Cyber-physical WebAssembly: Secure Hardware Interfaces and Pluggable Drivers
Michiel Van Kenhove, Maximilian Seidler, Friedrich Vandenberghe, Warre Dujardin, Wouter Hennen, Arne Vogel, Merlijn Sebrechts, Tom Goethals, Filip De Turck, Bruno Volckaert
TL;DR
This work addresses the security and maintenance challenges of integrating hardware interfaces into IoT/edge devices by proposing standardized WASI interfaces for I2C and USB and a cyber-physical architecture where apps and device drivers run inside WebAssembly. The approach combines interface worlds, host/guest components, and runtime linking with capability-based and ACL-based security to mediate hardware access through Wasm. The authors implement three proof-of-concept deployments (I2C in Wasmtime, I2C in WAMR, USB in Wasmtime) and evaluate performance, showing minimal USB overhead ($<1.4$ MiB/s throughput reduction) but highlighting significant runtime initialization overhead in Wasmtime for I2C ($7.16$ ms worst-case). The results support the feasibility of standardized I2C/USB WASI interfaces for secure, modular hardware access on resource-constrained devices, while also outlining future work on standardization, cross-runtime support, and asynchronous capabilities. This work lays groundwork for a secure, modular, and forward-compatible cyber-physical WebAssembly ecosystem for IoT and embedded systems.
Abstract
The rapid expansion of Internet of Things (IoT), edge, and embedded devices in the past decade has introduced numerous challenges in terms of security and configuration management. Simultaneously, advances in cloud-native development practices have greatly enhanced the development experience and facilitated quicker updates, thereby enhancing application security. However, applying these advances to IoT, edge, and embedded devices remains a complex task, primarily due to the heterogeneous environments and the need to support devices with extended lifespans. WebAssembly and the WebAssembly System Interface (WASI) have emerged as promising technologies to bridge this gap. As WebAssembly becomes more popular on IoT, edge, and embedded devices, there is a growing demand for hardware interface support in WebAssembly programs. This work presents WASI proposals and proof-of-concept implementations to enable hardware interaction with I2C and USB, which are two commonly used protocols in IoT, directly from WebAssembly applications. This is achieved by running the device drivers within WebAssembly as well. A thorough evaluation of the proofs of concept shows that WASI-USB introduces a minimal overhead of at most 8% compared to native operating system USB APIs. However, the results show that runtime initialization overhead can be significant in low-latency applications.
