gnh1201/wasm-micro-runtime
1
0
Fork 0
mirror of https://github.com/bytecodealliance/wasm-micro-runtime.git synced 2025-09-06 18:01:08 +00:00
Code Issues Actions 4 Packages Projects Releases Wiki Activity

Enhance security guidelines for identifying vulnerabilities

Browse Source 
It incudes a tiered-support-list
This commit is contained in:
liang.he@intel.com 2025-08-27 02:11:58 +00:00
parent 6c3f6fd017
commit 8976ac0d76
3 changed files with 232 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
doc/build_wamr.md
View File

@ -20,6 +20,8 @@ add_library(vmlib ${WAMR_RUNTIME_LIB_SOURCE})
The script `runtime_lib.cmake` defines a number of variables for configuring the WAMR runtime features. You can set these variables in your CMakeList.txt or pass the configurations from cmake command line. The script `runtime_lib.cmake` defines a number of variables for configuring the WAMR runtime features. You can set these variables in your CMakeList.txt or pass the configurations from cmake command line.
Please refer to [a full list of configuration options](./tired_support.md#appendix-all-compilation-flags).
### **Configure platform and architecture** ### **Configure platform and architecture**
- **WAMR_BUILD_PLATFORM**: set the target platform. It can be set to any platform name (folder name) under folder [core/shared/platform](../core/shared/platform). - **WAMR_BUILD_PLATFORM**: set the target platform. It can be set to any platform name (folder name) under folder [core/shared/platform](../core/shared/platform).

38
doc/security_need_to_know.md
View File

@ -15,10 +15,40 @@ It is commonly stated that a security issue is an issue that:
Given that WASI is a set of Capability-based APIs, all unauthorized actions are not supposed to happen. Most of the above security concerns can be alleviated. What remains for us is to ensure that the execution of Wasm modules is secure. In other words, do not compromise the sandbox. Unless it is explicitly disabled beforehand. Given that WASI is a set of Capability-based APIs, all unauthorized actions are not supposed to happen. Most of the above security concerns can be alleviated. What remains for us is to ensure that the execution of Wasm modules is secure. In other words, do not compromise the sandbox. Unless it is explicitly disabled beforehand.
Thus, we share most of the criteria for judging security issues with [the Bytecode Alliance](https://github.com/bytecodealliance/rfcs/blob/main/accepted/what-is-considered-a-security-bug.md#definition). ### Is this bug considered a security vulnerability?
For someone who finds a problem, if a bug **results in crash or hang**, please treat it as a security problem and report it to a security advisor. The maintainer will look into it and change its category if needed. It is better safe than sorry.
If the author of an issue(results in crash or hang) can go through the following checklist and answer all questions with "No", it is fine to mark it as a regular bug. If not, please report it as a security issue.
---
For those maintainers, please use the following guidelines to determine if a bug or advisory is a security issue:
Only bugs that affect [tier A platforms or features](./tired_support.md) should be considered.
Actions that differ from Wasm rules (like calculating wrong values) are not seen as security issues as long as they stay within the sandbox.
As embedded code, trusts inputs from the guest. By default, APIs and CLIs are following the principle of **caller guarantee**. If the caller provides incorrect parameters, it is not a security issue. For example, if a user passes an invalid file descriptor to `fd_read`, it is not a security issue.
While .aot files are trusted, .wasm files are not. Any unexpected behavior caused by a .wasm file is not a security issue. For example, if a .wasm file causes a runtime crash or hang, it is a security issue. However, if the same .wasm file causes a crash or hang when converted to an .aot file, it is not a security issue.
A denial-of-service (DoS) attack is a cyberattack that aims to make a computer or network resource unavailable to its users. If the service (runtime in this case) can recover and start another module or run another function within the same instance, it is not considered unavailable, and thus not a Denial of Service (DoS).
Another type of execution problem we usually do not classify as a security one is if it is caused by an infinite loop or incorrect recursive function call chain.
> [!NOTE] > [!NOTE]
> keep updating this document as the project evolves. > need a diagram or a cheat sheet for quick reference eventually.
### When a maintainer identify a problem that should be classified as a security vulnerability
Once a maintainer realizes an issue or PR describes a real or possible security vulnerability, act quickly to minimize exposure. Do not share technical details publicly on the issue or PR anymore. Maintainers should:
- Close or edit the public discussion. Thank the person who reported it and explain that security-related issues should go through the Security Advisory process. Close the public issue or pull request as soon as possible to prevent further public sharing. If details have already been shared, consider editing or asking GitHub staff to remove sensitive content.
- Create a Security Advisory. Invite the reporter to join as a collaborator or reporter. If the reporter is uncomfortable using GitHub Security Advisories, offer another private communication method, such as email.
- Follow the guidelines in [the security issue runbook](./security_issue_runbook.md) for the next steps.
## reporting a security issue ## reporting a security issue
@ -26,8 +56,4 @@ Follow the [same guidelines](https://bytecodealliance.org/security) as other pro
## managing a security issue ## managing a security issue
Before reporting an issue, particularly one related to crashing, consult [the cheat sheet](https://github.com/bytecodealliance/rfcs/blob/main/accepted/what-is-considered-a-security-bug.md#cheat-sheet-is-this-bug-considered-a-security-vulnerability), _Report a security vulnerability_ if it qualifies.
Upon receiving an issue, thoroughly review [the cheat sheet](https://github.com/bytecodealliance/rfcs/blob/main/accepted/what-is-considered-a-security-bug.md#cheat-sheet-is-this-bug-considered-a-security-vulnerability) to assess and _Report a security vulnerability_ if the issue is indeed a security vulnerability.
Once a security issue is confirmed, please refer to [the runbook](./security_issue_runbook.md) for the subsequent steps to take. Once a security issue is confirmed, please refer to [the runbook](./security_issue_runbook.md) for the subsequent steps to take.

