Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Empowering WebAssembly with Thin Kernel Interfaces

Arjun Ramesh, Tianshu Huang, Ben L. Titzer, Anthony Rowe

TL;DR

The paper presents thin kernel interfaces (WALI for Linux and WAZI for Zephyr) that expose OS syscalls to WebAssembly while preserving intra-process sandboxing, enabling a bottom-up virtualization model where legacy software can run on Wasm across diverse ISAs. By layering high-level APIs like WASI over a compact, ISA-agnostic kernel interface, the approach decouples engine evolution from OS surface changes and reduces the trusted computing base. Empirical results show broad syscall coverage (≈137 of the common Linux syscalls), feasible porting of real-world apps, and a middle-ground performance profile between emulation (QEMU) and containers (Docker), with fast startup and strong security properties. The work is extended to Zephyr through WAZI and is argued to generalize to other kernels, offering a path toward portable, secure, and robust Wasm deployments across edge, IoT, and embedded domains.

Abstract

Wasm is gaining popularity outside the Web as a well-specified low-level binary format with ISA portability, low memory footprint and polyglot targetability, enabling efficient in-process sandboxing of untrusted code. Despite these advantages, Wasm adoption for new domains is often hindered by the lack of many standard system interfaces which precludes reusability of existing software and slows ecosystem growth. This paper proposes thin kernel interfaces for Wasm, which directly expose OS userspace syscalls without breaking intra-process sandboxing, enabling a new class of virtualization with Wasm as a universal binary format. By virtualizing the bottom layer of userspace, kernel interfaces enable effortless application ISA portability, compiler backend reusability, and armor programs with Wasm's built-in control flow integrity and arbitrary code execution protection. Furthermore, existing capability-based APIs for Wasm, such as WASI, can be implemented as a Wasm module over kernel interfaces, improving reuse, robustness, and portability through better layering. We present an implementation of this concept for two kernels -- Linux and Zephyr -- by extending a modern Wasm engine and evaluate our system's performance on a number of sophisticated applications which can run for the first time on Wasm.

Empowering WebAssembly with Thin Kernel Interfaces

TL;DR

The paper presents thin kernel interfaces (WALI for Linux and WAZI for Zephyr) that expose OS syscalls to WebAssembly while preserving intra-process sandboxing, enabling a bottom-up virtualization model where legacy software can run on Wasm across diverse ISAs. By layering high-level APIs like WASI over a compact, ISA-agnostic kernel interface, the approach decouples engine evolution from OS surface changes and reduces the trusted computing base. Empirical results show broad syscall coverage (≈137 of the common Linux syscalls), feasible porting of real-world apps, and a middle-ground performance profile between emulation (QEMU) and containers (Docker), with fast startup and strong security properties. The work is extended to Zephyr through WAZI and is argued to generalize to other kernels, offering a path toward portable, secure, and robust Wasm deployments across edge, IoT, and embedded domains.

Abstract

Wasm is gaining popularity outside the Web as a well-specified low-level binary format with ISA portability, low memory footprint and polyglot targetability, enabling efficient in-process sandboxing of untrusted code. Despite these advantages, Wasm adoption for new domains is often hindered by the lack of many standard system interfaces which precludes reusability of existing software and slows ecosystem growth. This paper proposes thin kernel interfaces for Wasm, which directly expose OS userspace syscalls without breaking intra-process sandboxing, enabling a new class of virtualization with Wasm as a universal binary format. By virtualizing the bottom layer of userspace, kernel interfaces enable effortless application ISA portability, compiler backend reusability, and armor programs with Wasm's built-in control flow integrity and arbitrary code execution protection. Furthermore, existing capability-based APIs for Wasm, such as WASI, can be implemented as a Wasm module over kernel interfaces, improving reuse, robustness, and portability through better layering. We present an implementation of this concept for two kernels -- Linux and Zephyr -- by extending a modern Wasm engine and evaluate our system's performance on a number of sophisticated applications which can run for the first time on Wasm.
Paper Structure (88 sections, 8 figures, 6 tables)

This paper contains 88 sections, 8 figures, 6 tables.

Table of Contents

  1. Introduction
  2. Motivation
  3. Virtualization Requirements at the Edge
  4. Why Wasm?
  5. Protecting System Software
  6. The Need for Complete Wasm OS Interfaces
  7. Positioning Kernel Interfaces in the Ecosystem
  8. Q: Do Kernel Interfaces Break Wasm?
  9. Q: Do Kernel Interfaces Ruin WASI/Browser Ecosystems?
  10. Contributions
  11. Scoping Existing System Call Interfaces
  12. Practical Prevalence of Syscalls
  13. Diversity Across ISAs
  14. An Interface for Linux: WALI
  15. Process and Thread Model
  16. ...and 73 more sections

Figures (8)

  • Figure 1: Linux Virtualization stack with WALI as a foundation.
  • Figure 2: Log-normalized Linux syscall profile sorted by aggregate frequency; the top row shows the distribution of all invoked syscalls across all benchmarks sorted by frequency; lower rows show the syscall frequency for each benchmark using the same ordering.
  • Figure 3: Similarity of Linux Syscalls across ISAs.
  • Figure 4: Process Model Spectrum for varying configurations of Native and Wasm processes; WALI must implement the bolded components.
  • Figure 5: WALI Asynchronous Signal Handling Sequence Diagram
  • ...and 3 more figures