Recap: 2020 WebAssembly (Wasm) Summit in Silicon Valley [incl. Links and Resources]

The WebAssembly Summit was held in Silicon Valley, on the 10th February 2020. The venue, Google’s newest building at 1625 Plymouth St Mountain View CA. This extremely well organised event kicked off with a clear message for its new WebAssembly community … “Be actively awesome to each other!” The single-track line up of speakers was superb. , from Mozilla, kicked off the event; delivering an amazing and thought provoking about building a new kind of ecosystem. Lin Clark opening keynote If you only have time for a tiny snack of Lin's brilliant (23:57) talk, at this present moment, please note that the team has created 2 snippets for you. The SecondState team have also taken the liberty of creating both English & Chinese subtitles, for these snippets, for your convenience. SecondState - how, in traditional (non Wasm) software applications, hackers are able to build malicious software libraries which other software developers will then trust and therefore bake into their application's dependency trees. These attacks are on the rise. The good news is that the Wasm community is choosing to negate these sort of attacks, through clever design, making Wasm users secure by default. Snippet 1 Lin explains - how, "WebAssembly can provide the kind of isolation that makes it safe to run untrusted code". In WebAssembly each module is sandboxed by default and Wasm has memory isolation between modules. Interestingly, with the Interface Types Proposal, modules can exchange data in a way that is safe and fast. This interesting and exciting talk paved the way for more talks to come. Snippet 2 Lin explains From there, the following speakers took to the stage and also proceeded to deliver a deluge of invaluable information about the future of WebAssembly. , creator of Emscripten, now from Google, provided great insights into “ ”. Alon Zakai Shipping Tiny WebAssembly Builds , from Cloudflare, gave about the future of WebAssembly and its relationship with other supporting technologies such as Javascript. Ashley Williams an excellent talk , from Apple, from research and development into benchmarking areas of compilation, startup and runtime for ’s WebAssembly implementation. Tadeu Zagallo shared interesting results WebKit demonstrated using WebAssembly; rendering his real-time audio demonstration to a very impressed audience. Peter Salomonsen how to compose and perform music , defined in terms of embedded systems and went on to explore WebAssembly’s use as an intermediary language for embedded runtime environments. Jonathan Beri Internet of Things (IoT) , from , articulated the benefits of Wasm and showed us how to . Kevin introduced several new ideas and tools to support those ideas (mid and high level runtimes). The overarching message, ; WebAssembly is the future of distributed computing. Kevin Hoffman Capital One build a containerless future with WebAssembly one which I agree with In the spirit of efficiency and convenience, the (also with English & Chinese subtitles, for your convenience) which outlines the benefits of Wasm in the cloud; articulating Kevin's accurate views about WebAssembly's superior security, in terms of buffer overflow exploits and so forth. SecondState team has once again created another snippet , from , discussed Wikipedia’s ogv.js media-compatibility-shim architecture as well as the ongoing challenges that exist in the in-browser rich-media space. Brion demonstrated how to use . Brion Vibber MediaWiki WebAssembly as a video polyfill After enjoying a full day of absorbing everything Wasm, as well as networking with other industry professionals, it was time for the last presenter , from Google (who is also chair of the WebAssembly Community Group), to give the closing keynote. Ben Smith Ben’s talk was entitled . As Ben (pictured below) mentioned, and as some may not even be aware, “5 years ago WebAssembly literally did not even exist”. WebAssembly: Expanding the PIE Interestingly, the broader notion of compiling C and C++ code in such a way that it would be compatible with modern browsers was demonstrable as far back as 2013 thanks to and . This pioneering development by those like Alon Zakai — pictured below — (who founded emscripten in 2010 and then went on to co-created WebAssembly and asm.js), provided concrete evidence that, at the very least, it was going to be possible to bring C and C++, and therefore eventually other languages . emscripten asm.js to the web Left: Middle: Right: Alon Zakai, Tim McCallum Ben Smith From a WebAssembly specific perspective, in 2015 a very small group of developers had managed to come up with both an executable (binary) and s-expression (text) format of WebAssembly. One feature request at the time was to create a mechanism which could convert between the two formats. Ben’s initial work to create such a mechanism was called sexpr-wasm (which stands for s-expression to wasm). Over the next 4.5 years, sexpr-wasm continued to be developed, and in September of 2016 it was renamed to . WABT is an incredible suite of tools for WebAssembly, and is fundamental to WebAssembly development and deployment. WABT aims for full fidelity and compliance with the WebAssembly specification. WABT I would personally surmise that every developer who has performed some task using WebAssembly, has used WABT. WebAssembly’s humble beginnings The initial design of WebAssembly was humble; it was designed to do than what the aforementioned could do. That being, allowing computer software written in languages such as C and C++ to be run as web applications. no more asm.js Ben’s talk outlined how WebAssembly has now become so much more. Ben’s presentation was one about growth and prosperity. Specifically about striving for win/win scenarios, in terms of, as Ben puts it, expanding . A PIE As mentioned, WebAssembly started with a very humble set of goals a.k.a. A [small] PIE. Let’s take a look at the pie circa 2015. A PIE, circa mid-2015 ability, what can Wasm do? producer, who/what can make Wasm? interoperability, who can Wasm talk to? embedder, what can run Wasm? A, // play around with numbers and memory P, // C++ I, // Javascript E, // A Web browser Fast forward to 2020 WebAssembly has come a long way in just a few years. ability A, There are currently over which are made using WebAssembly. These include free-hand drawing applications, media players, Gameboy emulators, in-browser compression/decompression applications and even an augmented reality sudoku puzzle solver application. 