198
doc/tiered_suppor.md Normal file
View File

@ -0,0 +1,198 @@
# Tiered Supported
**Tier definitions**
- **A — Production Ready:** fully tested and stable.
- **B — Almost Production Ready:** partially tested; close to production.
- **C — Experimental / Not Production Ready:** unfinished or volatile.
## Architecture Support
| Architecture | Tier |
| ------------ | ----- |
| **x86-64** | **A** |
| **x86-32** | **A** |
| AArch64 | B |
| ARC | B[^1] |
| ARM | B |
| RISCV32 | B |
| RISCV64 | B |
| THUMB | B |
| MIPS | C |
| XTENSA | C |
[^1]: will upgrade to **A** after further testing and validation.
## OS / Platform Support
| Platform | Tier |
| ------------------ | ----- |
| **NuttX** | **A** |
| **Ubuntu** | **A** |
| Android | B |
| macOS | B |
| Windows | B |
| Zephyr | B[^2] |
| AliOS-Things | C |
| Cosmopolitan | C |
| ESP-IDF (FreeRTOS) | C |
| FreeBSD | C |
| iOS | C |
| RT-Thread | C |
| RIOT | C |
| VxWorks | C |
[^2]: will upgrade to **A** after further testing and validation.
## WebAssembly Proposal Support
> Defaults below reflect the sample build configuration you provided (e.g., `WAMR_BUILD_*` values), not necessarily the release bundle. “Always-on” items are part of WAMRs baseline.
| WASM Proposal / Extension | Tier | Default |
| -------------------------------------- | ----------- | ------- |
| **Bulk Memory** | A | **On** |
| **Extended Constant Expressions** | A | Off |
| **Import/Export of Mutable Globals** | A | **On** |
| **Memory64** | A | Off |
| **Multi-value** | A | **On** |
| **Non-trapping float-to-int** | A | **On** |
| **Reference Types** | A | **On** |
| **Shared Memory (Threads)** | A | Off |
| **SIMD (128-bit)** | A | **On** |
| **Sign-extension Operators** | A | **On** |
| GC (Garbage Collection) | B | Off |
| Stringref | B | Off |
| Tail Calls | B | Off |
| Multi-memory | C | Off |
| Legacy Exception Handling | C | Off |
| Branch Hinting | Unsupported | |
| Custom Annotation Syntax (text format) | Unsupported | |
| Exception Handling (new spec) | Unsupported | |
| JS String Builtins | Unsupported | |
| Relaxed SIMD | Unsupported | |
# WAMR-Specific Feature Support
> Defaults below mirror your sample build output (e.g., “enabled/disabled” lines) and common WAMR options.
| WAMR Feature | Tier | Default |
