
Commit 5cb65a4

committed
fix: improve security documentation clarity
1 parent 57d8a39 commit 5cb65a4

2 files changed

Lines changed: 72 additions & 73 deletions

File tree

doc/security_need_to_know.md

Lines changed: 8 additions & 7 deletions
@@ -17,29 +17,30 @@ Given that WASI is a set of Capability-based APIs, all unauthorized actions are
1717

1818
### Is this bug considered a security vulnerability?
1919

20-
For someone who finds a problem, if a bug **results in crash or hang**, please treat it as a security problem and report it to a security advisor. The maintainer will look into it and change its category if needed. It is better safe than sorry.
20+
#### For someone who finds a problem
21+
22+
if a bug **results in crash or hang**, please treat it as a security problem and report it to a security advisor. The maintainer will look into it and change its category if needed. It is better safe than sorry.
2123

2224
If the author of an issue(results in crash or hang) can go through the following checklist and answer all questions with "No", it is fine to mark it as a regular bug. If not, please report it as a security issue.
2325

2426
---
2527

26-
For those maintainers, please use the following guidelines to determine if a bug or advisory is a security issue:
28+
#### For those maintainers
29+
30+
please use the following guidelines to determine if a bug or advisory is a security issue:
2731

2832
Only bugs that affect [tier A platforms or features](./tired_support.md) should be considered.
2933

3034
Actions that differ from Wasm rules (like calculating wrong values) are not seen as security issues as long as they stay within the sandbox.
3135

32-
By default, APIs and CLIs are following the principle of **caller guarantee**. If the caller provides incorrect parameters or users input malformed options, it is not a security issue. For example, if a user passes an invalid file descriptor to `fd_read`, it is not a security issue.
36+
By default, native APIs and CLIs are following the principle of **caller guarantee**. If the caller provides incorrect parameters or users input malformed options, it is not a security issue. For example, if a user passes an invalid file descriptor to `fd_read`, it is not a security issue.
3337

34-
.wasm are not trusted. Malformed .wasm files should be handled gracefully. If a .wasm file causes a runtime crash or hang, it is a security issue. On the other hand, it's expected that aot runtime alone doesn't provide the same guarantee. So user-crafted aot modules can cause anything, including crashes or hangs. They are not considered security issues.
38+
.wasm are not trusted. Malformed .wasm files should be handled gracefully. If a .wasm file causes a runtime crash or hang, it is a security issue. On the other hand, it's expected that aot runtime alone doesn't provide the same guarantee. So user-crafted .aot can cause anything, including crashes or hangs. They are not considered security issues.
3539

3640
A denial-of-service (DoS) attack is a cyberattack that aims to make a computer or network resource unavailable to its users. If the service (runtime in this case) can recover and start another module or run another function within the same instance, it is not considered unavailable, and thus not a Denial of Service (DoS).
3741

3842
Another type of execution problem we usually do not classify as a security one is if it is caused by an infinite loop or incorrect recursive function call chain.
3943

40-
> [!NOTE]
41-
> need a diagram or a cheat sheet for quick reference eventually.
42-
4344
### When a maintainer identify a problem that should be classified as a security vulnerability
4445

4546
Once a maintainer realizes an issue or PR describes a real or possible security vulnerability, act quickly to minimize exposure. Do not share technical details publicly on the issue or PR anymore. Maintainers should:
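Review bot: the two new `####` headings leave the sentences under them starting in lowercase (`if a bug **results in crash or hang**` and `please use the following guidelines`); now that the "For ..." clause lives in the heading, capitalise those sentence starts, and prefer `#### For maintainers` over `#### For those maintainers`. Two more things in this hunk while it is being touched: the link `[tier A platforms or features](./tired_support.md)` does not match the file name shown in this commit (`doc/tiered_suppor.md`), so at least one of the two is misspelled and the link will not resolve; and `If the author of an issue(results in crash or hang)` is missing a space before the parenthesis. `report it to a security advisor` also reads as a person; if the intended path is filing a security advisory, say so. On substance, the `.aot` paragraph now states that user-crafted `.aot` can cause anything and is not a security issue, which makes the trust boundary clear, but it would help embedders to spell out the consequence in one sentence, e.g. "Only load `.aot` files produced by a `wamrc` you control; treat `.aot` input as trusted code, not as untrusted data", since the appendix in this same commit lists `WAMR_BUILD_AOT_VALIDATOR` only as a tier B flag with no default, not as a guarantee.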

doc/tiered_suppor.md

Lines changed: 64 additions & 66 deletions
@@ -6,23 +6,23 @@
66
- **B — Almost Production Ready:** partially tested; close to production.
77
- **C — Experimental / Not Production Ready:** unfinished or volatile.
88

9+
The condition _tested_ mentioned above specifically refers to whether there are enough tests in CI.
10+
911
## Architecture Support
1012

1113
| Architecture | Tier |
1214
| ------------ | ----- |
1315
| **x86-64** | **A** |
1416
| **x86-32** | **A** |
1517
| AArch64 | B |
16-
| ARC | B[^1] |
18+
| ARC | B |
1719
| ARM | B |
1820
| RISCV32 | B |
1921
| RISCV64 | B |
2022
| THUMB | B |
2123
| XTENSA | B |
2224
| MIPS | C |
2325

24-
[^1]: will upgrade to **A** after further testing and validation.
25-
2626
## OS / Platform Support
2727

2828
| Platform | Tier |
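Review bot: `whether there are enough tests in CI` leaves the tier criterion unquantified, and it matters here because the security policy changed in this same commit scopes vulnerability handling to tier A platforms. State the concrete bar (for example, the spec test suite and the platform's sample apps run green in CI on that architecture) so a reader can tell why x86-64 is A and AArch64 is B. Dropping footnote `[^1]` ("will upgrade to **A** after further testing and validation") also removes the only statement of what ARC is waiting on; if that plan still stands, keep a short note beside the row rather than deleting it.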
@@ -32,7 +32,7 @@
3232
| Android | B |
3333
| macOS | B |
3434
| Windows | B |
35-
| Zephyr | B[^2] |
35+
| Zephyr | B |
3636
| AliOS-Things | C |
3737
| Cosmopolitan | C |
3838
| ESP-IDF (FreeRTOS) | C |
@@ -42,78 +42,76 @@
4242
| RIOT | C |
4343
| VxWorks | C |
4444

45-
[^2]: will upgrade to **A** after further testing and validation.
46-
4745
## WebAssembly Proposal Support
4846

49-
> Defaults below reflect the sample build configuration you provided (e.g., `WAMR_BUILD_*` values), not necessarily the release bundle. “Always-on” items are part of WAMR’s baseline.
50-
51-
| WASM Proposal / Extension | Tier | Default |
52-
| -------------------------------------- | ----------- | ------- |
53-
| **Bulk Memory** | A | **On** |
54-
| **Extended Constant Expressions** | A | Off |
55-
| **Import/Export of Mutable Globals** | A | **On** |
56-
| **Memory64** | A | Off |
57-
| **Multi-value** | A | **On** |
58-
| **Non-trapping float-to-int** | A | **On** |
59-
| **Reference Types** | A | **On** |
60-
| **Shared Memory (Threads)** | A | Off |
61-
| **SIMD (128-bit)** | A | **On** |
62-
| **Sign-extension Operators** | A | **On** |
63-
| GC (Garbage Collection) | B | Off |
64-
| Stringref | B | Off |
65-
| Tail Calls | B | Off |
66-
| Multi-memory | C | Off |
67-
| Legacy Exception Handling | C | Off |
68-
| Branch Hinting | Unsupported | |
69-
| Custom Annotation Syntax (text format) | Unsupported | |
70-
| Exception Handling (new spec) | Unsupported | |
71-
| JS String Builtins | Unsupported | |
72-
| Relaxed SIMD | Unsupported | |
47+
> During configuration, It is able to disable or enable the following features by setting the corresponding flags (see Appendix). It is also possible to check features status in the configuration output.
48+
49+
| WASM Proposal / Extension | Tier |
50+
| -------------------------------------- | ----------- |
51+
| **Bulk Memory** | A |
52+
| **Extended Constant Expressions** | A |
53+
| **Import/Export of Mutable Globals** | A |
54+
| **Memory64** | A |
55+
| **Multi-value** | A |
56+
| **Non-trapping float-to-int** | A |
57+
| **Reference Types** | A |
58+
| **Shared Memory (Threads)** | A |
59+
| **SIMD (128-bit)** | A |
60+
| **Sign-extension Operators** | A |
61+
| GC (Garbage Collection) | B |
62+
| Stringref | B |
63+
| Tail Calls | B |
64+
| Multi-memory | C |
65+
| Legacy Exception Handling | C |
66+
| Branch Hinting | Unsupported |
67+
| Custom Annotation Syntax (text format) | Unsupported |
68+
| Exception Handling (new spec) | Unsupported |
69+
| JS String Builtins | Unsupported |
70+
| Relaxed SIMD | Unsupported |
7371

7472
# WAMR-Specific Feature Support
7573

76-
> Defaults below mirror your sample build output (e.g., “enabled/disabled” lines) and common WAMR options.
77-
78-
| WAMR Feature | Tier | Default |
79-
| --------------------------------- | ---- | ------- |
80-
| **AoT (wamrc)** | A | **On** |
81-
| **AOT intrinsics** | A | **On** |
82-
| **Fast Interpreter** | A | **Off** |
83-
| **Interpreter (classic)** | A | **On** |
84-
| **Libc builtin** | A | **On** |
85-
| **Libc WASI** | A | **On** |
86-
| **Quick AOT/JIT entries** | A | **On** |
87-
| **Shrunk memory** | A | **On** |
88-
| **Wakeup of blocking operations** | A | **On** |
89-
| **WASM C API** | A | **On** |
90-
| Fast JIT | B | Off |
91-
| LLVM ORC JIT | B | Off |
92-
| Memory profiling | B | Off |
93-
| Module instance context[^7] | B | On |
94-
| Multi-module | B | Off |
95-
| Perf profiling | B | Off |
96-
| Pthread | B | Off |
97-
| Shared heap | B | Off |
98-
| WASI threads | B | Off |
99-
| WASI-NN (neural network APIs) | B | Off |
100-
| Debug Interpreter | B | Off |
101-
| Debug AOT | C | Off |
102-
| Tier-up (Fast JIT → LLVM JIT) | C | Off |
74+
> During configuration, It is able to disable or enable the following features by setting the corresponding flags (see Appendix). It is also possible to check features status in the configuration output.
75+
76+
| WAMR Feature | Tier |
77+
| --------------------------------- | ---- |
78+
| **AoT (wamrc)** | A |
79+
| **AOT intrinsics** | A |
80+
| **Fast Interpreter** | A |
81+
| **Interpreter (classic)** | A |
82+
| **Libc builtin** | A |
83+
| **Libc WASI** | A |
84+
| **Quick AOT/JIT entries** | A |
85+
| **Shrunk memory** | A |
86+
| **Wakeup of blocking operations** | A |
87+
| **WASM C API** | A |
88+
| Fast JIT | B |
89+
| LLVM ORC JIT | B |
90+
| Memory profiling | B |
91+
| Module instance context[^7] | B |
92+
| Multi-module | B |
93+
| Perf profiling | B |
94+
| Pthread | B |
95+
| Shared heap | B |
96+
| WASI threads | B |
97+
| WASI-NN (neural network APIs) | B |
98+
| Debug Interpreter | B |
99+
| Debug AOT | C |
100+
| Tier-up (Fast JIT → LLVM JIT) | C |
103101

104102
---
105103

106104
# Appendix: All compilation flags
107105

108106
| Compilation flags | Tiered | Default | on Ubuntu |
109107
| ------------------------------------------- | ------ | ------- | --------- |
110-
| WAMR_APP_THREAD_STACK_SIZE_MAX | B | ND[^3] | |
108+
| WAMR_APP_THREAD_STACK_SIZE_MAX | B | ND[^1] | |
111109
| WAMR_BH_LOG | B | ND | |
112110
| WAMR_BH_VPRINTF | B | ND | |
113111
| WAMR_BUILD_ALLOC_WITH_USAGE | B | ND | |
114112
| WAMR_BUILD_ALLOC_WITH_USER_DATA | B | ND | |
115113
| WAMR_BUILD_AOT | A | ND | 1 |
116-
| WAMR_BUILD_AOT_INTRINSICS | A | 1[^4] | |
114+
| WAMR_BUILD_AOT_INTRINSICS | A | 1[^2] | |
117115
| WAMR_BUILD_AOT_STACK_FRAME | A | ND | |
118116
| WAMR_BUILD_AOT_VALIDATOR | B | ND | |
119117
| WAMR_BUILD_BULK_MEMORY | A | 1 | |
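Review bot: the new intro sentence `During configuration, It is able to disable or enable the following features by setting the corresponding flags (see Appendix).` has a mid-sentence capital and no subject; suggest "The following features can be enabled or disabled at configuration time by setting the corresponding flags (see the Appendix). The configuration output also reports which features are active." The identical sentence is pasted a second time above the WAMR-specific table; say it once, or make the second one a short cross-reference. Removing the `Default` column is reasonable since the appendix keeps a default per flag, but proposal names do not map one-to-one onto flag names, so a reader of `Shared Memory (Threads)` or `Tail Calls` still has to guess which `WAMR_BUILD_*` row to look up; adding the flag name to each proposal row would close that gap.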
@@ -136,7 +134,7 @@
136134
| WAMR_BUILD_INTERP | A | ND | 1 |
137135
| WAMR_BUILD_INVOKE_NATIVE_GENERAL | B | ND | |
138136
| WAMR_BUILD_JIT | B | ND | |
139-
| WAMR_BUILD_LAZY_JIT | B | 1[^5] | |
137+
| WAMR_BUILD_LAZY_JIT | B | 1[^3] | |
140138
| WAMR_BUILD_LIBC_BUILTIN | A | ND | 1 |
141139
| WAMR_BUILD_LIBC_EMCC | C | ND | |
142140
| WAMR_BUILD_LIBC_UVWASI | C | ND | |
@@ -146,6 +144,7 @@
146144
| WAMR_BUILD_LIB_RATS | C | ND | |
147145
| WAMR_BUILD_LIB_WASI_THREADS | B | ND | |
148146
| WAMR_BUILD_LINUX_PERF | B | ND | |
147+
| WAMR_BUILD_LIME1 | A | NO | |
149148
| WAMR_BUILD_LOAD_CUSTOM_SECTION | A | ND | |
150149
| WAMR_BUILD_MEMORY64 | A | 0 | |
151150
| WAMR_BUILD_MEMORY_PROFILING | B | ND | |
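Review bot: the new row `| WAMR_BUILD_LIME1 | A | NO | |` uses `NO` in the Default column while every other row uses `ND`, `0` or `1` (`ND` being defined in footnote `[^1]` as not defined); if the flag defaults to off write `0`, if it is simply not set write `ND`. It is also introduced straight in as tier A, which by the tier definitions at the top of this file asserts full CI coverage; either point at the CI job that exercises it or start it at B.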
@@ -155,7 +154,7 @@
155154
| WAMR_BUILD_MULTI_MODULE | B | ND | |
156155
| WAMR_BUILD_PERF_PROFILING | B | ND | |
157156
| WAMR_BUILD_PLATFORM | - | ND | linux |
158-
| WAMR_BUILD_QUICK_AOT_ENTRY | A | 1[^6] | |
157+
| WAMR_BUILD_QUICK_AOT_ENTRY | A | 1[^4] | |
159158
| WAMR_BUILD_REF_TYPES | A | ND | 1 |
160159
| WAMR_BUILD_SANITIZER | B | ND | |
161160
| WAMR_BUILD_SGX_IPFS | C | ND | |
@@ -191,8 +190,7 @@
191190
| WAMR_DISABLE_WRITE_GS_BASE | B | ND | |
192191
| WAMR_TEST_GC | B | ND | |
193192

194-
[^3]: _ND_ represents _not defined_
195-
[^4]: active if `WAMR_BUILD_AOT` is 1
196-
[^5]: active if `WAMR_BUILD_FAST_JIT` or `WAMR_BUILD_JIT1` is 1
197-
[^6]: active if `WAMR_BUILD_AOT` or `WAMR_BUILD_JIT` is 1
198-
[^7]: required by Libc WASI
193+
[^1]: _ND_ represents _not defined_
194+
[^2]: active if `WAMR_BUILD_AOT` is 1
195+
[^3]: active if `WAMR_BUILD_FAST_JIT` or `WAMR_BUILD_JIT1` is 1
196+
[^4]: active if `WAMR_BUILD_AOT` or `WAMR_BUILD_JIT` is 1
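Review bot: footnote `[^7]` (`required by Libc WASI`) is deleted here, but the reference `Module instance context[^7]` in the WAMR feature table above is kept, so the rendered page will show a dangling `[^7]` marker. Either re-add the definition as `[^5]` in the new numbering or drop the marker from that table row. Separately, `[^3]` still reads `active if WAMR_BUILD_FAST_JIT or WAMR_BUILD_JIT1 is 1`; no flag named `WAMR_BUILD_JIT1` appears in the rows shown, while `WAMR_BUILD_JIT` does, so this looks like a typo carried over from the old `[^5]` that this renumbering was a chance to fix.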
