Lucet is the native WebAssembly compiler that meets your security needs
The love for WebAssembly just keeps on growing! Fastly open sourced their internal native WebAssembly compiler and runtime, Lucet. Written in Rust, Lucet can execute tens of thousands of WebAssembly programs simultaneously, all with the benefits of a top-notch security architecture.
When it comes to WebAssembly, things have been moving fast. It’s only been around since 2017, but what would life be without it? Add yet another reason that you love Wasm to your long list, because Fastly has now open sourced their native WebAssembly compiler and runtime: Lucet.
Lucet has been in development since 2017 and now hits the scene, much to our benefit! It’s the first Fastly project to be built in Rust and is currently under active development. If you’ve used Fastly’s edge computing platform Terrarium, then you’ve already seen it in action.
Lucet safely executes untrusted WebAssembly programs inside your application and supports programs written in C, Rust, and AssemblyScript. For now, it only supports x86-64 based Linux systems. It uses and was developed in collaboration with Mozilla’s low-level code generator Cranelift.
Performance-wise, Lucet can execute “tens of thousands of WebAssembly programs simultaneously, in the same process, without compromising security”. It can handle thousands of requests per second in a single process.
In the coming years, it will be interesting to see how the landscape of JS and Wasm evolves.
Just like fire, security is nothing to deal with frivolously. Lucet is committed to a high-level security architecture, and the project’s security doc explains the security system in detail.
The project does not provide a complete secure sandbox framework at this time; security is achieved through a combination of lucet-supplied security controls and user-supplied security controls. At a high level, this jointly-constructed security architecture aims to prevent untrusted input, data, and activity from compromising the security of trusted components. It also aims to prevent an untrusted actor from compromising the security (e.g. data and activity) of another untrusted actor. For example, one user of a lucet embedding should not be able to affect the security of another user of the same lucet embedding.
Two security scenarios exist: trusted code and untrusted code.
Trusted code is fully trusted code controlled by a system’s administrator, whereas untrusted code incorporates all code, processes, and inputs supplied by a third party.
Rest assured you will not have to compromise on security and safety.
Of course, this isn’t a magic bullet that relieves the administrator of all duties. The security doc also reminds users to beware of several security caveats, including attacks against guest programs.
Want it? You got it.
Try out a quick demo by cloning the repo from GitHub and following the README for info on setting up your environment. The repo includes a Dockerfile and uses git submodules.
- Stable Rust, and
- GNU Make, CMake, & various standard Unix utilities for the build system
Future plans for Lucet involve making it available on the Fastly edge cloud and supporting more languages. Full support for the entire WebAssembly spec will also come in the future. We also expect to see more security features in future updates.