Papers
Topics
Authors
Recent
Gemini 2.5 Flash
Gemini 2.5 Flash
119 tokens/sec
GPT-4o
56 tokens/sec
Gemini 2.5 Pro Pro
43 tokens/sec
o3 Pro
6 tokens/sec
GPT-4.1 Pro
47 tokens/sec
DeepSeek R1 via Azure Pro
28 tokens/sec
2000 character limit reached

Stop Hiding The Sharp Knives: The WebAssembly Linux Interface (2312.03858v1)

Published 6 Dec 2023 in cs.OS and cs.SE

Abstract: WebAssembly is gaining popularity as a portable binary format targetable from many programming languages. With a well-specified low-level virtual instruction set, minimal memory footprint and many high-performance implementations, it has been successfully adopted for lightweight in-process memory sandboxing in many contexts. Despite these advantages, WebAssembly lacks many standard system interfaces, making it difficult to reuse existing applications. This paper proposes WALI: The WebAssembly Linux Interface, a thin layer over Linux's userspace system calls, creating a new class of virtualization where WebAssembly seamlessly interacts with native processes and the underlying operating system. By virtualizing the lowest level of userspace, WALI offers application portability with little effort and reuses existing compiler backends. With WebAssembly's control flow integrity guarantees, these modules gain an additional level of protection against remote code injection attacks. Furthermore, capability-based APIs can themselves be virtualized and implemented in terms of WALI, improving reuse and robustness through better layering. We present an implementation of WALI in a modern WebAssembly engine and evaluate its performance on a number of applications which we can now compile with mostly trivial effort.

