by nickmooney 2631 days ago
I'm not sure I agree. If you can affect the state of the runtime in ways that are not intended to be possible by the WASM API, this breaks sandboxing requirements. Even if you can't break out of the current process (due to isolation provided by the kernel), you can still cause arbitrary code execution within the process.
2 comments

> you can still cause arbitrary code execution within the process

You start with the ability to do arbitrary code execution, you don't have to find an exploit to do that. And since your WASM code is the only thing in the process, what is an exploit going to let you do that you couldn't already do anyway?

I nominate this thread for the Worst of HN. Reminds me of work.

You seem to be confused. Arbitrary code execution is just the ability to run code. It is a security attack when a user that wasn't supposed to be able to run code can now run code. But WASM and JS runtimes would be literally useless if you didn't start with the ability to run arbitrary code. Their sole purpose is to run code. You feed them code, they run it. You were supposed to have the ability to run code, therefore arbitrary code execution is not an exploit here.

Maybe you're confusing it with privilege escalation, though? Or a sandbox escape? But FYI those aren't the same thing. At all.

Alternatively, if the worst you've seen on HN is one person seemingly confusing arbitrary code execution with privilege escalation, you must not be on HN very much.

Your rhetorical behavior is why I should leave HN. Trite, condescending, arrogant.

WASM was originally designed for the sandbox, but it doesn't mean that all its practical applications have to be sandboxed.

Wasm (not an acronym) assumes a sandbox; if an execution environment doesn't provide a sandbox, it needs to clearly call that out.

This one clearly needs work in validating the Wasm sent to it.

Isn't it a combination of the first letter of Web and the common abbreviation for assembly language, ASM?

They're correct - it's an abbreviation (of Web assembly), but it's not an acronym, so "Wasm" is the proper casing.