-
Notifications
You must be signed in to change notification settings - Fork 250
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Annotation for file descriptors / enforcing integrity of fd
#50
Comments
How would you get rid of this once reference types will be available? |
@dumblob i think you could just have a tool that removes the custom header and transforms the annotated i32s to reference types. |
@wanderer I mean in production - you'll have some "binary app" compiled using the annotated This is the biggest pain of web development - everything changes all the time 😢. |
@dumblob doesn't that question also apply to the current situation too? Once we have actually references the API will totally change and I assume older binaries will use the older version of the API (once we figure out versioning as well). Annotations are just trying to enforces the unforgeablality of references between modules with what we have now. |
yeah this is particularly annoying. But forward looking implementations could just go ahead and implement references and translate the annotation to actually references internally. The problem with this approach would be that those implementation would still have to support operations that actually references wouldn't support. I don't have any other ideas here 😶 |
@wanderer I admit I didn't think of this at all as I assume this won't happen after a "1.0" WASI standard will be published. But I must be missing something and so I'll rather keep waiting until some clarification from the versioning and reference types discussions emerges 😉. |
It's unclear what this mechanism would guard against. If someone forges a file descriptor
|
@sunfishcode so maybe the assumption i made here that isn't entirely clear is that the two instantiates are separate stores and instead of inheriting If instance If we don't have a mechanism like this then how would to separate store be able to share |
Could you spell out the scenario in more detail? How does Also, another option here is to just accept that forging is possible with integer file descriptors, and wait for reference types to fix this properly. |
Let me see if I understand what you are asking for here @wanderer? In your scenario there are two separate wasi modules (is this what you mean by store?) that can directly call functions on each other? Right now as of today if you pass and In the future this will work if we have first class reference types. In the interim you are suggesting we could build some kind of annotation that would automatically generate the code needed to pass the fd (via some kind of wasi fd passing syscall) before making the call to |
It could just be preopened. All the preopend fd's would be added to c-list or table once we have ref types.
thats the job of the runtime. When a
on b's side
Here is the equivalents with ref-types
yeah annotations are a bit pain but in some usecases, like smart contracts, i think that unforgeability is necessary from the get go or any situation when multiple untrusted stores are interacting. |
yes this is what i was thinking. but i guess this scenario would be fine for multiple wasm instances that are linked together in a single wasi module / store too.
yep! this at least allows us to have the room to do that. Currently i think it would be hard to implement a system used WASI and that needed to have multiple untrusted programs interacting and sharing capabilities/fd. |
The design principles document describes an approach where we can think of c-lists as WebAssembly tables. With that in mind, the way to have two instances that are linked without sharing is to give them each their own table, aka c-list, and to have tooling and interface-types support for conceptually passing handles from one instance to another, which handle actually copying handles from one table to another. This avoids the need for special types or special annotations -- instances can access any of the capabilities within their c-lists, but they need not see all c-lists present within a store. |
WASI is now moving to a model where handles are a first-class type in wit, and instance-local indices are used to refer to them. They're instance-local, so when a handle is passed from one instance to another, the indices are translated. For further questions about the underlying mechanism, please follow up in the component model. |
So once we have reference types we can use those types for
fd
but currently we can also enforce nearly the same behavior as if we had reference types by annotating functions. This would enable the host system to enforce the integrity offd
across module instances.For example lets say we have to have 2 wasm instances (a, b) that share no memory or tables but instance
a
imports some exported functions from instanceb
. If those exported functions expectedfd
in its augments, those augments would be annotated in a custom section so that whena
calledb
the host would enforce that values were validfd
.The custom sections could looks something like the following
The custom section has a name of "wasi.type".
The typeMap section maps the custom types to functions. And is encoded as follows
varuint32
map*
And a map is Encoded as follows and named "wasi.typeMap".
varuint32
varuint32
Lastly the custom type information for globals are encoded as follows. The section name is "wasi.globals"
varuint32
varuint32
The text was updated successfully, but these errors were encountered: