Skip to content
Vol. 1 · Ed. 2026
CyberGlossary
日本語
Entry № 1358

WebAssembly Security

WebAssembly Security とは何ですか?

WebAssembly SecurityThe security model of WebAssembly — capability-based sandbox, no ambient access to syscalls, structured control flow — plus the practical risks of memory-unsafe languages compiled to Wasm and untrusted Wasm running outside the browser.

WebAssembly (Wasm) is a portable, binary, stack-based VM with a deliberately conservative security model: linear memory is isolated from the host, control flow is structured (no arbitrary jumps), all imports are explicit, and there is no ambient I/O — a Wasm module can only do what its host (browser, runtime, WASI implementation) hands it as imported functions. Inside the browser this complements the same-origin policy and CSP; outside it (Cloudflare Workers, Fastly Compute, edge runtimes, Envoy filters, plugin systems), Wasm enables running untrusted code from third parties with capability-based controls. Security work focuses on (1) memory safety inside the module — buffer overflows in Wasm-compiled C/C++/Rust still exist and have already led to JIT-spray-style attacks on browser engines; (2) WASI capability scoping — restricting filesystem, network, and clock access per module; (3) supply-chain integrity of Wasm artifacts (component model, signed component-registry releases); and (4) side-channel resilience against Spectre, since Wasm can be a delivery vector for speculation primitives.

  1. 01

    An edge runtime gives each tenant's Wasm module a capability-scoped filesystem rooted at `/tenant/<id>` and no network sockets at all.

  2. 02

    A vulnerability in a JPEG decoder compiled to Wasm allows out-of-bounds reads inside the module, but the host's linear-memory isolation prevents it from escaping into other processes.

よくある質問

WebAssembly Security とは何ですか?

The security model of WebAssembly — capability-based sandbox, no ambient access to syscalls, structured control flow — plus the practical risks of memory-unsafe languages compiled to Wasm and untrusted Wasm running outside the browser. サイバーセキュリティの アプリケーションセキュリティ カテゴリに属します。

WebAssembly Security とはどういう意味ですか?

The security model of WebAssembly — capability-based sandbox, no ambient access to syscalls, structured control flow — plus the practical risks of memory-unsafe languages compiled to Wasm and untrusted Wasm running outside the browser.

WebAssembly Security はどのように機能しますか?

WebAssembly (Wasm) is a portable, binary, stack-based VM with a deliberately conservative security model: linear memory is isolated from the host, control flow is structured (no arbitrary jumps), all imports are explicit, and there is no ambient I/O — a Wasm module can only do what its host (browser, runtime, WASI implementation) hands it as imported functions. Inside the browser this complements the same-origin policy and CSP; outside it (Cloudflare Workers, Fastly Compute, edge runtimes, Envoy filters, plugin systems), Wasm enables running untrusted code from third parties with capability-based controls. Security work focuses on (1) memory safety inside the module — buffer overflows in Wasm-compiled C/C++/Rust still exist and have already led to JIT-spray-style attacks on browser engines; (2) WASI capability scoping — restricting filesystem, network, and clock access per module; (3) supply-chain integrity of Wasm artifacts (component model, signed component-registry releases); and (4) side-channel resilience against Spectre, since Wasm can be a delivery vector for speculation primitives.

WebAssembly Security からどのように防御しますか?

WebAssembly Security に対する防御は通常、上記の定義で述べたとおり、技術的統制と運用上の実践を組み合わせます。

WebAssembly Security の別名は何ですか?

一般的な別名: Wasm security, WASI security。

関連用語