Definition Search Book Streamline Icon: https://streamlinehq.com
References (94)
  1. Linux test project. https://github.com/linux-test-project/ltp, 2012.
  2. Wasmcrypto: A WebAssembly set of cryptographic primitives. https://github.com/jedisct1/wasm-crypto, 2018. (Accessed 2021-07-29).
  3. Webassembly exception handling proposal. https://github.com/webassembly/exception-handling, 2019. (Accessed 2023-8-08).
  4. The edge of the multi-cloud. https://www.fastly.com/cassets/6pk8mg3yh2ee/79dsHLTEfYIMgUwVVllaa4/5e5330572b8f317f72e16696256d8138/WhitePaper-Multi-Cloud.pdf, 2020. (Accessed 2021-07-06).
  5. libuvwasi. https://github.com/nodejs/uvwasi.git, 2020. (Access 2023-8-01).
  6. musl-libc. https://www.musl-libc.org, 2020. (Accessed 2023-8-08).
  7. Unity: Getting started with WebGL development. https://https://docs.unity3d.com/Manual/webgl-gettingstarted.html, 2020. (Accessed 2021-07-29).
  8. Unreal Engine: Developing HTML5 games. https://https://docs.unrealengine.com/4.26/en-US/SharingAndReleasing/HTML5/GettingStarted/, 2021. (Accessed 2021-07-29).
  9. Wasmer: A Fast and Secure Webassembly Runtime. https://github.com/wasmerio/wasmer, 2021. (Accessed 2021-07-06).
  10. Wasmtime: a standalone runtime for WebAssembly. https://github.com/bytecodealliance/wasmtime, 2021. (Accessed 2021-08-11).
  11. WebAssembly specifications. https://webassembly.github.io/spec/, 2021. (Accessed 2021-07-29).
  12. WebAssembly Micro Runtime (WAMR). https://github.com/bytecodealliance/wasm-micro-runtime, 2022. (Accessed 2022-04-11).
  13. Webassembly multi memory proposal. https://github.com/WebAssembly/multi-memory, 2022. (Accessed 2023-7-13).
  14. Cve-2023-38408 detail. https://nvd.nist.gov/vuln/detail/CVE-2023-38408, 2023. (Accessed 2023-08-9).
  15. Control-flow integrity principles, implementations, and applications. 13(1), nov 2009.
  16. Firecracker: Lightweight virtualization for serverless applications. In 17th USENIX symposium on networked systems design and implementation (NSDI 20), pages 419–434, 2020.
  17. Wine. Linux Journal, 1994(4es):3–es, 1994.
  18. Isa semantics for armv8-a, risc-v, and cheri-mips. Proc. ACM Program. Lang., 3(POPL), jan 2019.
  19. OpenVZ Authors. OpenVZ FAQ. https://wiki.openvz.org/FAQ, 2014. (Accessed 2023-8-08).
  20. WASI authors. Wasi: The webassembly system interface. wasi.dev, 2023. (Accessed 2023-8-08).
  21. Wasmer authors. Wasix: The superset of WASI. wasix.org, 2023. (Accessed 2023-8-08).
  22. A quantitative cross-comparison of container networking technologies for virtualized service infrastructures in local computing environments. Transactions on Emerging Telecommunications Technologies, 32(4):e4234, 2021.
  23. Fabrice Bellard. Qemu: A generic and open source machine emulator and virtualizer. http://qemu.org, 2020. (Accessed 2023-8-07).
  24. Provably-safe multilingual software sandboxing using WebAssembly. In Proceedings of the USENIX Security Symposium, August 2022.
  25. The state-of-the-art in container technologies: Application, orchestration and security. Concurrency and Computation: Practice and Experience, 32(17):e5668, 2020. e5668 cpe.5668.
  26. Measuring docker performance: What a mess!!! In Proceedings of the 8th ACM/SPEC on International Conference on Performance Engineering Companion, ICPE ’17 Companion, page 11–16, New York, NY, USA, 2017. Association for Computing Machinery.
  27. David Chisnall. The definitive guide to the xen hypervisor. Pearson Education, 2008.
  28. Jonathan Corbet. Seccomp and sandboxing. lwn (13 may 2009), 2009.
  29. Techniques and applications for guest-language safepoints. In Proceedings of the 10th Workshop on Implementation, Compilation, Optimization of Object-Oriented Languages, Programs and Systems, ICOOOLPS ’15, New York, NY, USA, 2015. Association for Computing Machinery.
  30. Mathias Danzeisen. Truly portable vehicle applications using webassembly & wasi. COVESA All Member Meeting, April 2023.
  31. Frank Denis. Performance of webassembly runtimes in 2023, 2023.
  32. Gpu virtualization on vmware’s hosted i/o architecture. ACM SIGOPS Operating Systems Review, 43(3):73–82, 2009.
  33. Serverless computing on heterogeneous computers. In Proceedings of the 27th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, ASPLOS ’22, page 797–813, New York, NY, USA, 2022. Association for Computing Machinery.
  34. Catalyzer: Sub-millisecond startup for serverless computing with initialization-less booting. In Proceedings of the Twenty-Fifth International Conference on Architectural Support for Programming Languages and Operating Systems, ASPLOS ’20, page 467–481, New York, NY, USA, 2020. Association for Computing Machinery.
  35. Vx32: Lightweight user-level sandboxing on the x86. In 2008 USENIX Annual Technical Conference (USENIX ATC 08), 2008.
  36. Sledge: A serverless-first, light-weight wasm runtime for the edge. In Proceedings of the 21st International Middleware Conference, Middleware ’20, page 265–279, New York, NY, USA, 2020. Association for Computing Machinery.
