Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add documentation regarding security issues and the status of Wasm proposals #3972

Open
wants to merge 3 commits into
base: main
Choose a base branch
from

Conversation

lum1n0us
Copy link
Collaborator

No description provided.

- Enables users to perform actions they should not be able to.
- Allows users to deny actions they have performed.

Given that WASI is a set of Capability-based APIs, all unauthorized actions are not supposed to happen. Most of the above security concerns can be alleviated. What remains for us is to ensure that Wasm modules ' execution is secure. In other words, do not compromise the sandbox. Unless it is explicitly disabled beforehand.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wasm modules ' -> Wasm modules'


## managing a security issue

Before reporting an issue, particularly one related to crashing, consult [the cheat sheet](), *Report a security vulnerability* if it qualifies.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

missing link for the cheat sheet?


Before reporting an issue, particularly one related to crashing, consult [the cheat sheet](), *Report a security vulnerability* if it qualifies.

Upon receiving an issue, thoroughly review [the cheat sheet] to assess and *Report a security vulnerability* if the issue is indeed a security vulnerability .
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

same as above for the cheat sheet


The _status_ represents the configuration _product-mini/platforms/linux/CMakeLists.txt_. There may be minor differences between the top-level CMakeLists and platform-specific CMakeLists.

Users can turn those features on or off using compilation options. If a relevant compilation option is not available(`N/A`), it indicates that the feature is permanently enabled.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

had better change using to by using?

| Extended Constant Expressions | Yes | N/A |
| Typed Function References | Yes | `WAMR_BUILD_GC` |
| Thread | Yes | `WAMR_BUILD_SHARED_MEMORY` |
| Exception handling[^2] | Yes | `WAMR_BUILD_EXCE_HANDLING` |
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is misleading because what we have is not the phase 4 version.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes. I will move this one to unimplemented Wasm proposals

@@ -0,0 1,28 @@
# About security issues

This document aims to explain the process of identifying a security issue and the steps for managing a security issue.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the expected audiences and purposes of this document are not obvious to me.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The document is intended to:

  • Clarify to the community and TSC which types of issues will be recognized as security issues.
  • Provide a step-by-step guide on how to handle a security issue once it has been identified.
  • Ensure maintainers distinguish security issues from all reported community issues and address them with caution.
  • Encourage accurate reporting of security issues, rather than categorizing them as normal issues.

| Legacy Exception handling[^2] | Yes | `WAMR_BUILD_EXCE_HANDLING` |
| WebAssembly C and C API | No | N/A |

[^1]: jit and aot only
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need to classify fast-jit and LLVM-jit?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants