Skip to content

Latest commit

 

History

History
94 lines (75 loc) · 5.62 KB

mitigations.md

File metadata and controls

94 lines (75 loc) · 5.62 KB

Mitigation Strategies Analysis for wasmerio/wasmer

Mitigation Strategy: Principle of Least Privilege for Wasm Modules (Wasmer-Specific)

  • Description:

    1. WasiCtxBuilder Configuration: Use wasmer::WasiCtxBuilder to meticulously control the WASI environment provided to the Wasm module.
    2. Restrict Filesystem Access:
      • Use preopen_dir() to grant access only to specific, pre-approved directories. Never grant access to the root directory (/) or sensitive system directories.
      • Example: builder.preopen_dir("/path/to/wasm_data")?;
    3. Control Environment Variables:
      • Use env() to explicitly set only the necessary environment variables. Avoid passing through all host environment variables.
      • Example: builder.env("CONFIG_PATH", "/data/config.json")?;
    4. Limit Arguments:
      • If the Wasm module accepts command-line arguments, validate them thoroughly on the host side before passing them to the module using args().
      • Example: builder.args(&["validated_arg1", "validated_arg2"])?;
    5. Restrict Standard I/O:
      • If the Wasm module doesn't require interactive input/output, redirect stdin, stdout, and stderr to null devices or in-memory buffers using methods on WasiCtxBuilder.
      • Example: builder.stdin(Box::new(wasmer_wasi::Pipe::new())); (for an in-memory pipe)
    6. Auditing Host Functions (Wasmer Interaction): When defining custom host functions (functions callable from the Wasm module), ensure they are minimal, perform thorough input validation, and do not expose unnecessary system functionality. This is a Wasmer-specific concern because it involves the interaction between the host and the Wasm sandbox.

  • List of Threats Mitigated:

    • Arbitrary File System Access (High Severity):
    • Information Disclosure (High Severity):
    • Code Injection via Host Functions (High Severity):
    • Denial of Service (DoS) via Resource Exhaustion (Medium Severity): (Indirectly)
    • Command Injection (High Severity):

  • Impact: (Same as before, as the core mitigation is the same)

    • Arbitrary File System Access: Risk significantly reduced.
    • Information Disclosure: Risk significantly reduced.
    • Code Injection via Host Functions: Risk reduced.
    • Denial of Service: Risk partially reduced.
    • Command Injection: Risk significantly reduced.

  • Currently Implemented:

    • Example: src/host/wasi_context.rs

  • Missing Implementation:

    • Example: Host functions in src/host/functions.rs need further auditing.

Mitigation Strategy: Memory Safety and Sandboxing (Wasmer-Specific)

  • Description:

    1. Keep Wasmer Updated: Regularly update the Wasmer runtime to the latest stable version.
    2. Isolate Wasm Instances: Use a separate wasmer::Store for each Wasm module.
    3. Set Resource Limits:
      • Use wasmer::Config to set limits on memory and instructions.
      • config.max_memory_pages(100);
      • config.max_instructions(1_000_000_000);
    4. Compiler Choice (with caution): Consider wasmer-compiler-cranelift vs. wasmer-compiler-singlepass, evaluating the security/performance trade-off. This is a Wasmer-specific choice.
    5. Minimize unsafe in Host-Wasm Interaction: Be extremely cautious with unsafe Rust code when interacting with Wasm memory from the host. This is Wasmer-specific because it involves the low-level interaction with the Wasmer API.

  • List of Threats Mitigated:

    • Wasmer Runtime Vulnerabilities (High Severity):
    • Denial of Service (DoS) via Resource Exhaustion (Medium Severity):
    • Cross-Module Interference (Medium Severity):
    • Memory Corruption (High Severity):
    • Information Leaks via Uninitialized Memory (Medium Severity):

  • Impact: (Same as before)

    • Wasmer Runtime Vulnerabilities: Risk reduced.
    • Denial of Service: Risk significantly reduced.
    • Cross-Module Interference: Risk significantly reduced.
    • Memory Corruption: Risk reduced.
    • Information Leaks: Risk reduced.

  • Currently Implemented:

    • Example: src/host/runtime.rs

  • Missing Implementation:

    • Example: Review uses of unsafe in src/host/memory.rs.

Mitigation Strategy: Disable Unnecessary WASI Features (Wasmer-Specific)

  • Description:

    1. Review WASI: Understand the WASI specification.
    2. Identify Unnecessary Features: Determine which WASI features are not needed.
    3. Explicitly Disable: Use the WasiCtxBuilder to disable unnecessary features. This is entirely Wasmer-specific as it directly uses the Wasmer API to configure WASI.
    4. Document Disabled Features: Clearly document the disabled features.

  • List of Threats Mitigated:

    • Exploitation of Unnecessary WASI Features (Medium Severity):
    • Accidental Misuse of WASI Features (Low Severity):

  • Impact:

    • Exploitation of Unnecessary WASI Features: Risk reduced.
    • Accidental Misuse of WASI Features: Risk reduced.

  • Currently Implemented:

    • Example: src/host/wasi_config.rs

  • Missing Implementation:

    • Example: Review and disable additional WASI features; document in src/host/wasi_config.rs.