Leveraging eBPF to enhance sandboxing of WebAssembly runtimes

In Proc. of the 18th ACM ASIA Conference on Computer and Communications Security (ASIACCS) — Melbourne, Australia, July 10-14, 2023

In this work we propose a solution to enhance the security of the sandbox provided by Wasm runtimes when file system resources are involved via the WASI (WebAssembly System Interface).

Currently, runtimes that implement WASI allow for a poor granularity when specifying what is accessible and what is not, and moreover previous work has also found that this approach is error-prone and can lead to security issues.

Hence, in this work we have replaced the security checks in hostcall wrappers with eBPF programs, enabling the user to specify fine-grained per-module policies. This paper shows that our approach has limited overhead and it's viable.

Paper [BibTeX]