WebAssembly is gaining popularity as a portable binary format targetable from many programming languages. With a well-specified low-level virtual instruction set, minimal memory footprint and many high-performance implementations, it has been successfully adopted for lightweight in-process memory sandboxing in many contexts. Despite these advantages, WebAssembly lacks many standard system interfaces, making it difficult to reuse existing applications. This paper proposes WALI: The WebAssembly Linux Interface, a thin layer over Linux's userspace system calls, creating a new class of virtualization where WebAssembly seamlessly interacts with native processes and the underlying operating system. By virtualizing the lowest level of userspace, WALI offers application portability with little effort and reuses existing compiler backends. With WebAssembly's control flow integrity guarantees, these modules gain an additional level of protection against remote code injection attacks. Furthermore, capability-based APIs can themselves be virtualized and implemented in terms of WALI, improving reuse and robustness through better layering. We present an implementation of WALI in a modern WebAssembly engine and evaluate its performance on a number of applications which we can now compile with mostly trivial effort.

翻译：WebAssembly作为一种可移植的二进制格式正日益普及，其可从多种编程语言编译生成。凭借明确定义的底层虚拟指令集、极小的内存占用以及众多高性能实现方案，WebAssembly已成功应用于多种场景下的轻量级进程内内存沙箱。然而，尽管具备这些优势，WebAssembly仍缺少许多标准系统接口，导致现有应用难以复用。本文提出WALI：WebAssembly Linux接口——一个覆盖Linux用户空间系统调用的薄层，开创了一种新型虚拟化范式，使WebAssembly能够与原生进程及底层操作系统无缝交互。通过虚拟化用户空间最低层级，WALI以极低代价实现应用可移植性，并复用现有编译器后端。借助WebAssembly的控制流完整性保障机制，这些模块获得了针对远程代码注入攻击的额外保护层级。此外，基于能力的安全API本身也可被虚拟化并通过WALI实现，通过更优的分层结构提升代码复用性和鲁棒性。我们在现代WebAssembly引擎中实现了WALI，并通过一系列现可近乎零成本编译的应用对其性能进行了评估。