Chapter 11. WebAssembly System Interface (WASI)

I’m not in this world to live up to your expectations, and you’re not in this world to live up to mine.

Bruce Lee

There are some things that are unnecessarily difficult in WebAssembly as a consequence of the security and safety goals that are easier on other platforms. Reading from the filesystem, writing to the console, and manipulating strings in memory are all simple activities in a language like C, C++, or Rust. It is expected that an operating system will allow a user with sufficient privileges to do these things. There are not explicit, contextual boundaries.

Unfortunately, that is also the problem behind most modern cyber threats such as phishing attacks, privilege escalation, supply chain attacks, and more. If an attacker is able to convince a privileged user to run untrustworthy code, they can often steal access to other resources not otherwise due them. Sandboxed environments exist to prevent this, but they are often slow, cumbersome, and burdensome to developers. WebAssembly wants to solve this problem, and it does in many ways. Fundamentally, however, WebAssembly modules do not have access to anything that is not provided by their hosting environments.

The MVP and the tools that we have seen so far have largely been about making code portable. We are now going to learn how to make applications portable. The solution, as it turns out, is fundamentally about whether expectations can be met or not. This is not just a question ...