POPL 2019
Sun 13 - Sat 19 January 2019 Cascais, Portugal
Sun 13 Jan 2019 11:00 - 11:30 at Sala VI - Session 2 Chair(s): Dominique Devriese

There are significant contrasts in the security offered by different portable bytecode architectures. There are those with abstracted, object-based memory models, like the JVM and CLR, that provide strong memory safety, but support only higher-level, garbage-collected languages. WebAssembly (Wasm) is at the other extreme. Its linear memory model offers efficiency and compatibility with languages like C/C++, but sacrifices memory safety. Given the growing importance of Wasm, we believe that we must address this lack of safety, or risk a web that inherits the legacy of memory-based vulnerabilities that have plagued native platforms for decades. Towards this end we propose Trestle, a protection model for Wasm that seeks to offer stronger memory safety for low-level code targeting linear memory, with minimal impact on performance and compatibility.

Our goal with Trestle is to encode safety policies that are precise, but still leave it up to different architectures that Wasm targets to implement these as efficiently and securely as possible.

Our approach starts by adding a new memory handle type to Wasm that expresses memory safety policies for a range of memory, and a new set of load and store instructions that understand handles. Using this abstraction, the compiler can express fine-grained policies in Wasm, which it can then efficiently enforce in a platform-specific manner. We present our proposal for Trestle and discuss some design and implementation considerations that inform it.
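The contrast the abstract draws can be modelled in a few lines of C. This is an added example, not code from the Trestle proposal or its authors: the handle layout (base, length, permission bits), the function names and the memory layout are all assumptions made for illustration. It shows a store checked only against the end of linear memory silently overwriting a neighbouring object, while the same store issued through a handle traps.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Assumption: handle layout, permission bits and function names are
   illustrative only; the page does not specify Trestle's encoding. */
#define MEM_SIZE 64u
#define PERM_R 1u
#define PERM_W 2u
static uint8_t linear_mem[MEM_SIZE];      /* one flat, Wasm-style linear memory */
typedef struct { uint32_t base, len, perms; } handle_t;

/* Plain linear-memory store: checked only against the end of memory. */
int raw_store(uint32_t addr, const void *src, uint32_t n) {
    if (addr > MEM_SIZE || n > MEM_SIZE - addr) return -1;   /* trap */
    memcpy(&linear_mem[addr], src, n);
    return 0;
}

/* Right held, handle inside memory, [off, off+n) inside the handle. */
static int handle_ok(handle_t h, uint32_t need, uint32_t off, uint32_t n) {
    if ((h.perms & need) != need) return 0;
    if (h.base > MEM_SIZE || h.len > MEM_SIZE - h.base) return 0;
    return off <= h.len && n <= h.len - off;   /* no integer overflow */
}
int handle_store(handle_t h, uint32_t off, const void *src, uint32_t n) {
    if (!handle_ok(h, PERM_W, off, n)) return -1;            /* trap */
    memcpy(&linear_mem[h.base + off], src, n);
    return 0;
}
int handle_load(handle_t h, uint32_t off, void *dst, uint32_t n) {
    if (!handle_ok(h, PERM_R, off, n)) return -1;            /* trap */
    memcpy(dst, &linear_mem[h.base + off], n);
    return 0;
}

/* Constructed layout: 16-byte buffer at address 0, 1-byte flag at 16.
   A 20-byte write to the buffer either reaches the flag or traps. */
int overflow_reaches_flag(int use_handle) {
    uint8_t input[20];
    handle_t buf = { 0, 16, PERM_R | PERM_W };
    memset(linear_mem, 0, sizeof linear_mem);
    memset(input, 0x41, sizeof input);
    (void)(use_handle ? handle_store(buf, 0, input, sizeof input)
                      : raw_store(buf.base, input, sizeof input));
    return linear_mem[16] != 0;            /* 1 = adjacent flag overwritten */
}

int main(void) {   /* prints "raw: 1, handle: 0" */
    return printf("raw: %d, handle: %d\n", overflow_reaches_flag(0), overflow_reaches_flag(1)) < 0;
}
```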

Presentation (talk_for_public.pdf), 1008 KiB

Sun 13 Jan


11:00 - 12:30: Session 2, PriSC, at Sala VI
Chair(s): Dominique Devriese (Vrije Universiteit Brussel, Belgium)

11:00 (30m) Talk: Trestle: Bridging the Performance and Safety Divide in WebAssembly (PriSC)
Craig Disselkoen (University of California San Diego), Tal Garfinkel (Stanford University), Deian Stefan (University of California San Diego), Conrad Watt (University of Cambridge)
File attached

11:30 (30m) Talk: Protecting C++ Applications Using CHERI (PriSC)
Khilan Gudka (University of Cambridge), Alexander Richardson (University of Cambridge), Robert N. M. Watson (University of Cambridge)
File attached

12:00 (30m) Talk: Secure Linking in the CheriBSD Operating System (PriSC)
Alexander Richardson (University of Cambridge), Robert N. M. Watson (University of Cambridge)
File attached