This study investigates the potential of WebAssembly as a more secure and efficient alternative to Linux containers for executing untrusted code in cloud computing with Kubernetes. Specifically, it evaluates the security and performance implications of this shift. Security analyses demonstrate that both Linux containers and WebAssembly have attack surfaces when executing untrusted code, but WebAssembly presents a reduced attack surface due to an additional layer of isolation. The performance analysis further reveals that while WebAssembly introduces overhead, particularly in startup times, it could be negligible in long-running computations. However, WebAssembly enhances the core principle of containerization, offering better security through isolation and platform-agnostic portability compared to Linux containers. This research demonstrates that WebAssembly is not a silver bullet for all security concerns or performance requirements in a Kubernetes environment, but typical attacks are less likely to succeed and the performance loss is relatively small.

翻译：本研究探讨了在Kubernetes云计算环境中，WebAssembly作为执行不可信代码方案时，相较于Linux容器在安全性与效率方面的潜在优势。具体而言，本研究评估了从容器转向WebAssembly对安全性和性能的影响。安全分析表明，Linux容器和WebAssembly在执行不可信代码时均存在攻击面，但WebAssembly通过额外的隔离层提供了更小的攻击面。性能分析进一步揭示，尽管WebAssembly会引入开销（尤其在启动时间方面），但在长时间运行的计算任务中，这种开销可以忽略不计。与Linux容器相比，WebAssembly强化了容器化的核心原则，通过隔离机制和与平台无关的可移植性提供了更好的安全性。本研究表明，WebAssembly并非解决Kubernetes环境中所有安全顾虑或性能需求的万能方案，但典型攻击更难以成功，且性能损失相对较小。