  37. Simulation and formal verification of x86 machine-code programs that make system calls. In 2014 Formal Methods in Computer-Aided Design (FMCAD), pages 91–98, 2014.
  38. VMware vSphere design. John Wiley & Sons, 2013.
  39. Bringing the web up to speed with WebAssembly. In Proceedings of the 38th ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI 2017, page 185–200, New York, NY, USA, 2017. Association for Computing Machinery.
  40. An optimization approach for qemu. In 2009 First International Conference on Information Science and Engineering, pages 129–132, 2009.
  41. Bluevisor: A scalable real-time hardware hypervisor for many-core embedded systems. In 2018 IEEE Real-Time and Embedded Technology and Applications Symposium (RTAS), pages 75–84. IEEE, 2018.
  42. Wave: a verifiably secure webassembly sandboxing runtime. In 2023 IEEE Symposium on Security and Privacy (SP), pages 2940–2955, 2023.
  43. Marcin Juszkiewicz. Linux system calls tables for several architectures. https://marcin.juszkiewicz.com.pl/download/tables/syscalls.html, 2023. (Accessed 2023-08-09).
  44. Avengers, assemble! survey of webassembly security solutions. In 2022 IEEE 15th International Conference on Cloud Computing (CLOUD), pages 543–553, 2022.
  45. Integration with docker container technologies for distributed and microservices applications: A state-of-the-art review. Int. J. Syst. Serv.-Oriented Eng., 12(1):1–22, apr 2022.
  46. kvm: the linux virtual machine monitor. In Proceedings of the Linux symposium, volume 1, pages 225–230. Dttawa, Dntorio, Canada, 2007.
  47. Sel4: Formal verification of an operating-system kernel. Commun. ACM, 53(6):107–115, jun 2010.
  48. Kevin P Lawton. Bochs: A portable pc emulator for unix/x. Linux Journal, 1996(29es):7–es, 1996.
  49. Everything old is new again: Binary security of {{\{{WebAssembly}}\}}. In 29th USENIX Security Symposium (USENIX Security 20), pages 217–234, 2020.
  50. Xavier Leroy. Formal verification of a realistic compiler. Commun. ACM, 52(7):107–115, jul 2009.
  51. Thingspire os: A WebAssembly-based iot operating system for cloud-edge integration. In Proceedings of the 19th Annual International Conference on Mobile Systems, Applications, and Services, MobiSys ’21, page 487–488, New York, NY, USA, 2021. Association for Computing Machinery.
  52. Bringing webassembly to resource-constrained iot devices for seamless device-cloud integration. In Proceedings of the 20th Annual International Conference on Mobile Systems, Applications and Services, pages 261–272, 2022.
  53. Aerogel: Lightweight access control framework for webassembly-based bare-metal iot devices. In 2021 IEEE/ACM Symposium on Edge Computing (SEC), pages 94–105, 2021.
  54. C# and the. net framework: Ready for real time? IEEE software, 20(1):74–80, 2003.
  55. LXC. Lxc introduction. https://linuxcontainers.org/lxc/introduction/, 2023. (Accessed 2023-8-08).
  56. My vm is lighter (and safer) than your container. In Proceedings of the 26th Symposium on Operating Systems Principles, pages 218–233, 2017.
  57. Xtratum: a hypervisor for safety critical embedded systems. In 11th Real-Time Linux Workshop, volume 9. Citeseer, 2009.
  58. Twine: An embedded trusted runtime for webassembly. In 2021 IEEE 37th International Conference on Data Engineering (ICDE), pages 205–216, Los Alamitos, CA, USA, apr 2021. IEEE Computer Society.
  59. Dirk Merkel. Docker: lightweight linux containers for consistent development and deployment. Linux journal, 2014(239):2, 2014.
  60. Microsoft. Hyper-v technology overview. https://learn.microsoft.com/en-us/windows-server/virtualization/hyper-v/hyper-v-technology-overview, 2021. (Accessed 2023-8-08).
  61. Support for just-in-time compilation of webassembly for embedded systems. In 2023 12th Mediterranean Conference on Embedded Computing (MECO), pages 1–4, 2023.
  62. Edgedancer: Secure mobile WebAssembly services on the edge. In Proceedings of the 4th International Workshop on Edge Systems, Analytics and Networking, EdgeSys ’21, page 13–18, New York, NY, USA, 2021. Association for Computing Machinery.
  63. Predictable virtualization on memory protection unit-based microcontrollers. In 2018 IEEE Real-Time and Embedded Technology and Applications Symposium (RTAS), pages 62–74. IEEE, 2018.
  64. Embedded hypervisor xvisor: A comparative analysis. In 2015 23rd Euromicro International Conference on Parallel, Distributed, and Network-Based Processing, pages 682–691. IEEE, 2015.
  65. Towards a trustzone-assisted hypervisor for real-time embedded systems. IEEE computer architecture letters, 16(2):158–161, 2016.
  66. Browsix: Bridging the gap between unix and the browser. In Proceedings of the Twenty-Second International Conference on Architectural Support for Programming Languages and Operating Systems, ASPLOS ’17, page 253–266, New York, NY, USA, 2017. Association for Computing Machinery.
  67. Solaris zones: Operating system support for consolidating commercial workloads. In Proceedings of the 18th USENIX Conference on System Administration, LISA ’04, page 241–254, USA, 2004. USENIX Association.
