by willsinclair 2945 days ago
> Normally, this would be super dangerous, but WebAssembly is designed to run safely on remote computers, so it can be securely sandboxed without losing performance.

This seems a like a pretty strong claim. I hope that it's true, but I'm not going to be running WASM modules in ring 0 any time soon.


It's relative. Ring 3 / the hardware isn't guaranteed to be free of vulnerabilities either.

What probably has the most bearing on the securability of a platform is its simplicity, which is on WebAssembly's side.

Agreed. I highly advise against this. What I heard when I read this headline was 'WebAssembly has no vulnerabilities so we can run remote WebAssembly code in ring 0 without worry'. Almost everything has some kind of vulnerability; it is simply a matter of the time necessary to find it. The more analyzed and tested a piece of software is, the more time it will take to find the next vulnerability (Barnhill's Law).
The protection ring 3 offers is greatly reduced by current operating systems. Processes usually can do everything the user could do via the file system.
WASM is a stack machine, which does not add to security. You sense that no real VM specialist, nor anyone in the field of security, put a hand to its design.

When I first read the specs, it screamed "VM design 101" to me. It feels like someone's master's thesis more than a piece of production software. Just as the original Netscape JavaScript 1.0 was.

It will have its fair share of "typeof null" style bugs to come.

Why is a stack machine bad for security? The JVM also had sandboxed execution as a goal and also uses a stack machine. But perhaps the stack machine was chosen because it tends to produce smaller binaries (which is important for things you send over the net) and not for security reasons?
> But perhaps the stack machine was chosen because it tends to produce smaller binaries (which is important for things you send over the net) and not for security reasons?

Who knows what was in their heads, but stack-level attacks are as easy to exploit as unsafe type casting in anything that amounts to a stack pointer.

My guess as to why they chose to do it that way is simply that there is more literature available for mid-tier coders in the style of "VMs for dummies", and they wanted to always have the option of not doing extensive research on every small matter and just copying the JVM's behaviour.

The stack in a stack-based VM does not refer to the real stack that contains return pointers that can be manipulated. You don't have access to that from WebAssembly.

The security problems of Java are not related to it being a stack-based VM at all. The problems are that the API lets applets do things they shouldn't be able to, and arbitrary code execution during serialisation.
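The point made in the last two replies (the VM's operand stack is a typed abstraction, not the native call stack that holds return addresses) is easiest to see in code. The following is an added example, not code from the thread or from any WebAssembly implementation: a toy stack-machine validator and interpreter in the style of WebAssembly's validation pass. The opcode names, the `Func` record and the sample functions are all constructed for the example and are not the real WebAssembly binary format. Validation abstractly interprets the body and tracks only operand types, so stack underflow, type confusion and any opcode outside the instruction set are rejected before anything runs; at run time the operands live in a plain list that the interpreter's control flow never consults.

```python
from dataclasses import dataclass, field

I32, I64 = "i32", "i64"          # the only value types in this toy machine
WIDTH = {I32: 0xFFFFFFFF, I64: 0xFFFFFFFFFFFFFFFF}


@dataclass
class Func:
    """A function in the toy module format (constructed shape, not the wasm binary)."""
    params: list
    results: list
    locals_: list = field(default_factory=list)
    body: list = field(default_factory=list)   # list of (opcode, *immediates) tuples


class ValidationError(Exception):
    pass


def validate(func: Func) -> list:
    """Abstractly interpret the body, tracking operand *types* only.

    Every opcode has a fixed stack signature, so the stack height and the type of
    every slot are known at each program point before a single instruction runs.
    Returns the final stack types, or raises ValidationError."""
    local_types = func.params + func.locals_
    stack = []

    def pop(expected):
        if not stack:
            raise ValidationError("operand stack underflow")
        got = stack.pop()
        if got != expected:
            raise ValidationError(f"type mismatch: expected {expected}, got {got}")

    def local(idx):
        if idx >= len(local_types):
            raise ValidationError(f"local index {idx} out of range")
        return local_types[idx]

    for pc, (op, *imm) in enumerate(func.body):
        if op == "i32.const":
            stack.append(I32)
        elif op == "i64.const":
            stack.append(I64)
        elif op in ("i32.add", "i64.add"):
            t = op[:3]
            pop(t); pop(t); stack.append(t)
        elif op == "local.get":
            stack.append(local(imm[0]))
        elif op == "local.set":
            pop(local(imm[0]))
        else:
            # No opcode reads or writes the interpreter's own call stack, so
            # anything outside the instruction set is rejected right here.
            raise ValidationError(f"unknown opcode {op!r} at {pc}")

    if stack != func.results:
        raise ValidationError(f"function leaves {stack} on the stack, expected {func.results}")
    return stack


def check(func: Func) -> str:
    """Validation outcome as a string, convenient for reporting or asserting on."""
    try:
        validate(func)
        return "ok"
    except ValidationError as e:
        return f"rejected: {e}"


def execute(func: Func, *args):
    """Run a function, but only after it validates. Operand values live in a
    plain Python list; which instruction runs next never depends on them."""
    validate(func)
    locals_ = list(args) + [0] * len(func.locals_)
    stack = []
    for op, *imm in func.body:
        if op in ("i32.const", "i64.const"):
            stack.append(imm[0] & WIDTH[op[:3]])
        elif op in ("i32.add", "i64.add"):
            y, x = stack.pop(), stack.pop()
            stack.append((x + y) & WIDTH[op[:3]])   # wraps; cannot spill into anything
        elif op == "local.get":
            stack.append(locals_[imm[0]])
        elif op == "local.set":
            locals_[imm[0]] = stack.pop()
    return stack


# Constructed sample functions for the example (not from the thread).
ADD = Func(params=[I32, I32], results=[I32],
           body=[("local.get", 0), ("local.get", 1), ("i32.add",)])
MISMATCH = Func(params=[], results=[I32],
                body=[("i64.const", 1), ("i32.const", 2), ("i32.add",)])
UNDERFLOW = Func(params=[], results=[I32], body=[("i32.add",)])
FOREIGN_OP = Func(params=[], results=[], body=[("native.call", 0)])

if __name__ == "__main__":
    for name, f in [("ADD", ADD), ("MISMATCH", MISMATCH),
                    ("UNDERFLOW", UNDERFLOW), ("FOREIGN_OP", FOREIGN_OP)]:
        print(f"{name}: {check(f)}")
    print("ADD(0xFFFFFFFF, 1) =", execute(ADD, 0xFFFFFFFF, 1))
```

The design choice worth noticing is that `validate` runs to completion before `execute` touches any value: the three rejected samples never reach the interpreter, and the one that does can only ever push and pop fixed-width integers on a list that has no relation to where the interpreter returns to. Whether a real engine's JIT or bounds checks are bug-free is a separate question, which is the earlier reply's point about relative security.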