| --------------------------------- | ---- | ------- |
| **AoT (wamrc)** | A | **On** |
| **AOT intrinsics** | A | **On** |
| **Fast Interpreter** | A | **Off** |
| **Interpreter (classic)** | A | **On** |
| **Libc builtin** | A | **On** |
| **Libc WASI** | A | **On** |
| **Quick AOT/JIT entries** | A | **On** |
| **Shrunk memory** | A | **On** |
| **Wakeup of blocking operations** | A | **On** |
| **WASM C API** | A | **On** |
| Fast JIT | B | Off |
| LLVM ORC JIT | B | Off |
| Memory profiling | B | Off |
| Module instance context[^7] | B | On |
| Multi-module | B | Off |
| Perf profiling | B | Off |
| Pthread | B | Off |
| Shared heap | B | Off |
| WASI threads | B | Off |
| WASI-NN (neural network APIs) | B | Off |
| Debug Interpreter | B | Off |
| Debug AOT | C | Off |
| Tier-up (Fast JIT → LLVM JIT) | C | Off |
---
# Appendix: All compilation flags
| Compilation flags | Tiered | Default | on Ubuntu |
| ------------------------------------------- | ------ | ------- | --------- |
| WAMR_APP_THREAD_STACK_SIZE_MAX | B | ND[^3] | |
| WAMR_BH_LOG | B | ND | |
| WAMR_BH_VPRINTF | B | ND | |
| WAMR_BUILD_ALLOC_WITH_USAGE | B | ND | |
| WAMR_BUILD_ALLOC_WITH_USER_DATA | B | ND | |
| WAMR_BUILD_AOT | A | ND | 1 |
| WAMR_BUILD_AOT_INTRINSICS | A | 1[^4] | |
| WAMR_BUILD_AOT_STACK_FRAME | A | ND | |
| WAMR_BUILD_AOT_VALIDATOR | B | ND | |
| WAMR_BUILD_BULK_MEMORY | A | 1 | |
| WAMR_BUILD_COPY_CALL_STACK | B | ND | |
| WAMR_BUILD_CUSTOM_NAME_SECTION | B | ND | |
| WAMR_BUILD_DEBUG_AOT | C | ND | |
| WAMR_BUILD_DEBUG_INTERP | B | ND | |
| WAMR_BUILD_DUMP_CALL_STACK | B | ND | |
| WAMR_BUILD_DYNAMIC_AOT_DEBUG | C | ND | |
| WAMR_BUILD_EXCE_HANDLING | C | 0 | |
| WAMR_BUILD_EXTENDED_CONST_EXPR | A | 0 | |
| WAMR_BUILD_FAST_INTERP | A | ND | 1 |
| WAMR_BUILD_FAST_JIT | B | ND | |
| WAMR_BUILD_FAST_JIT_DUMP | B | ND | |
| WAMR_BUILD_GC | B | 0 | |
| WAMR_BUILD_GC_HEAP_VERIFY | B | ND | |
| WAMR_BUILD_GLOBAL_HEAP_POOL | A | ND | |
| WAMR_BUILD_GLOBAL_HEAP_SIZE | A | ND | |
| WAMR_BUILD_INSTRUCTION_METERING | C | ND | |
| WAMR_BUILD_INTERP | A | ND | 1 |
| WAMR_BUILD_INVOKE_NATIVE_GENERAL | B | ND | |
| WAMR_BUILD_JIT | B | ND | |
| WAMR_BUILD_LAZY_JIT | B | 1[^5] | |
| WAMR_BUILD_LIBC_BUILTIN | A | ND | 1 |
| WAMR_BUILD_LIBC_EMCC | C | ND | |
