Hacker News new | ask | show | jobs
by simonw 5 days ago
I'm unreasonably excited about WASI. WASI is the thing which takes WebAssembly from a tool for running stuff in a browser to a tool that can run entire portable sandboxed applications on a computer - with controlled filesystem and network access.

I don't ever want to run untrusted code from the internet outside of a sandbox ever again. If WASI lives up to its full potential I won't have to - we'll have a robust, cross-platform sandboxing solution for running real applications.
8 comments
Panzerschrek 5 days ago
> I don't ever want to run untrusted code from the internet outside of a sandbox ever again

WASM is great, but I think it's a wrong approach for sandboxing problem. It's technically possible to sandbox native applications (compiled into target machine code) using OS-builtin mechanisms, but it's not done for compatibility reasons, because this is the way things were done last 50 years or so.

link
tancop 5 days ago
sandboxing native apps just gives you security. with wasm you also get a single portable binary that can run on x86 windows, arm64 linux and in your browser with zero modification. you dont need to write platform specific code or use third party frameworks.
link
Panzerschrek 5 days ago
> you dont need to write platform specific code

You don't need to write platform-specific code if you use some cross-platform framework. For simple programs it may be enough to use only the standard library of your language of choice.

> single portable binary that can run on x86 windows, arm64 linux and in your browser with zero modification

It has little value. Compiling a separate binary for each OS isn't that hard, since only a handful of architectures and operating systems are actually in use. Using an abstract cross-platform binary (like WASM) in the other hand adds extra performance costs and other user-side overhead, which isn't strictly necessary.

link
pjmlp 5 days ago
No you don't, because WASM is only compute, and you need exactly runtime specific code and third party frameworks for everything else as imported functions.
link
hmry 5 days ago
That's what WASI is for
link
pjmlp 5 days ago
And like CORBA, or POSIX, the portability does not work 100% as being sold.
link
rvz 5 days ago
Exactly. It is entirely a misconception to believe that WASM is this silver bullet on sandboxing and it is not that great security-wise I’m afraid.

It is only now being inspected by researchers and attackers who have found sandbox escapes [0] (chrome 0day), out-of-bounds [1] / use-after-free [2] and many other [3] flaws [4] in WebAssembly which I also agree that it is not enough for sandboxing at all.

[0] https://nvd.nist.gov/vuln/detail/CVE-2026-11645

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=2009901

[2] https://bugzilla.mozilla.org/show_bug.cgi?id=2013741

[3] https://www.miggo.io/vulnerability-database/cve/CVE-2026-269...

[4] https://github.com/bytecodealliance/wasm-micro-runtime/secur...

link
dns_snek 5 days ago
There's no reason to believe that [0] has anything to do with WASM, [1] and [2] are runtime implementation bugs, [3] is a vulnerability in a "weak" sandboxing library VM2 - it has nothing to do with WASM as such, and [4] is another implementation bug in an experimental WASI feature of that specific runtime which is gated behind a build flag.

------

[Re: 3] https://github.com/patriksimek/vm2

> vm2 attempts to sandbox untrusted JavaScript code within the same Node.js process as your application. It does this through a complex network of Proxies that intercept and mediate every interaction between the sandbox and the host environment.

> JavaScript is an extraordinarily dynamic language. Objects can be accessed through prototype chains, constructors can be reached via error objects, symbols provide protocol hooks, and async execution creates timing windows. The sheer number of ways to traverse from one object to another in JavaScript makes building an airtight in-process sandbox extremely difficult.

[Re: 4] https://github.com/search?q=repo%3Abytecodealliance%2Fwasm-m...

link
hobofan 5 days ago
Those are not flaws in WASM itself, but in different WASM runtimes.
link
GoblinSlayer 5 days ago
Might as well run java or flash.
link
DonHopkins 5 days ago
But WASM is "lawnmower not included"!
link
DanielHB 5 days ago
Use cases I am more excited about:

1) Replace webhooks in web apps with wasm binaries provided by the customer, but that run in the web app servers.

2) Safer plugin system for professional software (plugins for photoshop, plugins for IDEs, etc)

3) Safer mod system for games and server-side mods that run on the game-maker server.

link
bzzzt 5 days ago
We had that in the 90's with Java. Why would this approach succeed today?
link
simonw 5 days ago
Why wouldn't it? It's a different technology stack, developed with the benefit of decades of additional experience running hostile code on the web.
link
pjmlp 5 days ago
You mean like the CLR?

