Lucet is the native WebAssembly compiler that meets your security needs

Share
  • March 29, 2019

When it comes to WebAssembly, things have been moving fast. It’s only been around since 2017, but what would life be without it? Add yet another reason that you love Wasm to your long list because now Fastly open sourced their native WebAssembly compiler and runtime: Lucet.

Lucet has been in development since 2017 and now hits the scene, much to our benefit! It’s the first Fastly project to be built in Rust and is currently under active development. If you’ve used Fastly’s edge computing platform Terrarium then you’ve already seen it in action.

Welcome Lucet!

Lucet safely executes untrusted WebAssembly programs inside your application and supports programs written in C, Rust, and AssemblyScript. For now, it only supports x86-64 based Linux systems. It uses and was developed in collaboration with Mozilla’s low-level code generator Cranelift.

SEE ALSO: Using Go for WebAssembly applications

Performance wise, Lucet can execute “tens of thousands of WebAssembly programs simultaneously, in the same process, without compromising security”. It can handle thousands of requests per second in a single process.

How does this compare to JavaScript? Lucet and Wasm easily blow JavaScript out of the water. From the announcement blog: “Lucet can instantiate WebAssembly modules in under 50 microseconds, with just a few kilobytes of memory overhead. By comparison, Chromium’s V8 engine takes about 5 milliseconds, and tens of megabytes of memory overhead, to instantiate JavaScript or WebAssembly programs.”

In the next coming years, it will be interesting to see how the landscape of JS and Wasm evolve together.

Secure Wasm

Just like fire, security is nothing to deal with frivolously. Lucet is committed to high-level security architecture and explains the security system in detail here.

The project does not provide a complete secure sandbox framework at this time; security is achieved through a combination of lucet-supplied security controls and user-supplied security controls. At a high level, this jointly-constructed security architecture aims to prevent untrusted input, data, and activity from compromising the security of trusted components. It also aims to prevent an untrusted actor from compromising the security (e.g. data and activity) of another untrusted actor. For example, one user of a lucet embedding should not be able to affect the security of another user of the same lucet embedding.

SEE ALSO: A developer’s introduction to WebAssembly

Two security scenarios exist: Trusted code and untrusted code.

Trusted code involves fully trusted code controlled by a system’s administrator. Whereas, untrusted code incorporates all code, processes, and inputs supplied from a third-party.

webassembly

Compile/load scenario

webassembly

Program execution scenario

Rest assured you will not have to compromise on security and safety.

Of course, this doesn’t fire off a magic bullet that alleviates the administrator of all duties. The security doc also reminds users to beware of several security caveats, including attacks against guest programs.

Want it? You got it.

Try out a quick demo by cloning the repo from GitHub and follow the README for info on setting up your environment. The repo includes a Dockerfile and uses git submodules.

Requirements include:

  • Stable Rust, and rustfmt
  • wasi-sdk
  • GNU Make, CMake, & various standard Unix utilities for the build system
  • libhwloc

Future plans for Lucet involve making it available on the Fastly edge cloud and support for more languages. Full support for the entire WebAssembly spec will also come in the future. We also expect to see more security features in future updates as well.

The post Lucet is the native WebAssembly compiler that meets your security needs appeared first on JAXenter.

Source : JAXenter