-
Notifications
You must be signed in to change notification settings - Fork 718
Add documentation regarding security issues and the status of Wasm proposals #3972
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
Merged
Changes from all commits
Commits
Show all changes
6 commits
Select commit
Hold shift + click to select a range
314d3f3
Add documentation regarding security issues and the status of Wasm pr…
lum1n0us 8a6c7ca
Improve security documentation and clarify Wasm proposal statuses
lum1n0us 38b39d8
Clarify documentation regarding Wasm proposals by specifying "llvm-ji…
lum1n0us 0de4d1c
Refine security documentation and reorganize Wasm proposals for clarity
lum1n0us 43365ba
Update Wasm proposals documentation to reflect phase changes and impr…
lum1n0us 5201479
Refactor Wasm proposals documentation for improved clarity and organi…
lum1n0us File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,33 @@ | ||
| # About security issues | ||
|
|
||
| This document aims to explain the process of identifying a security issue and the steps for managing a security issue. | ||
|
|
||
| ## identifying a security issue | ||
|
|
||
| It is commonly stated that a security issue is an issue that: | ||
|
|
||
| - Exposes sensitive information to unauthorized parties. | ||
| - Allows unauthorized modification of data or system state. | ||
| - Affects the availability of the system or its services. | ||
| - Permits unauthorized access to the system. | ||
| - Enables users to perform actions they should not be able to. | ||
| - Allows users to deny actions they have performed. | ||
|
|
||
| Given that WASI is a set of Capability-based APIs, all unauthorized actions are not supposed to happen. Most of the above security concerns can be alleviated. What remains for us is to ensure that the execution of Wasm modules is secure. In other words, do not compromise the sandbox. Unless it is explicitly disabled beforehand. | ||
|
|
||
| Thus, we share most of the criteria for judging security issues with [the Bytecode Alliance](https://github.com/bytecodealliance/rfcs/blob/main/accepted/what-is-considered-a-security-bug.md#definition). | ||
|
|
||
| > [!NOTE] | ||
| > keep updating this document as the project evolves. | ||
|
|
||
| ## reporting a security issue | ||
|
|
||
| Follow the [same guidelines](https://bytecodealliance.org/security) as other projects within the Bytecode Alliance. | ||
|
|
||
| ## managing a security issue | ||
|
|
||
| Before reporting an issue, particularly one related to crashing, consult [the cheat sheet](https://github.com/bytecodealliance/rfcs/blob/main/accepted/what-is-considered-a-security-bug.md#cheat-sheet-is-this-bug-considered-a-security-vulnerability), _Report a security vulnerability_ if it qualifies. | ||
|
|
||
| Upon receiving an issue, thoroughly review [the cheat sheet](https://github.com/bytecodealliance/rfcs/blob/main/accepted/what-is-considered-a-security-bug.md#cheat-sheet-is-this-bug-considered-a-security-vulnerability) to assess and _Report a security vulnerability_ if the issue is indeed a security vulnerability. | ||
|
|
||
| Once a security issue is confirmed, please refer to [the runbook](https://github.com/bytecodealliance/rfcs/blob/main/accepted/vulnerability-response-runbook.md) for the subsequent steps to take. | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,82 @@ | ||
| # Wasm Proposals | ||
|
|
||
| This document is intended to describe the current status of WebAssembly proposals and WASI proposals in WAMR. | ||
|
|
||
| Only track proposals that are followed in the [WebAssembly proposals](https://github.com/WebAssembly/proposals) and [WASI proposals](https://github.com/WebAssembly/WASI/blob/main/Proposals.md). | ||
|
|
||
| Normally, the document tracks proposals that are in phase 4. However, if a proposal in an earlier phase receives support, it will be added to the list below. | ||
|
|
||
| The _status_ represents the configuration _product-mini/platforms/linux/CMakeLists.txt_. There may be minor differences between the top-level CMakeLists and platform-specific CMakeLists. | ||
|
|
||
| Users can turn those features on or off by using compilation options. If a relevant compilation option is not available(`N/A`), it indicates that the feature is permanently enabled. | ||
|
|
||
| ## On-by-default Wasm Proposals | ||
|
|
||
| | Proposal | >= Phase 4 | Compilation Option | | ||
| | ------------------------------------- | ---------- | ------------------------ | | ||
| | Bulk memory operations | Yes | `WAMR_BUILD_BULK_MEMORY` | | ||
| | Extended Constant Expressions | Yes | N/A | | ||
| | Fixed-width SIMD[^1] | Yes | `WAMR_BUILD_SIMD` | | ||
| | Multi-value | Yes | N/A | | ||
| | Non-trapping float-to-int conversions | Yes | N/A | | ||
| | Reference Types | Yes | `WAMR_BUILD_REF_TYPES` | | ||
| | Sign-extension operators | Yes | N/A | | ||
| | WebAssembly C and C++ API | No | N/A | | ||
|
|
||
| [^1]: llvm-jit and aot only. | ||
|
|
||
| ## Off-by-default Wasm Proposals | ||
|
|
||
| | Proposal | >= Phase 4 | Compilation Option | | ||
| | ----------------------------- | ---------- | -------------------------- | | ||
| | Garbage collection | Yes | `WAMR_BUILD_GC` | | ||
| | Legacy Exception handling[^2] | No | `WAMR_BUILD_EXCE_HANDLING` | | ||
| | Memory64 | Yes | `WAMR_BUILD_MEMORY64` | | ||
| | Multiple memories[^3] | Yes | `WAMR_BUILD_MULTI_MEMORY` | | ||
| | Reference-Typed Strings | No | `WAMR_BUILD_STRINGREF` | | ||
| | Tail call | Yes | `WAMR_BUILD_TAIL_CALL` | | ||
| | Thread[^4] | Yes | `WAMR_BUILD_SHARED_MEMORY` | | ||
| | Typed Function References | Yes | `WAMR_BUILD_GC` | | ||
|
|
||
| [^2]: | ||
| interpreter only. [a legacy version](https://github.com/WebAssembly/exception-handling/blob/main/proposals/exception-handling/legacy/Exceptions.md). | ||
| This proposal is currently also known as the "legacy proposal" and still | ||
| supported in the web, but can be deprecated in future and the use of | ||
| this proposal is discouraged. | ||
|
|
||
| [^3]: interpreter only | ||
| [^4]: `WAMR_BUILD_LIB_PTHREAD` can also be used to enable | ||
|
|
||
| ## Unimplemented Wasm Proposals | ||
|
|
||
| | Proposal | >= Phase 4 | | ||
| | ------------------------------------------- | ---------- | | ||
| | Branch Hinting | Yes | | ||
| | Custom Annotation Syntax in the Text Format | Yes | | ||
| | Exception handling[^5] | Yes | | ||
| | Import/Export of Mutable Globals | Yes | | ||
| | JS String Builtins | Yes | | ||
| | Relaxed SIMD | Yes | | ||
|
|
||
| [^5]: [up-to-date version](https://github.com/WebAssembly/exception-handling/blob/main/proposals/exception-handling/Exceptions.md) | ||
|
|
||
| ## On-by-default WASI Proposals | ||
|
|
||
| | Proposal | >= Phase 4 | Compilation Option | | ||
| | -------- | ---------- | ------------------ | | ||
|
|
||
| ## Off-by-default WASI Proposals | ||
|
|
||
| | Proposal | >= Phase 4 | Compilation Option | | ||
| | -------------------------- | ---------- | ----------------------------- | | ||
| | Machine Learning (wasi-nn) | No | `WAMR_BUILD_WASI_NN` | | ||
| | Threads | No | `WAMR_BUILD_LIB_WASI_THREADS` | | ||
|
|
||
| ## Unimplemented WASI Proposals | ||
|
|
||
| | Proposal | >= Phase 4 | | ||
| | -------- | ---------- | | ||
|
|
||
| ## WAMR features | ||
|
|
||
| WAMR offers a variety of customizable features to create a highly efficient runtime. For more details, please refer to [build_wamr](./build_wamr.md). |
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.