WASM in the Kernel: Tales of Triumph and Trouble
- #Security
- #WebAssembly
- #Linux Kernel
- Riptides initially aimed to evaluate Open Policy Agent (OPA) policies in kernel space using WebAssembly (WASM), so that socket-level security decisions could be made in real time.
- The team ported the wasm3 runtime to the Linux kernel, facing challenges such as in-kernel memory management, the need to strip out floating-point operations, and the difficulty of debugging code running inside the kernel.
- Early success showed promise with microsecond-level policy evaluation latency and flexible policy updates without kernel changes.
- Production challenges emerged, including memory management issues, security concerns, and high maintenance burdens, leading to reconsideration of the approach.
- Riptides pivoted to a user-space architecture using Go-based OPA evaluation, improving reliability, maintainability, and security.
- The new architecture uses protocol buffers for efficient communication between the kernel and user space, and caches evaluation results to offset the added round-trip latency.
- Performance comparisons showed that user-space OPA evaluation, even with the cost of context switches, was faster than running interpreted WASM inside the kernel.
- Key lessons include prioritizing simplicity and maintainability over raw performance, the importance of caching, and using the right tools for the job.
- The transition resulted in a more stable, debuggable, and operationally efficient system, with better observability and security.