
Update Security.md with details on capabilities

Status: Open · jfbastien opened this issue 8 years ago · 1 comment

POLL: WebAssembly instances must never be able to cause effects other than by wielding explicitly granted access (e.g. the importObject in a JS embedding).

| SA | A | N | F | SF |
|----|---|---|---|----|
| 0  | 0 | 6 | 9 | 7  |

Action item: Mark to clarify what this poll is getting at, add it to the design repo's "security.md" document, etc.

jfbastien · Nov 03 '17 20:11

Interesting discussion at https://groups.google.com/d/msg/e-lang/3A6zYWF6u5E/_41J3xYCAQAJ clarified the issue.

By "effects" above we mean input, output, mutating state outside the instance, or reading mutable state outside the instance. This is closely related to the criteria that should be used to distinguish user-mode instructions from other actions, as stated at

Popek and Goldberg, "Formal Requirements for Virtualizable Third Generation Architectures": https://www.princeton.edu/~rblee/ELE572Papers/Fall04Readings/secureOS/popek_virtualizable.pdf

We do not currently include resource use or non-determinism, even though OSes can control these aspects of user-mode computation. Note that blockchain uses of wasm (Dfinity, ewasm, EOS, Polkadot, Parity) do restrict resource use and non-determinism, so perhaps we would revisit; but that would be a separate proposal.

erights · Nov 13 '17 02:11
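The capability boundary described in the poll and in the comment above (effects only through what the embedder explicitly grants), shown as an added example that is not code from this issue or from the WebAssembly design repo. The module bytes are hand-assembled for this example: it imports one host function `env.log(i32)` and exports `run(i32) -> i32`, which calls `env.log` with its argument and returns the argument unchanged; the names `env`, `log` and `run` are assumptions of the example.

```javascript
// Hand-assembled wasm binary (constructed for this example), section by section:
//   type: (param i32) and (param i32) (result i32)
//   import: "env" "log" as function type 0
//   function: one defined function of type 1
//   export: "run" -> function index 1 (index 0 is the import)
//   code: local.get 0; call 0; local.get 0; end
const MODULE_BYTES = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,                         // magic + version
  0x01, 0x0a, 0x02, 0x60, 0x01, 0x7f, 0x00, 0x60, 0x01, 0x7f, 0x01, 0x7f, // type section
  0x02, 0x0b, 0x01, 0x03, 0x65, 0x6e, 0x76, 0x03, 0x6c, 0x6f, 0x67, 0x00, 0x00, // import section
  0x03, 0x02, 0x01, 0x01,                                                 // function section
  0x07, 0x07, 0x01, 0x03, 0x72, 0x75, 0x6e, 0x00, 0x01,                   // export section
  0x0a, 0x0a, 0x01, 0x08, 0x00, 0x20, 0x00, 0x10, 0x00, 0x20, 0x00, 0x0b, // code section
]);

// Compiling is side-effect free: nothing in the module can run until it is instantiated.
const wasmModule = new WebAssembly.Module(MODULE_BYTES);

// The embedder can enumerate every capability the module asks for before granting any.
function requestedImports() {
  return WebAssembly.Module.imports(wasmModule).map(i => `${i.module}.${i.name}:${i.kind}`);
}

// Grant the real capability: the effect (here, appending to a host-owned array) happens.
function runWithGrantedLog(value) {
  const seen = [];
  const instance = new WebAssembly.Instance(wasmModule, { env: { log: v => { seen.push(v); } } });
  return { result: instance.exports.run(value), seen };
}

// Withhold the capability: linking fails and the code never executes, so no effect is possible.
function runWithoutLog() {
  try {
    new WebAssembly.Instance(wasmModule, { env: {} });
    return { instantiated: true, linkError: false };
  } catch (e) {
    return { instantiated: false, linkError: e instanceof WebAssembly.LinkError };
  }
}

// Grant an inert stand-in: the module runs to completion but the host observes no effect.
function runWithStubLog(value) {
  const instance = new WebAssembly.Instance(wasmModule, { env: { log: () => {} } });
  return instance.exports.run(value);
}
```

The same module is used in all three cases; only the importObject changes, which is the whole point of the poll statement.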