OSTIF and wasmCloud collaborated with Trail of Bits on a security audit of the application, which is a deployment platform for distributed Wasm application development. The engagement priorities included, but were not limited to: wasmCloud's sandboxing of user-provided code, whether users were appropriately limited in their accessible features so as to minimize any loopholes for bad actors, and possibilities to break, hack, or crash any wasmCloud applications. To perform this security audit, Trail of Bits performed manual code review of all extant wasmCloud capability providers, executed fuzzing of critical components of the platform, and examined RPC message signing and the host runtime Elixir and Rust code. Executed over 6 engineer weeks with consistent collaboration between the wasmCloud team and the Trail of Bits engineers, this engagement was both informative and educational. In addition to the positive security impact for the open source community, this audit was a delightful collaboration to participate in due to the engaging work on all sides.
As wasmCloud is moving from a partial Elixir language stack to a full Rust ecosystem, the team focused on the security implications of the Elixir components as the project undergoes this transformation to a safer language. Static and dynamic testing found 2 low severity, 2 informational, and 1 undetermined finding, all of which have since been addressed by the wasmCloud team. The two low findings and the single undetermined issue were classified as data validation issues, and all low findings were related to error reporting. An evaluation of the codebase maturity of the application was also reviewed and detailed via a traffic-light protocol. This work helps the project and security reviewers understand the software's life cycle and its implications for past, present, and future security. Recommendations for fixes and code health can be better understood in the context of the code maturity review.
wasmCloud is a well-reviewed project, with a great deal of diligence in its security posture. This has paid off, as evidenced by this audit, which had no severe or high issues to resolve. When a project receives ongoing investment in the form of repeated security work and healthy community contributions, it is likely to be more secure than similar projects that have not received the same backing. This audit is a credit to the security work previously performed on wasmCloud, and will act as a guide for the future as the project moves forward through its migration to Rust.
OSTIF would first like to thank the team at Trail of Bits, particularly Francesco Bertolaccini, Artur Cygan, and Spencer Michaels for their hard work over weeks on this project. We also extend our thanks to Bailey Hayes, Liam Randall and the Cosmonic team for their participation, engagement, and contributions on this audit. Without their help and involvement, this would not have been possible. Finally, we would like to thank the CNCF for their sponsorship of this important open source security work. Projects like this are not feasible without the generous support of funders.
The full report can be viewed here: https://ostif.org/wp-content/uploads/2023/10/wasmcloud-audit-ostif-trail-of-bits-final.pdf
Trail of Bits has also made a post about the project here: https://github.com/trailofbits/publications/blob/master/reviews/2023-09-wasmCloud-securityreview.pdf