| WAMR_BUILD_LIBC_UVWASI | C | ND | |
| WAMR_BUILD_LIBC_WASI | A | ND | 1 |
| WAMR_BUILD_LIB_PTHREAD | B | ND | |
| WAMR_BUILD_LIB_PTHREAD_SEMAPHORE | B | ND | |
| WAMR_BUILD_LIB_RATS | C | ND | |
| WAMR_BUILD_LIB_WASI_THREADS | B | ND | |
| WAMR_BUILD_LINUX_PERF | B | ND | |
| WAMR_BUILD_LOAD_CUSTOM_SECTION | A | ND | |
| WAMR_BUILD_MEMORY64 | A | 0 | |
| WAMR_BUILD_MEMORY_PROFILING | B | ND | |
| WAMR_BUILD_MINI_LOADER | B | ND | |
| WAMR_BUILD_MODULE_INST_CONTEXT | B | ND | 1 |
| WAMR_BUILD_MULTI_MEMORY | C | 0 | |
| WAMR_BUILD_MULTI_MODULE | B | ND | |
| WAMR_BUILD_PERF_PROFILING | B | ND | |
| WAMR_BUILD_PLATFORM | - | ND | linux |
| WAMR_BUILD_QUICK_AOT_ENTRY | A | 1[^6] | |
| WAMR_BUILD_REF_TYPES | A | ND | 1 |
| WAMR_BUILD_SANITIZER | B | ND | |
| WAMR_BUILD_SGX_IPFS | C | ND | |
| WAMR_BUILD_SHARED_HEAP | A | ND | |
| WAMR_BUILD_SHARED_MEMORY | A | 0 | 1 |
| WAMR_BUILD_SHRUNK_MEMORY | A | ND | 1 |
| WAMR_BUILD_SIMD | A | ND | 1 |
| WAMR_BUILD_SIMDE | A | ND | 1 |
| WAMR_BUILD_SPEC_TEST | A | ND | |
| WAMR_BUILD_STACK_GUARD_SIZE | B | ND | |
| WAMR_BUILD_STATIC_PGO | B | ND | |
| WAMR_BUILD_STRINGREF | B | 0 | |
| WAMR_BUILD_TAIL_CALL | A | 0 | 1 |
| WAMR_BUILD_TARGET | - | ND | X86-64 |
| WAMR_BUILD_THREAD_MGR | A | ND | |
| WAMR_BUILD_WAMR_COMPILER | A | ND | |
| WAMR_BUILD_WASI_EPHEMERAL_NN | B | ND | |
| WAMR_BUILD_WASI_NN | B | ND | |
| WAMR_BUILD_WASI_NN_ENABLE_EXTERNAL_DELEGATE | B | ND | |
| WAMR_BUILD_WASI_NN_ENABLE_GPU | B | ND | |
| WAMR_BUILD_WASI_NN_EXTERNAL_DELEGATE_PATH | B | ND | |
| WAMR_BUILD_WASI_NN_LLAMACPP | B | ND | |
| WAMR_BUILD_WASI_NN_ONNX | B | ND | |
| WAMR_BUILD_WASI_NN_OPENVINO | B | ND | |
| WAMR_BUILD_WASI_NN_TFLITE | B | ND | |
| WAMR_BUILD_WASI_TEST | B | ND | |
| WAMR_BUILD_WASM_CACHE | B | ND | |
| WAMR_CONFIGURABLE_BOUNDS_CHECKS | C | ND | |
| WAMR_DISABLE_APP_ENTRY | A | ND | |
| WAMR_DISABLE_HW_BOUND_CHECK | A | ND | |
| WAMR_DISABLE_STACK_HW_BOUND_CHECK | A | ND | |
| WAMR_DISABLE_WAKEUP_BLOCKING_OP | B | ND | |
| WAMR_DISABLE_WRITE_GS_BASE | B | ND | |
| WAMR_TEST_GC | B | ND | |
[^3]: _ND_ represents _not defined_
[^4]: active if `WAMR_BUILD_AOT` is 1
[^5]: active if `WAMR_BUILD_FAST_JIT` or `WAMR_BUILD_JIT1` is 1
[^6]: active if `WAMR_BUILD_AOT` or `WAMR_BUILD_JIT` is 1
[^7]: required by Libc WASI