  68. Iris-wasm: Robust and modular verification of webassembly programs. Proc. ACM Program. Lang., 7(PLDI), jun 2023.
  69. Alastair Reid. Trustworthy specifications of arm® v8-a and v8-m system level architecture. In 2016 Formal Methods in Computer-Aided Design (FMCAD), pages 161–168, 2016.
  70. Fabian Scheidl. Webassembly: Paving the way towards a unified and distributed intra-vehicle computing-and data-acquisition-platform? In 2020 AEIT International Conference of Electrical and Electronic Technologies for Automotive (AEIT AUTOMOTIVE), pages 1–6. IEEE, 2020.
  71. Exploring wsl2. Learn Windows Subsystem for Linux: A Practical Guide for Developers and IT Professionals, pages 75–98, 2020.
  72. Draco: Architectural and operating system support for system call security. In 2020 53rd Annual IEEE/ACM International Symposium on Microarchitecture (MICRO), pages 42–57, 2020.
  73. An evaluation of webassembly in non-web environments. In 2021 XLVII Latin American Computing Conference (CLEI), pages 1–10, 2021.
  74. William Stackenäs. An evaluation of webassembly pre-initialization for faster startup times. Master’s thesis, KTH, School of Electrical Engineering and Computer Science (EECS), 2023.
  75. Osek/vdx api for java. In Proceedings of the 3rd workshop on Programming languages and operating systems: linguistic support for modern operating systems, pages 4–es, 2006.
  76. Selwasm: A code protection mechanism for webassembly. In 2019 IEEE Intl Conf on Parallel & Distributed Processing with Applications, Big Data & Cloud Computing, Sustainable Computing & Communications, Social Computing & Networking (ISPA/BDCloud/SocialCom/SustainCom), pages 1099–1106. IEEE, 2019.
  77. Leaps and bounds: Analyzing webassembly’s performance with a focus on bounds checking. In 2022 IEEE International Symposium on Workload Characterization (IISWC), pages 256–268, 2022.
  78. Scalable translation validation of unverified legacy os code. In 2019 Formal Methods in Computer Aided Design (FMCAD), pages 1–9, 2019.
  79. Ben L. Titzer. A fast in-place interpreter for webassembly. Proc. ACM Program. Lang., 6(OOPSLA2), oct 2022.
  80. Kenton Varda. WebAssembly on Cloudflare Workers. https://blog.cloudflare.com/webassembly-on-cloudflare-workers/. (Accessed 2021-07-06).
  81. Aneka: a software platform for .net-based cloud computing. High speed and large scale scientific computing, 18(3):267–295, 2009.
  82. Potential of webassembly for embedded systems. In 2022 11th Mediterranean Conference on Embedded Computing (MECO), pages 1–4. IEEE, 2022.
  83. Characterizing and optimizing kernel resource isolation for containers. Future Generation Computer Systems, 141:218–229, 2023.
  84. Weihang Wang. Empowering web applications with webassembly: Are we there yet? In 2021 36th IEEE/ACM International Conference on Automated Software Engineering (ASE), pages 1301–1305, 2021.
  85. Wenwen Wang. How far we’ve come – a characterization study of standalone webassembly runtimes. In 2022 IEEE International Symposium on Workload Characterization (IISWC), pages 228–241, 2022.
  86. Conrad Watt. Mechanising and verifying the WebAssembly specification. In Proceedings of the 7th ACM SIGPLAN International Conference on Certified Programs and Proofs, CPP 2018, page 53–65, New York, NY, USA, 2018. Association for Computing Machinery.
  87. Performance optimization for infiniband virtualization on qemu/kvm. In 2019 IEEE International Conference on Cloud Computing Technology and Science (CloudCom), pages 19–26, 2019.
  88. Wasmachine: Bring iot up to speed with a webassembly os. In 2020 IEEE International Conference on Pervasive Computing and Communications Workshops (PerCom Workshops), pages 1–4, 2020.
  89. Unikernel monitors: Extending minimalism outside of the box. In 8th USENIX Workshop on Hot Topics in Cloud Computing (HotCloud 16), Denver, CO, June 2016. USENIX Association.
  90. An end-to-end toolchain for evaluating webassembly runtimes for cps-iot use cases. WebAssembly Research Day 2022, October 2022.
  91. Writing solaris device drivers in java. In Proceedings of the 3rd workshop on Programming languages and operating systems: linguistic support for modern operating systems, pages 3–es, 2006.
  92. The true cost of containing: A {{\{{gVisor}}\}} case study. In 11th USENIX Workshop on Hot Topics in Cloud Computing (HotCloud 19), 2019.
  93. {{\{{XRP}}\}}:{{\{{In-Kernel}}\}} storage functions with {{\{{eBPF}}\}}. In 16th USENIX Symposium on Operating Systems Design and Implementation (OSDI 22), pages 375–393, 2022.
  94. Hacl*: A verified modern cryptographic library. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS ’17, page 1789–1806, New York, NY, USA, 2017. Association for Computing Machinery.
User Edit Pencil Streamline Icon: https://streamlinehq.com
Authors (4)
  1. Arjun Ramesh (2 papers)
  2. Tianshu Huang (7 papers)
  3. Ben L. Titzer (10 papers)
  4. Anthony Rowe (10 papers)
Citations (2)
View on Semantic Scholar

