On Tuesday Fastly, Intel, Mozilla, and Red Hat teamed up to form the Bytecode Alliance, an industry group intent on making WebAssembly work more consistently and securely outside of web browsers.
WebAssembly is a form of low-level bytecode that can be created by passing code in higher-level languages, like C/C++ and Rust, through a compiler. It's been described as an assembly language for a conceptual machine rather than a physical one. That means it can be run on various processor architectures and operating systems. It's a bit like Java, but for a structured stack machine rather than the JVM's fully-general stack machine.
Many of the use-cases for wasm involve in-browser applications, such as running games or other performance-sensitive tasks. But wasm also has potential outside the browser, for content distribution, server-side handling of untrusted code, hybrid native apps on mobile devices, and multi-node computation.
The Bytecode Alliance thus is backing open source projects like Wasmtime and WebAssembly Micro Runtime so that wasm code can be embedded in servers, IoT devices, and cloud applications.
The group's initial focus is on shoring up the security of the current developer ecosystem, where those creating applications rely on libraries of uncertain provenance.
"As an industry, we're putting our users at risk more and more every day," said Lin Clark, staff engineer at Mozilla, in a blog post. "We're building massively modular applications, where 80 per cent of the code base comes from package registries like npm, Pypy, and crates.io."
Package registries allow developers to upload code modules that others can download and include in their applications so they don't have to implement functions that have already been done by someone else. Package registries save software developers a tremendous amount of time but they come with a risk: Downloaded modules, or other people's libraries that come along for the ride as dependencies, may not be secure.
In the past few years, miscreants have had some success exploiting the misplaced assumption that software fetched from public registries can be trusted. Recent examples include a Ruby software package called rest-client that leaked credentials, and another called strong_password v0.0.7 that was hijacked. And the npm Registry has seen problems with various modules including the purescript-installer, electron-native-notify and event-stream.
Clark points to a research paper from earlier this year that found up to 40 per cent of npm packages rely on code with at least one publicly reported vulnerability.
The various code module registries have stepped up their security measures but the Bytecode Alliance contends it can use wasm sandboxing contain untrusted code, effectively limiting the potential for malicious modules to do much damage.
Clark maintains WebAssembly allows an architecture that uses many small processes isolated from one another, but without the weight of microservices.
"In technical terms, we're planning to use a fine grained form of per-module virtualization," she explains.
An embedded wasm module could thus be configured to allow certain API interactions while blocking access to the filesystem or network. Or it could allow calculations based on data in a database without allowing that data to be read over the network.
That's the theory. Getting this to work may require buy-in from other industry players and significant development effort. Without Apple, Google, and Microsoft on board yet, it's difficult to guess whether wasm will soar or sink for lack of support. But perhaps it's worth a try given the sorry state of current security practices. ®
Users will be able to 'override ... restrictions' on phones and other kit, says engineering team
You're unlikely to hear someone inflicting their iOS Spotify playlist on the bus today
No support 'in any capacity' for PHP for Windows for v8 and beyond, but Windows users not to worry, says release manager
The aritst formerly known as Advanced Computer Software Group confirms redundancies
Hope for web success, but plan for every possible (and impossible) failure
Deep upset at what is perceived as broken commitments
CEO reckons team 'navigated a very challenging environment'