Kind of strange that such experience still allows for WASM to be the target of C and C++ compilers, and there is no bounds checking support inside linear memory regions.

link
DanielHB 4 days ago
WASM sandbox is miles better than the JVM

WASI is a standard on where to poke holes on the sandbox for your specific use-case

WASM+WASI as a compilation target allows any program written for modern operating systems to work on any WASM runtime

link
dtj1123 5 days ago
Because Java is a language, not a compilation target?
link
ptx 5 days ago
From the introduction section of the Java specification [1]:

"The Java Virtual Machine is the cornerstone of the Java platform. It is the component of the technology responsible for its hardware- and operating system-independence, the small size of its compiled code, and its ability to protect users from malicious programs."

[1] https://docs.oracle.com/javase/specs/jvms/se26/html/jvms-1.h...

link
dtj1123 4 days ago
From the same link, opening sentence:

"The Java® programming language is a general-purpose, concurrent, object-oriented language."

Edit: Having thought a little, I appreciate that it's possible to compile for the JVM from source code which is not Java, which makes the JVM a compilation target. As far as I'm aware the JVM doesn't have first class support for this though, It's been tacked on as an afterthought. Compiling C to JVM bytecode for example doesn't appear to be an enjoyable process. WASM on the other hand was designed explicity to function as a compilation target for arbitrary languages.

Maybe I'm missing something, happy to be proven wrong.

link
ptx 4 days ago
There are (or have been) lots of languages using the JVM as a compilation target, whether it is well-suited for this or not. Wikipedia has a partial list: https://en.wikipedia.org/wiki/List_of_JVM_languages
link
crabmusket 5 days ago
Check out https://extism.org, it is built for those kinds of use cases. However I think WASI and components could enhance it.
link
DanielHB 5 days ago
sorry I meant "most excited about", WASI and components should be useful for the usecases I mentioned too.

For example a SaaS services that accepts WASM plugins could provide a WASI that lets the plugin write to a object-store filesystem (like AWS S3) provided by the SaaS owner.

link
tuananh 5 days ago
i had this same vision when i created hyper-mcp with modular plugin system via WASM plugins. Too bad, the community moves on from MCP to CLI with coding agent

https://github.com/hyper-mcp-rs/hyper-mcp

link
yjftsjthsd-h 5 days ago
Hey, this is also my interest. I was just looking into whether it was possible to e.g. build an archive extractor that runs like a normal program but does the actual extraction completely in wasm. Unfortunately, AFAICT it's possible but requires custom code; you can't (yet, I hope) just compile unzip/libarchive/whatever with CC=wasicompiler and get a sandboxed binary. But we're getting close.
link
nl 5 days ago
What do you mean? You absolutely can run compression in WASM.

For example here is Gzip in WASM: https://github.com/ColinTimBarndt/wasm-gzip

link
fc417fc802 5 days ago
You should be able to do exactly that though? Why do you think you can't?

You will of course need to include a lot of support code to provide the relevant syscalls and otherwise emulate the environment that the code expects. But there are plenty of examples of that at this point.

link
yjftsjthsd-h 4 days ago
Yeah, it's all that support code that I don't want to write. I want to (roughly) just

  tar -xf unzip.tar.gz && cd unzip
  ./configure CC=wasmcc
  make
  wasmruntime unzip.wasm testfile.zip
link
wyager 5 days ago
I'm curious if people have a good story for why WASI will succeed where Java failed
link
simonw 5 days ago
My main one is that WASI has benefitted from an additional 31 years of accumulated industry-wide experience compared to when Java was first released.
link
DonHopkins 5 days ago
Plus, Larry Ellison doesn't own WASM: "Lawnmower Not Included"!
link
pjmlp 5 days ago
So where has the experience gone in the support of C and C++ for WASM?
link
Panzerschrek 5 days ago
Programs written in Java require installation of a middleware called Java runtime. It adds extra friction for end-users. And even if one has Java runtime installed, a newer version may be necessary for a recently-published application.

With WASM it may be the same, unless al major OS vendors integrate a WASM runtime so that it doesn't need to be installed separately.

link
pjmlp 5 days ago
It is exactly the same for WASM outside of the browser, and Java has Android as counter part to built in runtime.
link
auggierose 5 days ago
Yes, but inside the browser is a freaking big use case.
link
pjmlp 5 days ago
Not really, I don't need COM / CORBA on the browser.
link
auggierose 3 days ago
Good for you! In other words, you don't write compute heavy applications for the browser?

