[CyberRabbi]

Running untrusted code in a wasm vm doesn’t add any extra defense over just using seccomp. It just adds unnecessary overhead and increases attack surface.

[alquemist]

Assuming that Intel / ARM microarch implementations are bug free, that is correct. In the real world there are no bug free implementations.

Edit. This is the strategy Chrome sandboxing uses: a hardened runtime (JS/WASM) inside a seccomp enclosure. https://chromium.googlesource.com/chromiumos/docs/+/master/s...

[CyberRabbi]

Running code in a wasm vm doesn’t magically prevent user code from exploiting uarch bugs. Lucet specifically does not mitigate spectre variant 2.

[feanaro]

seccomp escapes are a thing and if you're inside a restrictive environment such as WASM, it is harder to achieve it.

[CyberRabbi]

I think you’re referring to seccomp-bpf. seccomp has never been escaped and it is unlikely such a bug could happen due its simplicity. If you do not know the difference between seccomp and seccomp-bpf, please check references: https://en.wikipedia.org/wiki/Seccomp

[tuwtuwtuwtuw]

Unlikely? Sounds like you think it could happen.

[CyberRabbi]

Nothing is 100%. It’s effectively impossible.

[bobthebuilders]

This disproves your point. How many "effectively impossible" exploits have come out recently?

[CyberRabbi]

The semantic gymnastics here are pretty interesting. It’s about as secure / impossible to penetrate as anyone could reasonably guarantee in the face of future uncertainty. If you don’t understand why, please check references on how seccomp works: https://en.Wikipedia.org/wiki/Seccomp