"A C program that crashes will crash in webasm" is exactly what pjmpl said. The sandbox doesn't protect the sandboxes program from internal memory corruption.

Thanks for confirming not having any clue in Infosec.

Explain specifically and technically what you think the problem is. You can't overrun buffers and overflow stacks in any language without it crashing.

There is also no expectation that data in one buffer in webasm would be separate from another buffer.

You should stop arguing. He's correct in this critique, and you don't even disagree that he's correct. The problem is that it's a critique of how (he alleges) hype/VC people have over-sold WASM, not an actual problem with WASM.

You should stop arguing, because the claim of insecurity is not being backed up by anything.

Show me an exploit, show me with detailed and technical information, show some sort of evidence.

Both of you are just repeating your claim more forcefully, never adding anything that backs up your claims.

Compiling C to webasm doesn't fix C bugs within the local memory space of webasm? No one has those expectations except people with a bizarre vendetta against a simple and benign technology like webasm.

pjmlp's claim is: there are people out there who over-hype WASM, who claim that simply compiling a C program to WASM will automatically make it secure. pjmlp is claiming that these over-hyped claims are wrong (in their words: "programs inside the sandbox can still be tricked into internal memory corruption"). You agree that those over-hyped claims are wrong (in your own words: "compiling C to webasm doesn't fix C bugs within the local memory space of webasm"). I agree that those over-hyped claims are wrong.

If one wants to argue against pjmlp (as you and I both do), there are two ways to go: 1) you can say that nobody is making those claims, or 2) you can say that if people are making those claims, the problem is with those people, not WASM.

I choose #2, because it seems plausible to me that VC-backed startup types over-hype WASM. If I was more familiar with the discourse around WASM, I might try to argue #1 if I thought I could demonstrate that over-hyping WASM doesn't really happen. Maybe you could go the burden of proof route, that it's their responsibility to prove that people are over-hyping WASM and take the discussion from there.

But you ... don't seem to be engaging with the argument. You agree that "compiling C to wasm doesn't fix C bugs within the local memory space of wasm", yet you say that "the claim of insecurity is not being backed up by anything" when the claim of insecurity is that compiling C to wasm doesn't fix C bugs within the local memory space of wasm. That's literally what was meant by "internal memory corruption" in pjmlp's very first comment which mentioned the security angle. Again, they're wrong to mention this as a flaw of WASM because making C code resistant against "internal memory corruption" was never a goal of WASM, but that doesn't mean that their "claim of insecurity" is wrong.

To show an example of the kind of exploit pjmlp is talking about, just take any C program with some kind of exploitable buffer overflow, run it in wasmtime or wasmer or whatever, and exploit the buffer overflow. Maybe the buffer overflow lets an attacker write 101 bytes to a 100 byte buffer and therefore flip an "isAdministrator" flag from 0 to 1. You, I and pjmlp all agree that such security issues can exist; WASM doesn't magically protect C code from memory corruption. And that is not a flaw in WASM, which is what your argument should be focusing on.

You both need to stop conflating bugs in a C program that become bugs in webasm with insecurity.

Insecurity would be escaping the VM it runs in. In a native compiled binary you have infinite permissions and can make system calls. You can't do that in a webasm VM.

Webasm is not insecure because a C program that crashes also crashes in webasm.

You still haven't shown any evidence of escaping the VM or actual insecurity.

Nobody is conflating bugs in a C program with bugs in WASM. Nobody is saying that there are sandbox escaping bugs. I give up.

If you can't escape the VM, then where is the insecurity?

If someone is dumping privileged data into a VM that's insecure no matter what, why would you blame webasm?

Web pages can have insecure JavaScript even if the sandbox isn't escaped. Sandbox escape isn't the only possible vulnerability in sandboxed applications. This is basic stuff that I know you already agree with so I don't understand why you keep pressing it.

"Why would you blame WASM" is the right question. As I have said in LITERALLY every single comment so far, blaming WASM instead of the alleged hype people is where pjmlp is wrong. He's not wrong in the assertion that insecure programs may remain insecure when run in the WASM sandbox. But you refuse to listen. This conversation is like talking to a much less polite ChatGPT.

You're arguing against claims no one is making. No one thinks webasm magically fixes bugs. I never said that and no one else did either.

Fucking hell, please pay attention to the discussion you're in. pjmlp's claim is: marketing around WASM suggests that running C programs in WASM instead of natively magically makes those C programs safe.

I doubt anyone is suggesting "magic" and obviously when people talk about 'safety' they mean preventing crashes and escaping the VM.

What specific marketing are you talking about? Link what you're referring to.

Read. My. Comments. I am not claiming that WASM has been misleadingly marketed. pjmlp is. Ask him to link to what he's referring to.

After all this, now you're going to say you don't actually have any of these criticisms and you were just repeating someone else's claims?

Ask him to link to what he's referring to.

He posts this stuff in half the webasm threads I see. Like you he never has anything to back it up and you both get very upset at people asking.

YES! I DISAGREE WITH PJMLK! ALL MY RESPONSES TO PJMLK HAVE BEEN ME DISAGREEING WITH HIM! ALL MY RESPONSES TO YOU HAVE BEEN ABOUT HOW YOU CAN ARGUE AGAINST HIM BETTER BY UNDERSTAND WHICH WRONG CLAIMS HE ACTUALLY MADE, SO THAT YOU'RE NOT ARGUING AGAINST STRAW MEN! PAY ATTENTION!

This is my last response in this thread. You've displayed a profound inability to think. I can't be part of this anymore.

Maybe you should reply to him then instead of getting so upset.

I already did reply to him, see https://news.ycombinator.com/item?id=38613663.

I don't really understand your expectations here. You seem to disagree with someone else and they won't reply to you to give you evidence of their claims. What do you hope to accomplish by replying to me?

I replied to pjmlp because I thought (and still think) he was wrong in his characterization that WASM is a failure because it doesn't magically make insecure C programs secure.

I replied to you because I thought (and still think) you were wrong and/or misunderstanding what pjmlp was saying.

I can disagree with two people at the same time. I don't see the issue.

A reference was already provided. Here's a direct link to the demo of a cross-site scripting attack via webassembly:

https://www.youtube.com/watch?v=glL__xjviro&t=450s

That looks like you have to load up a local file with an exploit, use a png library not being used by major software that also doesn't check for issues with the png file (because they already need to deal with malicious files) and the end result is that it will run javascript if javascript is able to be run from webasm in that context.

It is still worth looking at and is actual information, so I appreciate that.

Don't focus on the specific exploit, it's a general issue:

In order to be useful, your wasm application will likely have to be able to make systems calls, or whatever its equivalent might be on your particular host environment. If you can corrupt internal state, you can control the arguments to these calls. The severity of the issue will depend on what your application is allowed to do: If all it has access to is a some virtual file system, the host will still be safe. But if that virtual file system contains sensitive data, results may nevertheless be catastrophic if, say, it can also request resources over http.