WASMBOX: A Lightweight Wasm-Based Runtime for Trustworthy Multi-Tenant Embedded Systems

IF 5.1, Zone 2 (Computer Science), Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS
Luigi Coppolino;Salvatore D'Antonio;Giovanni Mazzeo;Roberto Nardone;Luigi Romano;Mathieu Schmitt
IEEE Transactions on Emerging Topics in Computing, vol. 13, no. 2, pp. 467-480. Publication date: 2024-06-18. DOI: 10.1109/TETC.2024.3409817. https://ieeexplore.ieee.org/document/10562203/
Citations: 0

Abstract

Enabling multi-tenancy on edge devices is crucial for maximizing resource utilization, enhancing scalability, and reducing costs. However, it introduces the challenge of maintaining tenant isolation, preventing adverse inter-tenant effects and unauthorized resource access. Traditional multi-tenant solutions often struggle in embedded systems due to resource constraints, and current lightweight approaches suffer from performance, portability, and tenant density issues. We propose WASMBOX, a novel solution for sandboxing applications in multi-tenant embedded systems. It leverages WebAssembly to offer strong isolation, small attack surface, high portability, efficient resource usage, and near-native performance. Our system ensures both attack prevention and detection, using a patched WebAssembly System Interface for safe system call execution, and a monitoring layer for anomaly detection. Additionally, WASMBOX uses a Trusted Execution Environment for further isolating applications against escaping tenants and attesting to the integrity of WebAssembly applications. We validated our solution in a real-world case study with the SpaceApplications company, aiming to adopt a multi-tenant model for its ISS-based micro-gravity research facility. The experimental evaluation compared WASMBOX with approaches relying on VMs, containers, and microkernel-based VMs. The obtained results show that WASMBOX has the lowest resource usage, the highest tenant density, the second lowest startup (preceded by microkernels), and execution time (preceded by containers).
Source journal

IEEE Transactions on Emerging Topics in Computing (Computer Science: Computer Science (miscellaneous))

CiteScore: 12.10
Self-citation rate: 5.10%
Articles published: 113

Journal description: IEEE Transactions on Emerging Topics in Computing publishes papers on emerging aspects of computer science, computing technology, and computing applications not currently covered by other IEEE Computer Society Transactions. Some examples of emerging topics in computing include: IT for Green, Synthetic and organic computing structures and systems, Advanced analytics, Social/occupational computing, Location-based/client computer systems, Morphic computer design, Electronic game systems, & Health-care IT.