Maybe I’m missing some nuance here but it’s not clear to me what the omission by wasm advocates is?
> And this kids, is why security in WASM still needs to be taken with a grain of salt if any of those modules touch critical data or return values that influence the caller's decisions
Isn’t this true of any sandboxed environment? You can trust it not to touch things outside of the sandbox, but any holes you poke to get data in/out need their own verification.
No, it isn't true for all sandboxed environments; there are sandboxed environments where memory accesses are bounds-checked for the underlying data types, instead of only the complete linear memory segment.
Thanks, that makes sense. This would only matter if you’re sharing the linear memory between different bytecode modules, though, right? If only one wasm module can touch a span of linear memory, I can’t think of anything it could do that wouldn’t be possible with type-aware bounds checks (in the extreme, it could just treat the memory as an array of u8s and implement data structures on top of that, bypassing any type-awareness that the VM has).
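A toy model of the two check policies the replies above contrast, added here as an illustration and not part of the thread: `WasmLinearMemory` traps only when an access leaves the whole linear memory, as Wasm does, while the hypothetical `TypedMemory` also refuses an access that crosses the object it starts in. The memory layout, the "approved" flag and the oversized copy are constructed for the demo.

```python
class OutOfBounds(Exception):
    """Raised where a real Wasm engine would trap."""

class WasmLinearMemory:
    """Every access is checked only against the whole linear memory, as in Wasm."""
    def __init__(self, size):
        self.mem = bytearray(size)

    def _check(self, addr, n):
        if addr < 0 or addr + n > len(self.mem):
            raise OutOfBounds(f"access at {addr} leaves linear memory")

    def store(self, addr, data):
        self._check(addr, len(data))
        self.mem[addr:addr + len(data)] = data

    def load_i32(self, addr):
        self._check(addr, 4)
        return int.from_bytes(self.mem[addr:addr + 4], "little", signed=True)

class TypedMemory(WasmLinearMemory):
    """Hypothetical per-object check: an access must also stay inside the
    allocation it starts in (the alternative the reply above describes)."""
    def __init__(self, size, objects):
        super().__init__(size)
        self.objects = objects  # base address -> object length (constructed layout)

    def _check(self, addr, n):
        super()._check(addr, n)
        for base, length in self.objects.items():
            if base <= addr < base + length:
                if addr + n > base + length:
                    raise OutOfBounds(f"access at {addr} crosses object at {base}")
                return
        raise OutOfBounds(f"access at {addr} is outside every object")

def run_module(mem):
    """Constructed scenario: 8-byte buffer at 0, 4-byte 'approved' flag at 8.
    The module copies 12 bytes into the buffer, then returns the flag."""
    mem.store(8, (0).to_bytes(4, "little"))              # flag starts as 0
    mem.store(0, b"A" * 8 + (1).to_bytes(4, "little"))   # 12 bytes into 8-byte buffer
    return mem.load_i32(8)                               # value the host would act on

def compare():
    """Return (flag the host sees under Wasm checks, whether typed checks trapped)."""
    try:
        run_module(TypedMemory(16, {0: 8, 8: 4}))
        trapped = False
    except OutOfBounds:
        trapped = True
    return run_module(WasmLinearMemory(16)), trapped
```

Under the linear-memory check the overwritten flag reaches the host as a perfectly valid return value, which is the reason the host still has to validate anything it reads out of the module rather than trusting the sandbox boundary alone.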