tgtweak 11 hours ago
Is a WASM sandbox as secure as a container or VM?

souvik1997 11 hours ago
If I had to rank these, in order of least to most secure, it would be container < VM < WASM.

WASM has:
- Bounds checked linear memory
- No system calls except what you explicitly grant via WASI
- Much smaller attack surface

VMs have:
- Hardware isolation, separate kernel
- May have hypervisor bugs leading to VM escape (rare in practice though)

Some problems with containers:
- Shared host kernel (kernel exploit = escape)
- Seccomp/AppArmor/namespaces reduce attack surface but don't eliminate it
- Larger attack surface (full syscall interface)
- Container escapes are a known class of vulnerability

PufPufPuf 11 hours ago
In theory it's more secure. Containers and VMs run on real hardware, containers usually even on the real kernel (unless you use something like Kata). WASM doesn't have any system interface by default; you have full control over what it accesses. So it's similar to the JVM, for example.
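
The two WASM properties raised in the replies above (bounds-checked linear memory, and no host interface unless one is granted through imports), shown as an added example that is not part of the thread. The module bytes are hand-assembled and constructed for this illustration, the names `instantiateSandbox` and `probe` are hypothetical, and it assumes a runtime with the standard `WebAssembly` JavaScript API such as Node.js.

```javascript
// Constructed sample: a minimal WebAssembly module, assembled byte by byte.
// It declares one 64 KiB page of linear memory, imports nothing, and exports
// load(addr: i32) -> i32, which does a 4-byte read at addr.
const WASM_BYTES = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00, // magic "\0asm", version 1
  0x01, 0x06, 0x01, 0x60, 0x01, 0x7f, 0x01, 0x7f, // type section: (i32) -> i32
  0x03, 0x02, 0x01, 0x00,                         // function section: func 0 has type 0
  0x05, 0x03, 0x01, 0x00, 0x01,                   // memory section: min 1 page, no max
  0x07, 0x08, 0x01, 0x04, 0x6c, 0x6f, 0x61, 0x64, 0x00, 0x00, // export "load" = func 0
  0x0a, 0x09, 0x01, 0x07, 0x00,                   // code section: 1 body, 7 bytes, no locals
  0x20, 0x00,                                     //   local.get 0
  0x28, 0x02, 0x00,                               //   i32.load (4-byte align hint, offset 0)
  0x0b,                                           //   end
]);

const PAGE_SIZE = 65536; // bytes in one WebAssembly page

function instantiateSandbox() {
  const mod = new WebAssembly.Module(WASM_BYTES);
  // Empty import object: the guest is handed no host functions at all.
  const instance = new WebAssembly.Instance(mod, {});
  return { mod, instance };
}

// Read 4 bytes at addr inside the guest; report a trap instead of throwing.
function probe(instance, addr) {
  try {
    return { ok: true, value: instance.exports.load(addr) };
  } catch (err) {
    if (err instanceof WebAssembly.RuntimeError) return { ok: false, trap: err.message };
    throw err; // anything else is a bug in this script, not a sandbox trap
  }
}

function report() {
  const { mod, instance } = instantiateSandbox();
  return {
    // What the module asks the host for, and what it offers back.
    imports: WebAssembly.Module.imports(mod).map((i) => `${i.module}.${i.name}`),
    exports: WebAssembly.Module.exports(mod).map((e) => e.name),
    lastValidWord: probe(instance, PAGE_SIZE - 4), // ends exactly at the page boundary
    straddlesEnd: probe(instance, PAGE_SIZE - 3),  // one byte past the end: trap
    pastEnd: probe(instance, PAGE_SIZE),           // wholly outside: trap
    negative: probe(instance, -1),                 // treated as 0xFFFFFFFF: trap
  };
}

console.log(report());
```

An out-of-range address ends in a `WebAssembly.RuntimeError` rather than a read of host memory, and the empty import list is the module's entire view of the host. Auditing a real module's `WebAssembly.Module.imports()` output before instantiation shows exactly which host capabilities it will request.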