@raggi yeah or wazero's interpreter, if I can satisfy myself that it's not going near unsafe or JIT type things. And even if it comes to jit, I know _how_ to wire things up to feel okay about it, I just also can't shake the feeling that I should have an easier time of getting something running slowly without being this worried.
Ah well, so it goes. And better to have these tools available than not, I suppose.
-
@danderson yeah, it’s a fair question to ask at the bytecode alliance, I’m guessing their answer will be to use wamr and suck up the c
-
@raggi I suspect part of the answer will also be "a lot of clever people and tools have banged on these JITs and declared them solid, here's some receipts". In other niches of computing, I know peoples' reputations enough to make a judgement call based on who else wrote the thing/trusts the thing in prod. I lack the connections in the wasm world to be able to take those shortcuts.
-
@danderson so many names have missed for me, these days I measure more by looking at likely time investments: are there big fuzzing suites, do they contain caught regressions, are there arch docs, is there a 3p review summary, is there a governance and review process, etc
-
@raggi Yeah definitely looking for that too. When I look at people it's not so much looking for the lone genius, and more are the people thinking of all the above and more. Same for cryptography, what I want is exhaustive test vectors, timing analysis, fuzzing, correctness proofs and so on. I also have a shortlist of individuals where if I know they're involved, the technical measures are likely to exist, or to have documented reasons why not yet, or why they can't, or...
-
@danderson looks like there was a critical last year: https://groups.google.com/a/bytecodealliance.org/g/sec-announce/c/Mov-ItrNJsQ
-
@raggi I started the exploration at wazero, which focuses a lot on the "getting started" type experience and not on the security questions, which is what sparked my worry. In contrast, wasmtime's homepage still puts "secure" second after "fast", which gives me Feelings, but "secure" is number two and is also three times more words and outbound links to receipts. Had I started exploring at wasmtime, I'd have felt significantly better about wasm jit, I think.
-
@danderson https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-ff4p-7xrq-q5r8 is an interesting read, seems there could be/should be/maybe is a set of best practices somewhere for a hardened runtime configuration for big core systems
-
@raggi hah, well, that's awkward contrasted to my concurrent reply that wasmtime projects a safer feeling
This is certainly the sort of bug I have in mind when I worry about JITs. I wish the advisory said something about how it was discovered, to your point about whether the belt and braces fuzzing and adversarial testing found this, or outside research, or a chance discovery, ...
-
@raggi Yeah, the knobs documented in the workarounds are interesting, in terms of giving mechanisms to trade in some speed for safety. It does also somewhat betray the audience that's driving requirements, afaict: hosting services that want to pack wasm instances tightly together in a process, and thus require some defenses to be opt-in because they break that use case.