Skip to content

Latest commit

 

History

History
40 lines (33 loc) · 3.81 KB

threat-modeling.md

File metadata and controls

40 lines (33 loc) · 3.81 KB

Threat Model Analysis for wasmerio/wasmer

Threat: Sandbox Escape

  • Threat: Sandbox Escape
    • Description: An attacker crafts a malicious WebAssembly module that exploits a vulnerability in Wasmer's sandboxing implementation (e.g., a bug in the memory management, instruction validation, or system call handling). The attacker's goal is to gain unauthorized access to the host system. This is a flaw within Wasmer.
    • Impact: Complete system compromise. The attacker could read, write, or execute arbitrary code on the host, potentially gaining full control over the machine running Wasmer.
    • Affected Wasmer Component: Core runtime, memory management, sandboxing mechanisms (e.g., wasmer-compiler, wasmer-engine, wasmer-wasi if WASI is enabled).
    • Risk Severity: Critical
    • Mitigation Strategies:
      • Update Wasmer: Immediately apply security updates released by the Wasmer project. This is the primary mitigation.
      • Disable Unnecessary Features: If WASI or other optional features are not required, disable them to reduce the attack surface.
      • Host-Level Security: Implement strong host-level security measures (e.g., process isolation, least privilege, SELinux/AppArmor) to limit the damage even if an escape occurs. This is a secondary mitigation, as it doesn't prevent the escape itself.
      • Monitor Security Advisories: Regularly check for Wasmer security advisories and CVEs.

Threat: Wasmer Runtime Denial of Service (DoS)

  • Threat: Wasmer Runtime Denial of Service (DoS)
    • Description: An attacker crafts a WebAssembly module that exploits a vulnerability in Wasmer itself (e.g., a bug that causes excessive memory allocation or an infinite loop within the runtime) to cause the Wasmer runtime to crash or become unresponsive. This is distinct from a module simply consuming its allowed resources.
    • Impact: Denial of service for the host application. The application embedding Wasmer becomes unavailable.
    • Affected Wasmer Component: Core runtime, compiler, potentially specific engine implementations.
    • Risk Severity: High
    • Mitigation Strategies:
      • Update Wasmer: Apply security updates. This is the primary mitigation.
      • Monitor Security Advisories: Check for Wasmer-specific DoS vulnerabilities.
      • Resource Limits (Runtime): If possible (and supported by the specific Wasmer configuration), configure Wasmer to limit its own resource usage. This is distinct from limiting the resources of individual modules.
      • Host-Level Monitoring: Monitor the resource usage of the Wasmer process itself.

Threat: Compromised Wasmer Build

  • Threat: Compromised Wasmer Build
    • Description: An attacker compromises the Wasmer build process and injects malicious code into the Wasmer runtime itself. This is a supply chain attack targeting Wasmer directly.
    • Impact: Complete system compromise. The attacker could control any application using the compromised Wasmer build.
    • Affected Wasmer Component: The entire Wasmer runtime.
    • Risk Severity: Critical
    • Mitigation Strategies:
      • Official Sources: Download Wasmer only from official sources (e.g., the official GitHub repository, official releases).
      • Checksum Verification: Verify the integrity of downloaded binaries using checksums (e.g., SHA-256) provided by the Wasmer project. This is crucial.
      • Build from Source (Advanced): Consider building Wasmer from source after careful code review. This is a more advanced mitigation for experienced developers.