WASMBOX: A Lightweight Wasm-based Runtime for Trustworthy Multi-Tenant Embedded Systems

Coppolino L.; D'Antonio S.; Mazzeo G.; Nardone R.; Romano L.
2024-01-01

Abstract

Enabling multi-tenancy on edge devices is crucial for maximizing resource utilization, enhancing scalability, and reducing costs. However, it introduces the challenge of maintaining tenant isolation, preventing adverse inter-tenant effects and unauthorized resource access. Traditional multi-tenant solutions often struggle in embedded systems due to resource constraints, and current lightweight approaches suffer from performance, portability, and tenant density issues. We propose WASMBOX, a novel solution for sandboxing applications in multi-tenant embedded systems. It leverages WebAssembly to offer strong isolation, small attack surface, high portability, efficient resource usage, and near-native performance. Our system ensures both attack prevention and detection, using a patched WebAssembly System Interface for safe system call execution, and a monitoring layer for anomaly detection. Additionally, WASMBOX uses a Trusted Execution Environment for further isolating applications against escaping tenants and attesting to the integrity of WebAssembly applications. We validated our solution in a real-world case study with the SpaceApplications company, aiming to adopt a multi-tenant model for its ISS-based micro-gravity research facility. The experimental evaluation compared WASMBOX with approaches relying on VMs, containers, and microkernel-based VMs. The obtained results show that WASMBOX has the lowest resource usage, the highest tenant density, and the second-lowest startup time (preceded by microkernels) and execution time (preceded by containers).

Use this identifier to cite or link to this document: https://hdl.handle.net/11367/133177