Intra-process Fault Isolation Using WebAssembly / Felisolering inom process med hjälp av WebAssembly

Mårtensson Tolentino, Kevin

January 2024

Software Fault Isolation (SFI) is a form of software sandboxing that refers to the technique of isolating faults such as failures and vulnerabilities to a specific area in a software system. Together with other software sandboxing techniques, SFI remains a widely used practice in many types of software, ranging from web browsers to cloud infrastructure. Therefore, there are often different requirements on throughput, latency, and resource usage that have to be met. To this end, we have evaluated the usage of WebAssembly, a virtual instruction set architecture which has a design that makes it a suitable compilation target for enforcing SFI. Our findings show that WebAssembly compared to native x86-64 code performs favorably on memory-intensive workloads, but poorly on numerically intensive workloads. However, its main strength was found to be in communication between the host environment and the sandboxed environment. We found that communication across the sandbox boundary using WebAssembly-based sandboxing was up to several orders of magnitude faster than inter-process communication methods commonly used in process-based sandboxing. Additionally, we discuss the security model of WebAssembly and how it compares to other sandboxing methods.

fault isolation

WebAssembly

intra-process

software sandboxing

Computer Sciences

Datavetenskap (datalogi)