Session

Capabilities all the way down - an OS for WASM

Sid Hussmann - Gapfruit

WASI has two powerful security principles: Strong isolation and control over dependencies using capability-based security. In my talk, I demonstrate how to build resilient systems with this approach and reduce the overall attack surface by over 99%.

–

In my talk, I present Gapfruit’s journey of running WASM code on top of a microkernel operating system with capability-based security for industrial IoT solutions.

When it comes to systems engineering, we live in exciting times. On the one hand, we have projects, such as Genode and seL4, that push the boundaries for a solid computing foundation from the bottom up. On the other hand, the Zero-Trust movement pushes the industry to combine public-key infrastructures with TPM-backed device identities. Third, we can witness a trend from the cloud natives who try to free us from much of the complex and heavyweight legacy code bases with new runtimes such as WebAssembly/WASI on the application layer.

The systems community often uses the term “turtles all the way down” to describe the concept that complex systems build on top of each other. The term originates from an ancient anecdote where someone claims that the Earth rests on the back of a giant turtle, and when asked what the turtle stands on, the response is, “It’s turtles all the way down.” These layers of abstraction also have an impact on security. “Capabilities all the way down” is a pun that mitigates many security implications using capability-based security.

Compared to other runtimes, WASI shines from a security perspective because of two concepts: Isolation and capability-based security. Regarding WASM/WASI, capability-based security refers to explicitly granting permissions (capabilities) to execute specific operations rather than relying solely on traditional access control mechanisms.

The capability-based security boundary of WASM/WASI stops where the WASM code is spawned from: The operating system. In other words, the security of the code running inside the WASM runtime depends on the integrity of the operating system. E.g., if an attacker exploits a bug in a NIC driver on a Linux host, the integrity of the whole system, including the WASM code, is compromised.

In my talk, I want to demonstrate how we utilize strong isolation in combination with capability-based security all the way down to the hardware. With Gapfruit OS, even Linux drivers run in an isolated environment - taking away much of the severity of an exploited bug in the same NIC driver mentioned before.

I will further demonstrate the combination of the topics above in a live demo. The demo will showcase the zero-touch provisioning capabilities of an IoT gateway running a Gapfruit OS: The device will boot and connect to Azure with TPM-backed credentials. The desired state configuration of its digital twin will trigger the deployment of a WASM app with WasmEdge to the device.