Summary

An Analytical Perspective on the WebAssembly Linux Interface (WALI)

The paper "Stop Hiding The Sharp Knives: The WebAssembly Linux Interface," presents a compelling proposal for enhancing the execution capabilities of WebAssembly (Wasm) outside traditional web environments by introducing the WebAssembly Linux Interface (WALI). As WebAssembly continues to establish itself as a robust sandboxing solution for running near-native-speed code across various platforms, the need arises to bridge the gap in standard system interfaces that restrict its application potential, especially within native system contexts such as Linux.

Summary of Contributions

The principal contribution of the paper is the introduction of WALI, a minimalistic yet effective abstraction layer over Linux userspace system calls. This design allows Wasm modules to interact seamlessly with native processes and leverage existing Linux capabilities without necessitating extensive modifications. The authors argue convincingly for using Linux's syscall interface due to its stability and wide adoption across platforms, thereby sidestepping the limitations and fragmentation issues associated with ongoing Wasm System Interface (WASI) standardization efforts.

The paper outlines several vital facets of WALI's architecture:

  • Process and Thread Model: WALI supports a variety of concurrency models by implementing lightweight process (LWP)-based threading, providing a solution that balances performance with isolation.
  • Memory Model: WALI implements efficient memory management through memory translation and layout conversion, allowing it to support advanced features like memory mapping without excessive overhead.
  • Signal Handling: The authors provide a detailed solution for the asynchronous signal handling limitations in existing systems, ensuring comprehensive signal registration, generation, and delivery compatible with Wasm execution constraints.
  • Cross-Platform Portability: WALI achieves cross-architecture adaptability by resolving syscall discrepancies, employing name-bound syscalls, and managing architecture-specific data representations.
  • Security and Layering: WALI adopts a relaxed security model, pushing much of the API-specific security out of the engine, thereby simplifying runtime implementations and enhancing modularity.

Key Results and Performance Evaluation

The paper reports that WALI effectively bridges the compatibility gaps for significant Linux applications and benchmarks with minimal source code modifications, showcasing this on a suite of real-world applications such as Bash, SQLite, and the OpenSSH suite. It declares the implementation to be concise with a reduced trusted computing base (TCB), and profiles the syscall overheads to be competitive, positioning them as feasible for deployment in embedded systems demanding efficient and secure execution.

Furthermore, the authors provide quantitative benchmarks comparing WALI's performance impact to existing virtualization technologies such as Docker and QEMU, illustrating its favorable balance in resource and execution time efficiency, particularly highlighting its low startup times compared to containers.

Implications and Speculative Outlook

The introduction of WALI holds notable implications for the broadening scope of WebAssembly's applicability, especially in contexts beyond the web. By simplifying the incorporation of Wasm in Linux environments, WALI has the potential to facilitate the porting and execution of legacy Linux applications within Wasm sandboxes. This could significantly impact how applications are developed, deployed, and maintained across heterogeneous computing environments, offering a secure and efficient alternative to traditional virtual machine or container-based virtualization strategies.

Moreover, WALI’s modular approach could pave the way for expanded innovation in creating and deploying new Wasm-based APIs, such as future iterations of WASI, by providing a stable syscall-based foundation that enables complex API layering. This decoupling from engine implementation can catalyze faster iteration and adoption of such standards within the Wasm community.

Ultimately, WALI's contributions underscore the potential for Wasm to serve as a universal execution target across diverse operating systems and hardware architectures. It forecasts a future where Wasm's role can extend deeply into embedded, mobile, and edge computing paradigms—domains that traditionally prioritize safety, efficiency, and long-term software roi. This aligns well with the vision for Wasm as an efficient, secure, and portable execution environment that caters to the multifaceted requirements of emerging cyber-physical systems.

File Document Download Save Streamline Icon: https://streamlinehq.com PDF File Document Download Save Streamline Icon: https://streamlinehq.com Markdown

HackerNews

  1. Stop Hiding the Sharp Knives: The WebAssembly Linux Interface (98 points, 57 comments)
  2. Stop Hiding the Sharp Knives (5 points, 1 comment)