Sandboxing untrusted code with WebAssembly
Plenary | Mon 20 Jan 10:45 a.m.–11:30 a.m.
Presented by
Abstract
WebAssembly was built so websites could run compiled code from any language, but it turns out this low-overhead way to run untrusted code is useful outside the browser too!
WebAssembly is already being used by Shopify to execute custom functions for third-party plugins, by Fastly and Cloudflare to host cheap edge workers, and by Firefox to sandbox memory-unsafe libraries. This talk will go through what WebAssembly is and how it's being used in the real world to sandbox untrusted code. We'll also discuss the tradeoffs to consider when weighing up different sandboxing options.
To give us a concrete example to work with, the talk will include a live demo. You, the audience, will be invited to upload your own code in the language of your choice to compete in a simple game! For an extra challenge, you're welcome to try to break out of the WebAssembly sandbox too.
WebAssembly was built so websites could run compiled code from any language, but it turns out this low-overhead way to run untrusted code is useful outside the browser too! WebAssembly is already being used by Shopify to execute custom functions for third-party plugins, by Fastly and Cloudflare to host cheap edge workers, and by Firefox to sandbox memory-unsafe libraries. This talk will go through what WebAssembly is and how it's being used in the real world to sandbox untrusted code. We'll also discuss the tradeoffs to consider when weighing up different sandboxing options. To give us a concrete example to work with, the talk will include a live demo. You, the audience, will be invited to upload your own code in the language of your choice to compete in a simple game! For an extra challenge, you're welcome to try to break out of the WebAssembly sandbox too.