I never used COM or CORBA, by the way, just too freaking ugly.

link
afiori 5 days ago
Java's vm does not start in milliseconds nor has dozen independent implementations in every ecosystem
link
pjmlp 5 days ago
Folks tend to think only Oracle does Java, and the only place to get it is from https://www.java.com.

Maybe they should broaden their horizons.

https://en.wikipedia.org/wiki/List_of_Java_virtual_machines

And some like PTC or microEJ are missing from the list.

link
tpm 5 days ago
> It adds extra friction for end-users

It doesn't have to, the program can bundle its own jre as its often the case, and then you also don't have to worry about jre compatibility. Downside is then you have many jres installed and of course you can't trust their sandboxing.

link
GoblinSlayer 4 days ago
>And even if one has Java runtime installed, a newer version may be necessary for a recently-published application.

WASM doesn't remove version churn, the linked article literally discusses a newer version. Oh and the wonderful web compat story.

link
bzzzt 5 days ago
> Programs written in Java require installation of a middleware called Java runtime. It's possible to link or embed a Java runtime in an existing application.
link
afiori 5 days ago
Because Java was doing nothing similar, a better comparison would be .NET CLR that actually tried to be a decent compilation target.

Also security, Java has reflection so you cannot reliably sandbox java libraries

link
fla 5 days ago
My main one is: distribution & access. If major browsers implement the WASI runtime then using and distributing a WASI app will be way simpler than the Java equivalent ever was.
link
grayrest 5 days ago
The thing that interests me the most is that execution is deterministic. If the inputs to a WASM module are logged you get durable execution and rr style reverse debugging as part of the package.
link
sideeffffect 4 days ago
If you're interested in this, then you should check out https://github.com/golemcloud/golem

Golem is a durable workflow platform and can run any wasm.

link
samiv 5 days ago
Sorry but how exactly does the sandboxing help? You download and run an app that you expect to be useful and that you need. The app needs permission to access your data. If you want to use the application what choice do you have except to grant it access?

Point being you wouldn't run untrusted code in the first place and for "trusted code" you end up accepting it's access requirements anyway.

So logically I'd think that the malware would just get piggy bagged into actual non-obvious utility apps and nothing is gained.

Second problem is that the security model hoops make for terrible APIs and user experiences. Just look at the current filesystem browser APIs. It must be mentally challenging to design APIs to Be usable and the nerf them for security purposes to make them "not too usable".

Finally one must note that at least right now the webasm ecosystem is rather immature and the de-facto only tool (emscripten) is an amateur hour hobby project. So it's going to take some decades still before the tooling is really getting there.

link
eviks 5 days ago
> The app needs permission to access your data. If you want to use the application what choice do you have except to grant it access?

But it doesn't need network access to be useful, so it doesn't have that permission and can't exfiltrate your data?

link
pjmlp 5 days ago
https://learn.microsoft.com/en-us/windows/security/applicati...
link
eviks 5 days ago
In general, what's three point of a link to a sandbox in a conversation about the benefits of sanboxingm

But specifically, this sandbox also kills all interop with your system, other apps/utilities, so way too disruptive for the purpose of isolating just from the network.

link
pjmlp 4 days ago
Just like any WebAssembly runtime, without imports of external functions, the code can only warm CPUs.
link
eviks 4 days ago
So? Will they not have imports of external functions?
link
emadda 5 days ago
I like the technical design of WASM, but I feel that better OS sandboxes for regular native code will be the common approach to running untrusted code.

As soon as you compile to WASM you no longer have the C FFI and the ability to call the OS systems interfaces for files, network and others.

It is extra work to move something to WASM vs just compiling it and running it in a sandbox.

link
pistoriusp 5 days ago
Why not just run a vm?
link
AndrewDucker 5 days ago
Far more overhead.
link
ptx 5 days ago
In particular (as I just learned when looking it up), WASM can dynamically allocate host memory with the memory.grow instruction, so you don't have to waste a huge chunk of statically allocated memory per VM: https://developer.mozilla.org/en-US/docs/WebAssembly/Referen...

Although... it doesn't say anything about releasing memory back to the host (I don't see a memory.shrink instruction) so maybe it's not all that helpful? Will WASM applications continue hogging the maximum amount of memory they've ever used until they're restarted?

A VM could release memory back to the host using memory ballooning, but this has to be managed manually somehow, at least with QEMU.

link