on shoring up the security of the current developer ecosystem, where those creating applications rely on libraries of uncertain provenance.
"As an industry, we’re putting our users at risk more and more every day," said Lin Clark, staff engineer at Mozilla, in a blog post. "We’re building massively modular applications, where 80 per cent of the code base comes from package registries like npm, Pypy, and crates.io."
Package registries allow developers to upload code modules that others can download and include in their applications so they don't have to implement functions that have already been done by someone else. Package registries save software developers a tremendous amount of time but they come with a risk: Downloaded modules, or other people's libraries that come along for the ride as dependencies, may not be secure.
In the past few years, miscreants have had some success exploiting the misplaced assumption that software fetched from public registries can be trusted. Recent examples include a Ruby software package called
rest-client that leaked credentials, and another called
strong_password v0.0.7 that was hijacked. And the npm Registry has seen problems with various modules including the
Clark points to a research paper from earlier this year that found up to 40 per cent of npm packages rely on code with at least one publicly reported vulnerability.
Mozilla tries to do Java as it should have been – with a WASI spec for all devices, computers, operating systemsREAD MORE
The various code module registries have stepped up their security measures but the Bytecode Alliance contends it can use wasm sandboxing contain untrusted code, effectively limiting the potential for malicious modules to do much damage.
Clark maintains WebAssembly allows an architecture that uses many small processes isolated from one another, but without the weight of microservices.
"In technical terms, we’re planning to use a fine grained form of per-module virtualization," she explains.
An embedded wasm module could thus be configured to allow certain API interactions while blocking access to the filesystem or network. Or it could allow calculations based on data in a database without allowing that data to be read over the network.
That's the theory. Getting this to work may require buy-in from other industry players and significant development effort. Without Apple, Google, and Microsoft on board yet, it's difficult to guess whether wasm will soar or sink for lack of support. But perhaps it's worth a try given the sorry state of current security practices. ®