WASI: the portable system interface for server-side WASM. Without WASI: a WASM module has zero OS access. WASI Preview 1: stable, POSIX-inspired, synchronous. Interfaces: fd_read, fd_write, path_open, random_get, clock_time_get. WASI Preview 2 (wasi 0.2): based on component model. Adds: wasi:filesystem (object-oriented), wasi:sockets (TCP/UDP), wasi:http (incoming/outgoing), wasi:cli. Capability model: host preopens specific directories, passes capability tokens. Module can only access preopened paths. Runtimes: Wasmtime (Bytecode Alliance), Wasmer, WasmEdge (CNCF), WAMR (embedded).
2 / 5
What problem does the WASM component model solve?
Component model: core WASM modules can only share linear memory and function pointers — unsafe between modules from different languages. Component model adds: WIT (WebAssembly Interface Types IDL): defines typed interfaces with types: string, list, record, variant, tuple, option, result, resource. Component: WASM module + WIT-defined imports/exports. Composition: link component A's export to component B's import, runtime handles canonical ABI translation. Canonical ABI: standard binary encoding for WIT types. Enables: Rust image processor + Go HTTP server + Python ML model — all composed as WASM components. Used by WASI 0.2, Wasmtime, Fastly Compute.
3 / 5
What does wasm-bindgen do?
wasm-bindgen: WASM ABI only supports i32/i64/f32/f64. To pass a string: allocate memory in WASM linear memory, write UTF-8 bytes, pass pointer+length. wasm-bindgen generates this boilerplate automatically. Rust side: #[wasm_bindgen] pub fn process(input: &str) -> String. Generated JS: handles encoding/decoding, memory allocation/deallocation. Generated TypeScript: export function process(input: string): string. wasm-pack workflow: compile Rust → wasm-bindgen → wasm-opt → npm package (.wasm + .js + .d.ts + package.json). C/C++ equivalent: Emscripten — more mature for C/C++ (SQLite, ffmpeg ported to WASM).
4 / 5
What is WAT (WebAssembly Text Format)?
WAT: one-to-one mapping with WASM binary (conceptually). S-expression syntax: (module (func $add (export "add") (param i32 i32) (result i32) local.get 0 local.get 1 i32.add)). WASM is a stack machine: instructions push/pop values from a virtual stack. local.get pushes a local variable value. i32.add pops two i32s, pushes their sum. Tools: wat2wasm (compile WAT to .wasm), wasm2wat (decompile .wasm to WAT for inspection). Types: i32, i64, f32, f64, v128 (SIMD), funcref, externref. WAT is essential for debugging: when a .wasm crashes, decompile and read the WAT to understand what went wrong.
5 / 5
What makes the WASM sandbox a strong security boundary for running untrusted code?
WASM security model: no syscalls — all OS access through host-provided imports. No ambient authority — the module cannot call any function not explicitly provided in the import object. Linear memory isolation — each instance has its own buffer; accessing beyond it is a trap. Verifier — statically ensures no exploitable memory operations before any code runs. Instance isolation: running 1,000 concurrent WASM instances, each is isolated from others. No shared memory by default. Compare to containers: containers isolate at process level (OS boundary); WASM isolates at instruction level (language boundary). Combining both gives defense in depth. Escape vulnerabilities: Spectre-style side channels can cross WASM boundaries. JIT engine bugs have allowed sandbox escapes. Strong, not perfect — but far stronger than eval() or native plugins.