100 different projects producer P, At present there are around 15 programming languages that , . These include .Net, AssemblyScript, C, Haskell, Rust and Zig. Many more are under development. can compile to WebAssembly in a stable and production ready fashion interoperability I, WebAssembly now has a capability-based API design which allows WebAssembly code to interact with the outside world whilst still preserving the sandboxed nature of WebAssembly. Also the ever-powerful and useful set of Web APIs are now becoming part of a continual reality. embedder E, WebAssembly can now be run on a host of different platforms. There are about 20 Wasm runtimes which are under active development. Wasm is not restricted to just the browser anymore. There are examples of blockchain implementations, serverless applications, OS executables and IoT implementations which are deployed on self-contained and constrained embedded runtime environments. It is amazing to see so many different projects and runtimes. Going full circle Whilst driving this sort of progress and enjoying the expansion of the pie, I am also reminded that we must also go back full circle and reflect on the messages in Lin’s opening keynote. With WebAssembly moving outside of the browser we need to remember that we are also moving to areas which may not necessarily have the browser’s same sandboxing capabilities. Sandboxing facilitates one of WebAssembly’s key benefits. Security! Nowadays around 80 percent of code (in a given project) consists of pre-existing libraries and dependencies. This is brilliant in terms of reuse and efficiency. Software developers are well aware that pre-existing modules allow us to save time and also build better software; by standing on the shoulder of giants. Software developers must try to avoid widespread vulnerabilities and in doing so will be protecting the users of their software. Unfortunately, attackers can implant malicious code into these reusable modules. Traditional Virtual Machines (VMs) and containers provide a level of sandboxing; taking away the software’s ability to access the host system. One of the best ways to achieve a high level of security, safety and privacy is to ensure that software products do not have access to the end-user’s system resources. So how does WebAssembly achieve this same level of safety in terms of isolation? The security of WebAssembly is deliberately built in by design. For example, WebAssembly sandboxes each module by default; modules do not have any access to APIs or system calls. With WebAssembly, if the developer wants a module to access an API or a system call, they are required to explicitly declare that they want access and then provide this information as part of the shipped module. This makes the intent of the module very obvious; public and transparent. WebAssembly System Interface (WASI) Image: https://github.com/WebAssembly/WASI/blob/master/WASI.png The provides a type of capability based security whereby different modules can have different permissions to different resources. The future plan is for WebAssembly to apply a fine-grain form of per-module virtualisation. With this sort of design a developer would be able to spot malicious modules and not include that code in the dependency tree of the application which they are building. WebAssembly System Interface (WASI) Importantly, as Lin mentioned, security guarantees do not just fall out directly when using WebAssembly, we have to follow good conventions and bake security guarantees into our tools. This will take some work. As a community we can choose to make our users secure by default. These sorts of deliberate patterns and designs are already starting to be baked into tools which are provided by projects such as . the bytecode alliance I saw an incredible amount of new projects and use-cases for WebAssembly during the summit. I left the event completely inspired by the future possibilities of WebAssembly. I also left the summit with a saying in mind. “We don’t want to have a trade-off between developer productivity and user safety. We want both!” Lin concluded her presentation by quoting her teammate and WebAssembly co-creator , by saying … Luke Wagner “We have an opportunity to build new secure-by-default foundations for native development that are portable and scalable. We need to take deliberate cross-industry action to ensure this happens in the right way” The future of WebAssembly proposals As a new World Wide Web Consortium ( ) member, I am thoroughly looking forward to participating in the upcoming calls which relate to WebAssembly proposals as well as broader WebAssembly Community Group (GC) topics, as mentioned throughout this article. W3C If you are interested in the the latest progress of , you can read the transcripts and view the presentations of WebAssembly Community Group (CG) meetings via . For example, are from the CG meeting which was hosted by Google, in San Francisco for two consecutive days following the Wasm Summit; the 11th & 12th of February 2020. WebAssembly proposals GitHub these meeting notes Thank you! I would like to thank the organisers of this excellent event. The participants were indeed all “actively awesome”. I met so many new people from the leading technology companies and projects from around the world. I am a big fan of " by as well as and its creator so it was awesome to be able to say hello and thank you in person. "Wasm by example Aaron Turner wasm-pack Ashley Williams Bottom left: , top left: , right: All speakers Ashley Williams Tim McCallum & Aaron Turner If I had to give one piece of feedback, “please hold this event again next year”. I think that we will all be amazed by what the community will have achieved by then.