Runtime Security

Blockless Runtime Security

Blockless Runtime is a standalone runtime for WebAssembly (WASM), which is a binary instruction format designed as a portable target for the safe and efficient execution of untrusted code.

Blockless Runtime ensures the security of the sandboxed environment using several key principles and mechanisms:

  1. WebAssembly design: WebAssembly itself is designed with security in mind. Its low-level virtual machine uses a stack-based architecture and has no direct access to the host's memory or system resources. Wasm modules can only access memory and resources provided explicitly by the host, which limits the potential attack surface.
  2. Linear memory and bounds checking: WebAssembly uses a single, contiguous block of memory known as linear memory. This memory is isolated from the host system's memory, and all accesses to it are checked to ensure they are within bounds. This prevents buffer overflows and other memory-related vulnerabilities.
  3. Validation: Blockless Runtime validates WebAssembly modules before execution, ensuring that they conform to the WebAssembly specification. This process checks for issues like malformed binaries, invalid opcodes, or type mismatches, helping to prevent potential security risks.
  4. Capability-based security model: Blockless Runtime follows the principle of least privilege by providing only the necessary capabilities to a wasm module. This means that a wasm module can only access resources (like memory, functions, or system calls) that have been explicitly granted to it by the host. This helps to prevent unauthorized access to system resources or sensitive data.
  5. Sandboxing: Blockless Runtime isolates the execution of wasm modules within a secure sandbox, which limits the impact of potential vulnerabilities. Even if an attacker manages to exploit a wasm module, they would still be confined within the sandbox and unable to compromise the host system.
  6. JIT (Just-In-Time) Compilation and CFG (Control Flow Guard): Blockless Runtime uses a JIT compiler to transform WebAssembly bytecode into native machine code. This allows it to implement security measures such as Control Flow Guard, which helps protect against code reuse attacks by ensuring that indirect function calls only target valid locations.
  7. Continuous updates and community involvement: Blockless Runtime is an open-source project with a dedicated community working together to identify and resolve security issues. Regular updates ensure that any vulnerabilities discovered are quickly patched, keeping the runtime secure.
© 2023 TX Labs Foundation Ltd.