Wasm is gaining popularity outside the Web as a well-specified low-level binary format with ISA portability, low memory footprint and polyglot targetability, enabling efficient in-process sandboxing of untrusted code. Despite these advantages, Wasm adoption for new domains is often hindered by the lack of many standard system interfaces which precludes reusability of existing software and slows ecosystem growth. This paper proposes thin kernel interfaces for Wasm, which directly expose OS userspace syscalls without breaking intra-process sandboxing, enabling a new class of virtualization with Wasm as a universal binary format. By virtualizing the bottom layer of userspace, kernel interfaces enable effortless application ISA portability, compiler backend reusability, and armor programs with Wasm's built-in control flow integrity and arbitrary code execution protection. Furthermore, existing capability-based APIs for Wasm, such as WASI, can be implemented as a Wasm module over kernel interfaces, improving reuse, robustness, and portability through better layering. We present an implementation of this concept for two kernels -- Linux and Zephyr -- by extending a modern Wasm engine and evaluate our system's performance on a number of sophisticated applications which can run for the first time on Wasm.
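The abstract's central security claim is that raw syscalls can be exposed to a Wasm guest without breaking intra-process sandboxing, and that capability-style APIs such as WASI can then be layered on top as ordinary module code. The following Python model, added here as an illustration and not taken from the paper or its implementation, shows the one invariant that makes this work: every pointer and length the guest passes through the syscall boundary is validated against its linear memory before the host touches it. The names `LinearMemory`, `KernelInterface` and `wasi_fd_write` are hypothetical, the file descriptors are in-memory sinks so the example runs offline, and only a `write`-style syscall is modelled.

```python
"""
Added illustration (not the paper's code): a host-side "thin kernel interface"
that exposes a raw write(2)-style syscall to a sandboxed Wasm module while
keeping the sandbox intact. Linear memory is modelled as a bytearray; every
pointer/length argument coming from the guest is validated against that
memory's bounds before the host reads or writes anything. A WASI-style
fd_write is then implemented purely in terms of that raw syscall, mirroring
the layering the abstract describes (WASI as a module over kernel interfaces).
All names (LinearMemory, KernelInterface, wasi_fd_write) are hypothetical.
"""
import struct


class SandboxViolation(Exception):
    """Raised when the guest passes a pointer/length outside its linear memory."""


class LinearMemory:
    def __init__(self, size: int):
        self.buf = bytearray(size)

    def check(self, ptr: int, length: int) -> None:
        # Reject negative values and any range whose end exceeds the memory.
        # Python integers do not wrap, so ptr + length is safe here; a C shim
        # must guard against overflow of that sum before comparing.
        if ptr < 0 or length < 0 or ptr + length > len(self.buf):
            raise SandboxViolation(
                f"range [{ptr}, {ptr + length}) outside linear memory of {len(self.buf)} bytes")

    def read(self, ptr: int, length: int) -> bytes:
        self.check(ptr, length)
        return bytes(self.buf[ptr:ptr + length])

    def write(self, ptr: int, data: bytes) -> None:
        self.check(ptr, len(data))
        self.buf[ptr:ptr + len(data)] = data


class KernelInterface:
    """Host-side shim: raw syscall numbers in, results out.
    File descriptors are in-memory sinks (constructed) so the example is offline."""
    SYS_write = 1  # x86-64 Linux syscall number, used only as an illustrative constant

    def __init__(self, mem: LinearMemory):
        self.mem = mem
        self.fds = {1: bytearray(), 2: bytearray()}  # constructed stdout/stderr sinks

    def syscall(self, nr: int, *args) -> int:
        """Return a byte count on success or a negative Linux errno on failure."""
        if nr == self.SYS_write:
            fd, ptr, length = args
            if fd not in self.fds:
                return -9  # -EBADF
            data = self.mem.read(ptr, length)  # sandbox bounds check happens here
            self.fds[fd] += data
            return len(data)
        return -38  # -ENOSYS: syscall not exposed by this thin interface


def wasi_fd_write(ki: KernelInterface, fd: int, iovs_ptr: int, iovs_len: int,
                  nwritten_ptr: int) -> int:
    """WASI fd_write written over the raw syscall, i.e. guest-side library logic.
    iovec layout in linear memory: {u32 buf_ptr; u32 buf_len} repeated iovs_len times."""
    total = 0
    for i in range(iovs_len):
        buf_ptr, buf_len = struct.unpack_from("<II", ki.mem.read(iovs_ptr + 8 * i, 8))
        n = ki.syscall(KernelInterface.SYS_write, fd, buf_ptr, buf_len)
        if n < 0:
            return -n  # a real shim would translate Linux errno values to WASI ones
        total += n
    ki.mem.write(nwritten_ptr, struct.pack("<I", total))
    return 0


def demo():
    """Exercise a valid two-iovec write, then an iovec that points past memory."""
    mem = LinearMemory(64 * 1024)
    ki = KernelInterface(mem)
    mem.write(1000, b"hello ")
    mem.write(1100, b"wasm\n")
    mem.write(2000, struct.pack("<IIII", 1000, 6, 1100, 5))  # iovec array at 2000
    rc = wasi_fd_write(ki, 1, 2000, 2, 3000)
    written = struct.unpack_from("<I", mem.read(3000, 4))[0]
    # Out-of-bounds iovec: rejected before the host reads a single byte.
    mem.write(2100, struct.pack("<II", 60 * 1024, 8 * 1024))
    try:
        wasi_fd_write(ki, 1, 2100, 1, 3000)
        escaped = True
    except SandboxViolation:
        escaped = False
    return rc, written, bytes(ki.fds[1]), escaped


if __name__ == "__main__":
    print(demo())
```

The point to take from the model is where the check lives: the host never dereferences a guest-supplied offset except through `LinearMemory.read`/`write`, so even a deliberately bad iovec produced by `wasi_fd_write` cannot reach host memory, while the WASI layer itself needs no host privileges beyond the raw syscall.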