wasmtime/docs/security-sandboxing.md
Alex Crichton 8caa5a9476 Spice up the project README, fill out more docs (#1010)
* Spice up the project README, fill out more docs

This is an attempt to spruce up wasmtime's README.md file as well as
fill out more of the missing documentation in the `docs/` folder.
There's still a long way to go but I hoped here to mostly move around
existing information and add new information. As always happy to have
feedback!

* Tweak CLI wording

* Remove no-longer relevant clause

* Update sandboxing docs

* Handle comments
2020-02-27 17:28:08 -06:00

# Sandboxing

One of the main goals of WebAssembly, and of Wasmtime, is to execute untrusted code safely inside a sandbox. WebAssembly is sandboxed by design: a module has no ambient authority and must explicitly import every capability it uses (host functions, memories, tables and globals), so the host decides exactly what the module can touch. This document covers the sandboxing implementation strategies Wasmtime has, and will be updated as new ones are developed.

At this time Wasmtime implements what the WebAssembly specification requires, for example bounds checking of every linear memory access and memory isolation between instances: an instance cannot read or write another instance's memory unless the host explicitly shares a memory between them, and an out-of-bounds access traps rather than touching host memory. Additionally, the safe Rust API is intended to mitigate accidental bugs in hosts: an embedder that stays within the safe subset of the API keeps Rust's memory-safety guarantees, so an embedding mistake should surface as an error or a panic rather than memory corruption.

Different sandboxing techniques come with different tradeoffs in performance and feature limitations, and Wasmtime plans to let users choose which tradeoffs they want to make.

More will be added here over time!

## Spectre

Wasmtime does not yet implement Spectre mitigations; this is a subject of ongoing research. The concern is that speculative execution can bypass the bounds checks that guard linear memory accesses, so a guest could transiently read memory it is not permitted to access and leak it through a side channel.